The CCG has issued the following statement to provide further information on the situation regarding Corby Urgent Care Centre: We... Read More »
NHS Corby Clinical Commissioning Group has issued this statement following media reports about the future of Corby Urgent Care Centre... Read More »
Health leaders in Corby want your views to inform and improve the future of health and social care services across the borough. NHS... Read More »
The Northamptonshire acute and emergency healthcare system is still under strain going into 2017. The trend for attendances to A&... Read More »
Northamptonshire’s health and social care organisations have today published their five year plan to reshape and improve the... Read More »
The NHS is raising awareness about modern slavery to mark Anti-Slavery Day. Modern slavery is the recruitment, movement, harbouring... Read More »
This privacy notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It covers information we collect directly from you or receive from other individuals or organisations.
Corby Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.
For further information please refer to the ‘about us’ page.
This Privacy Notice is part of our programme to make transparent the data processing activities we are carrying out in order to deliver on our commissioning activities.
This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.
It covers information we collect directly from you or receive from other individuals or organisations.
This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to:-
NHS Corby Clinical Commissioning Group
Corby Enterprise Centre
Phone: 01536 560420
Reviews of and Changes to our Privacy Notice
We will keep our privacy notice under regular review. This privacy notice was last reviewed in August 2016.
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Corby CCG is a Data Controller under the terms of the Data Protection Act 1998 we are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you is done in compliance with the 8 Data Protection Principles.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3584112 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We would not share information that identifies you unless we have a fair and lawful basis such as:
All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only use the minimum amount of information necessary about you.
Information in the CCG is held for a specific length of time depending on the type of information it is.
The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: Records Management Code of Practice for Health and Social Care 2016.
Once information has been reviewed and is no longer required to be kept by a retention period the information will be securely destroyed. Information is securely destroyed via an approved confidential paper and shredding recycling contractor.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.
You have the right to privacy and to expect the NHS to keep your information confidential and secure.
You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
These are commitments set out in the NHS Constitution, for further information please visit
You have the right to withdraw consent to us sharing your personal information if you do not wish us to process or share your information
If you do not agree to certain information being processed or shared with us or by us, or have any concerns then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.
You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact us on Corby CCG
What is the patient opt-out?
The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".
You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care unless one of the following criteria applies which means that it isn’t possible to opt out of having your information shared:
• The information is used to support your direct care and treatment
• You have consented to the use of your information (whether before or after registering their type 2 opt-out) for a specific purpose such as a research study
• A mandatory legal requirement (such as a court order) exists.
• The information released is not considered to be identifiable personal confidential data
• The information is made available in anonymised form
• The information is used to support the management of communicable diseases and other risks to public health under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002
There are several forms of opt- outs available at different levels. These include for example:
Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation.
Type 1 opt-out
If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Records for patients who have registered a type 2 opt-out will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.
Type 2 opt - out
The Health and Social Care Information Centre (HSCIC) collects information from a range of places where people receive care, such as hospitals and community services.
To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by the HSCIC for purposes other than their own direct care, this is known as the 'Type 2 opt-out'
If you do not want your personal confidential information to be shared outside of the HSCIC, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice.
Patients are only able to register the opt-out at their GP practice.
Further Information and Support about Type 2 opt-outs
For further information and support relating to type 2 opt-outs please contact the HSCIC contact centre at firstname.lastname@example.org referencing 'Type 2 opt-outs - Data requests' in the subject line; or
Alternatively, call the HSCIC on (0300) 303 5678; or
Alternatively visit the website http://www.hscic.gov.uk/article/7092/Information-on-type-2-opt-outs.
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
Subject Access Requests
Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
To make a request to any personal information we may hold you need to put the request in writing to our contact address provided further below.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting us at the contact address further below.
Confidentiality Advice and Support
The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing.
The contact details of our Caldicott Guardian is as follows:
NHS Corby Clinical Commissioning Group
Corby Enterprise Centre
Phone: 01536 560420
As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.
Our records maybe held on paper or in a computer system. The types of information that we may collect and use include the following:
Personal Confidential Data: This term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this guide ‘personal’ includes the DPA definition of personal data, but it is adapted to include dead as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act. Used interchangeably with ‘confidential’ in this document.
Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification (identification is not likely to take place).
Our Uses of Information
Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information:
To process your personal information if it relates to a complaint where you have asked for our help or involvement.
We will need to rely on your explicit consent to undertake such activities.
Complaint Processing Activities
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We will publish service user stories, following upheld complaints, anonymously via our governing body. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we publish the service user story.
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.
This may be called an “Individual Funding Request” (IFR).
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Because of public Interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this Use
Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.
Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.
Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
Data Processing activities for Risk Stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.
The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
The service provider that is for our data processor for Risk Stratification purposes is the Arden & GEM CSU.
The CCG has commissioned Arden & GEM CSU to conduct risk stratification on behalf of itself and its GP practices.
This processing for risk stratification takes place under contract with the Arden & GEM CSU, following these steps below:
The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.
This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.
If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
Corby Clinical Commissioning Group (CCG) is responsible for paying for health services within Corby. We are required to check healthcare invoices to ensure that they are accurate and genuine.
To do this the CCG needs to be able to identify you so that the patient and the care provided match. Once your personal details have been used to check the validity of your care invoice, your personal details are deleted from our system before the invoice is processed for payment.
The Invoice validation process involves using your NHS number and occasionally your postcode or date of birth to establish which NHS organisation is responsible for paying for your treatment. The information is only accessible by named staff in a controlled environment.
Corby CCG uses the services of Arden & GEM CSU to undertake this activity on our behalf. NHS Arden & BGEM CSU perform invoice validation within a secure processing environment and with a restricted number of authorised staff. Nationally, this arrangement is known as a Controlled Environment for Finance and is approved by NHS England. Information is used within a controlled setting (known as a Controlled Area for Finance) to ensure that organisations have provided the correct care and can be paid. All activities and personal information relating to invoice validation remain within this Controlled Environment.
The Secretary of State for Health has approved the NHS England application for support under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (Section 251 Support). This allows Clinical Commissioning Groups (CCGs) and Commissioning Support Units (CSUs) to process Personal Confidential Data (PCD) which are required for invoice validation purposes. Arden & GEM CSU as an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables them to process patient identifiable information without consent for the purposes of invoice validation – CAG 7- 07(a)(b)(c)/2013 on our behalf.
Patient and Public Involvement
If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.
We will rely on your consent for this purpose
Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
To collect NHS data about service users that we are responsible for.
Our legal basis for collecting and processing information for this purpose is statutory.
Hospitals and community organisations that provide NHS-funded care must submit certain information to the Health and Social Care Information Centre (HSCIC) about services provided to our service users.
This information is generally known as commissioning datasets. The CCG obtains these datasets from the HSCIC and they relate to service users registered with GP Practices that are members of the CCG.
These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population and to gain evidence that will improve health and care through research.
The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the HSCIC website.
More information about how this data is collected and used by the Health and Social Care Information Centre (HSCIC) is available on their website http://www.hscic.gov.uk/patientconf
We also receive similar information from GP Practices within our CCG membership that does not identify you. We use this datasets for a number of purposes such as:
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.
For Other organisations to provide support services for us
This often involves those organisations processing data on our behalf, for example we use a Commissioning Support Unit to deliver the Continuing Healthcare service for our service users.
We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.
These organisations are known as “data processors”. .
Below are details of our data processors and the function that they carry out on our behalf:
These organisations are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purposes.
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
To support research oriented proposals and activities in our commissioning system
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.
Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.
Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.
Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.
If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let you GP Practice know. They will add a code to your records that will stop you information from being used for research.
.NHS Corby CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Minister for the Cabinet Office takes responsibility within government for public sector efficiency and reform. The Minister for the Cabinet Office is also the Chair of the Fraud, Error and Debt Taskforce, the strategic decision-making body for all fraud and error, debt and grant efficiency initiatives across government.
Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
All bodies participating in the Cabinet Office’s data matching exercises receive a report of matches that they should investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update their records accordingly.
For further information on data matching at NHS Corby CCG contact Antony Upton, Local Counter Fraud Specialist, on 07484 040694.
Alternatively you can contact Antony by email: email@example.com
If you have any questions or concerns regarding how we use your information, please contact us at:
Post: NHS Corby Clinical Commissioning Group
Corby Enterprise Centre
Phone: 01536 560420
For independent advice about data protection, privacy and data-sharing issues, you can contact the:
Wycliffe House, Water Lane,
Cheshire, SK9 5AF.
Phone: 08456 30 60 60 or 01625 54 57 45
Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in: