[Skip to content]


Fair Processing notice

To commission services, Ashford CCG needs to process patients’ information.  As the data controller for information, we are committed to informing our patients about the types of information we use about them, what we do with the information we process, how you can opt out of having your information processed and how you can access your own information

This Fair processing notice or privacy notice tells you what to expect when and how Ashford CCG collects and handles personal information.

This notice is to inform you of the type of information (including personal information) that we, as your clinical commissioning group (CCG), holds, how that information is used, who we may share that information with, and how we keep it secure and confidential.

What we do

We are responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers, such as hospitals and GP practices, for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role for these services, which includes responding to any concerns from our patients on services offered.

How we use your information

We hold some information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this.

What are Primary Care Data and Secondary Care Data?

As many people's first point of contact with the NHS, around 90 per cent of patient interaction is with primary care services, e.g. GP Practices. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary Care Data relates to information which has been sourced from these types of services.

Secondary Care covers treatment and care of a specialised medical service by Clinicians, for example, specialist doctors and nurses, within a health facility or hospital on referral by a primary care clinician (e.g. your GP). Secondary Care data relates to information which has been sourced from these types of services.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital’s website.

SUS data is useful to commissioners and providers of NHS-funded care for 'secondary' purposes - purposes other than direct or 'primary' clinical care, as we have stated previously like how the CCG uses information. We go into more detail within the ‘Do you share my information with other organisations’ section below. 

What kind of information do we use?

The CCG processes several different types of information:

1. Identifiable – containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth

2. Pseudonymised information - individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity

3. Anonymised – about individuals but with all identifying details removed

4. Aggregated – statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data. 

What do we use these types of data for?

We use the above types of data to plan health care services. Specifically, we use it to:

  • check the quality and efficiency of the health services we commission;
  • prepare performance reports on the services we commission;
  • work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future; and
  • review the care being provided to make sure it is of the highest standard.

Do we share your information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. A full list of services can be found on ‘our services’ page. We may also share anonymisedl information with them for the purpose of improving local services: for example, understanding how health conditions spread across our local area compared to other areas

The law provides some NHS bodies, particularly NHS Digital (Health and Social Care Information Centre (HSCIC)), ways of collecting and using patient data that cannot identify a person to help commissioners design and procure the combination of services that best suit the population they serve.

Data may be linked and de-identified by these special  bodies so that it can be used to improve health care and development, and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services, it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with secondary care secondary uses service (SUS) data (inpatient, outpatient and A&E). 

In some cases there may also be a need to use link local data sets which could include a range of acute
hospital-based services such as radiology, physiotherapy and audiology, as well as mental health and 
community-based services such as IAPT (Improving Access to Psychological Therapies), district nursing
and podiatry. When carrying out this analysis this information is pseudonymised as the CCG 
does not have access to patient identifiable data without consent from the patient or for purposes other than 
direct treatment and care of a patient.

The following are the types of organisations NHS Digital (HSCIC) receives data from, and then forwards on to our data processor in a de-identified format or a dataset with a weak pseudonym identifier (NHS Number) format to link and analyse the data. 

Types of organisations and types of information we receive:

  • Acute Trusts – Hospitals, William Harvey Ashford, Kent and Canterbury in Canterbury, Queen Elizabeth Queen Mother in Margate. We receive de-identified data with pseudonym data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.  
  •  Community trusts or community organisations - Kent Community Health Foundation NHS Trust. We receive de-identified data with pseudonym identifier community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units. 
  • Mental Health Trusts or Mental Health organisations - Kent and Medway NHS and Social Care Partnership Trust. We receive de-identified data with pseudonymmental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge,referrals and next steps. 
  • Partnership Trust. We receive de-identified data with pseudonym primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information, follow-ups and next steps.

Primary Care organisations, for example your local GP practice. We receive data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals,  medication/prescriptions information, follow-ups and next steps. 

It is also important to note that if you receive treatment in another part of the country, for example if you are on holiday, NHS Digital (HSCIC) will receive information about your treatment. 

We may also contract with other organisations to process data. We ensure external data processors that support us are legally and contractually bound to operate this process. They must be able to prove security arrangements are in place where data that could or does identify a person is processed.

Currently, the external data processors we work with include (amongst others):

  • NHS NEL Commissioning
This is how all the above processing works:

FPN diagram

*Data Services for Commissioners’ Regional Offices

Invoice Validation

There may be times where one healthcare organisation will need to invoice another for treatment given to a patient. This can occur, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received.

Before paying the invoice, we will need to be sure that we are responsible for your treatment costs and not another CCG, as well as checking to ensure that the amount we are being billed for is correct. This process is known as invoice validation. For invoice validation to occur, a limited amount of information about you needs to be shared between us and the hospital you received treatment at.

Risk stratification

Your GP uses your data to provide the best care they can for you.  As part of this process, your GP will use your personal and health data to undertake risk stratification, also known as case finding.

Risk stratification involves applying computer based algorithms, or , to identify those patients registered with the GP Surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

To identify those patients individually from the patient community registered with your GP would be a lengthy and time-consuming process, which would by its nature potentially not identify individuals quickly and therefore increase the time to improve care.

Your GP Surgery uses the services of a health partner, NEL Commissioning Support Unit (NELCSU) to identify those most in need of preventative or improved care.  This contract is arranged by us.

Neither we nor NHS will at any time have access to your personal or confidential data. They act on behalf of your GP to organise this service with appropriate contractual and security measures only.

NEL CSU will automatically process your personal and confidential data without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. 

Processing takes place automatically and without human or manual handling. Data is extracted from your GP computer system, automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NEL Commissioning Support Unit (NELCSU) for risk stratification purposes. 

The lawful basis to use this information for risk stratification has been allowed by s251 NHS Act 2006 and is processed by NEL Commissioning Support Unit (NELCSU) or other approved providers only. Further information on Risk Stratification and HRA.

Managing conflicts of interest

We manage conflicts of interest as part of our day-to-day activities. Effective handling of conflicts of interest is crucial to give confidence to patients, tax payers, healthcare providers and parliament that CCG commissioning decisions are robust, fair, transparent and offer value for money. It is essential in order to protect healthcare professionals and maintain public trust in the NHS. Failure to manage conflicts of interest could lead to legal challenge and even criminal action in the event of fraud, bribery and corruption.

Section 14O of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012) (“the Act”) sets out the minimum requirements of what both NHS England and CCGs must do in terms of managing conflicts of interest.

Any persons who believe they should be included in the declaration of interest registers or who have questions about it can contact the Data Protection Officers for Ashford CCG by writing to:NHS Ashford CCG

Head of Corporate Services

Inca House
Trinity Road
Eureka Business Park
TN25 4AB
Email: ashford.ccg@nhs.net

Patient right to object to processing/opt-out

There are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. Please note that not choosing to share your information may have an impact on your care and, by sharing your information, will improve NHS services and the experience of treatment and care for our patients.

If you wish to do so, please inform your GP practice and they will mark your choice in your medical record.

There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

The NHS Digital (HSCIC) collects information from a range of places where people receive care, such as 
hospitals and community services. If you do not want your personal confidential information to be shared
 outside of NHS Digital (HSCIC), for purposes other than for your direct care, you can register a type 2 ~
opt-out with your GP practice.

A direction from the Secretary of State for Health sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital (HSCIC) to apply type 2 opt-outs from 29 April 2016.

When NHS Digital (HSCIS) has collected information about your type 2 opt-out from your GP practice they 
use that to create a record of all current type 2 opt-outs. Then  NHS Digital use that record to check against 
any set of data that is to be made available by NHS Digital (HSCIC) to another organisation and remove all of 
your personal confidential information if it is in that data set before that data is made available.

The direction sets out the scope of when your type 2 opt-out does not apply, such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

There are also some limited circumstances which are set out in the direction, when we don't apply your type 2 opt-out to information made available. These are cases where:

  • The Secretary of State for health has identified the information flow is very important.
  • There are complex technical barriers that make it very difficult to apply opt-outs.

For more information on how we collect and use opt-out information see Applying Type 2 Opt Outs

For more information about care records and how to access them see NHS Choices. For details about how public bodies must make information available, see the model publication scheme published by the Information Commissioner's Office. 

How long we will keep your information and how we will destroy information

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care. For more information, you can access the document.

NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so has been determined and received from the Data Controller. Where data has been identified for disposal:

  • NHS organisations have the responsibility to ensure that NHS information held in manual form 
    (regardless of whether originally or printed from the IT systems) is destroyed using a cross cut shredder
    or subcontracted to a reputable confidential waste company that complies with European Standard EN15713. 
  • Ashford CCG also ensures that electronic storage media used to hold or process NHS Information is destroyed or overwritten to current CESG standards as defined at www.cesg.gov.uk. NHS ICT Teams usually carry out or contract out to an approved company to ensure the secure destruction or permanent removal of information from ICT equipment which are NHS assets. In the event of any bad or unusable sectors that cannot be overwritten, the NHS ICT Team or approved contractor shall ensure complete and irretrievable destruction of the media itself.
  • It is the responsibility of Ashford CCG to retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract.
  •  Any arrangement made by Ashford CCG to sub-contract secure disposal services from another provider, must comply with clause GC 12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the 7th Data Protection Act 1998 principle.

Relevant links to associated documents or organisations:

If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click on the following links: