Fair Processing / Privacy Notice for Patients

What is a Fair Processing or Privacy Notice? 

The purpose of this notice is to inform you of the type of information including personal confidential data that NHS Oldham CCG (Data Controller) holds, how that information is used, who we may share that information with, and how we keep it secure and confidential.

Personal confidential data, commonly known as PCD, is a term which came from an information governance review undertaken by Dame Fiona Caldicott and her team in July 2013. PCD is personal information, such as your name, address, date of birth and / or sensitive information such as your health information (as defined in the Data Protection Act 1998) which must be kept confidential and includes dead as well as living people’s information.

NHS Oldham CCG has a duty to ensure this is kept confidential, secure and used appropriately.

Who are we and what do we do? 

NHS Oldham CCG is responsible for buying (also known as commissioning) health services from healthcare providers such as Hospitals and GP Practices for our local population.  

We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on the services or by referring them to NHS England as appropriate.  


NHS Oldham CCG is the formal host for Greater Manchester Shared Services (GMSS). GMSS provides commissioning support services on behalf of the 12 Greater Manchester CCGs. 




The CCG processes several different types of information:

1          Identifiable – containing details that identify individuals.  The following are data items that are considered identifiable:  name, address, NHS Number, full postcode, date of birth

2          Pseudonymised information - individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity

3          Anonymised – about individuals but with identifying details removed

4          Aggregated – statistical information about several individuals that have been combined to show general trends or values with identifying individuals within the data.


Why we collect information about you 

We use anonymised data, which means you cannot be identified from that information and we will only use your personal confidential data with your consent or if there is a legal requirement to do so. For information that may identify you (known as personal confidential data) we would only use in accordance with the: 

§  Data Protection Act 1998 - This Data Protection Act requires us to have a legal basis if we wish to process any personal information.  

§  NHS Care Record Guarantee – sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made and investigating and managing inappropriate access (audit trails) 

§  NHS Constitution for England – this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure 

We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so. 

There are some specific areas, however, because of our assigned responsibilities where we do hold and use personal information. In order to process that information we will have met a legal requirement, in general this is where we have complied with one of the following:  

§  The information is necessary for direct healthcare for patients 

§  We have received consent from individuals to be able to use their information for a specific purpose 

§  There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime 

§  There is a legal requirement that will allow us to use or provide information (e.g. a formal court order) 

The areas where we use personal information are: 

§  Individual Funding Requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS. This is processed by Greater Manchester Shared Service Effective Use of Resources Team on behalf of the CCG. 

§  Continuing Healthcare Requests – these are assessments for continuing healthcare assessments (a package of care for those with complex medical needs). The CCG has a team who process these requests.  

§  Queries / Concerns and Complaints – The hosted GMSS provide a complaints service to Greater Manchester CCGs, including Oldham CCG act with your consent to investigate any issues 

§  Safeguarding - Assessment and evaluation of safeguarding concerns for individuals –old and young. The CCG has a safeguarding team who deal with this and they disclose information to other safeguarding partners when this is required 

§  Medicines Management / Optimisation Services – GMSS has a team that work with the CCG who are responsible for the clinical and cost effective use of medicines. The team works with practices to review drugs 

§  Patient Engagement - if you are a member of any of our patient participation groups, or have asked us to keep you up to date about our work and involved in our engagement and public consultations, the Communications team keeps this data about you. 

We keep your information in written form and / or on a computer stored securely and confidentially. 

The records include personal details about you, such as your name and address. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments.  

Information is held in accordance with the retention periods as set out in the Records Management: NHS Code of Practice. 

How we use information provided by the NHS Digital 

NB, HSCIC (Health and Social Care Information Centre) became known as NHS Digital on 1 April 2016. 

We use information collected by the NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund. 

The data we receive does not include patients’ names or home addresses, but it may include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.  

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group. 

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity. These terms and conditions can be found on the NHS Digital website 

Below are examples of section 251 approval: 

Invoice Validation 

CCGs and NHS England, which includes Commissioning Support Units, do not have a legal right to access personal confidential data (PCD) for the purpose of validating invoices. On 22 November 2013, the Secretary of State for Health approved applications from NHS England for section 251 support for PCD to be used to validate invoices lawfully, without the need to obtain explicit consent from the individual patient at a local level. 

Invoice validation is an important process which the CCG carries out. This involves using your NHS number to establish which CCG is responsible for paying for your treatment. The process also ensures that those who provide you with care are reimbursed correctly for the care and treatment they have provided. The invoice validation process is done by Greater Manchester Shared Service who are registered as a Controlled Environment for Finance (CEfF) which ensures that procedures and systems for managing invoices on behalf of the CCG is in line with national requirements. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England. 

Risk Stratification (Pro-Active Care Management) 

Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.  

The CCG also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.  The CCG does not have access to your personal data.  The information is de-identified / pseudonymised. 

Pseudonymisation is a technical process that replaces identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. It allows records for the same patient from different sources to be linked to create a complete longitudinal record of that patient’s condition, history and care.  

The CCG uses a Data Services for Commissioners Regional Offices (DSCRO’s). NHS Oldham CCG use NHS Arden and Greater East Midlands (GEM) ( Commissioning Support Unit, Data Service for Commissioners Regional Office team (DSCRO) to assist in the process of Risk Stratification. NHS Arden & GEM Commissioning Support Unit process personal confidential data on behalf of the CCG under a contract agreement with the CCG that mandates that robust technical and organisational measures are in place to ensure the security and protection of information. 

Linkage of data from different health and social care data sources is undertaken enabling the processing of data and provision of appropriate analytical support for GPs and CCGs whilst protecting the privacy and confidentiality of the patient(s). 

Robust access controls are in place to ensure only GPs are able to re-identify information about their individual patients with their consent when it is necessary for the provision of their care. GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them, but the CCG will only have access to pseudonymised information to understand the local population needs. 

Handling Continuing Healthcare (CHC) Applications 

If you make an application for Continuing Healthcare (CHC) funding, Oldham CCG will use the information you provide and where needed, request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. This process is nationally defined and follows a standard process and Oldham CCG use standard information collection tools to decide whether someone is eligible.

Handling Individual Funding Requests (IFR) Applications 

If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, GMSS will use the information you provide and where needed, request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. We will always seek your consent to use your information for this purpose. When your request is shared with Oldham CCG decision-making panel, only health information required to inform the decision is shared, personal identifying information e.g. name, NHS No. address are redacted from shared information. 

Supporting Medicines Management 

CCGs support local GP practices with prescribing queries which generally don’t require identifiable information. 

GMSS supports Oldham CCG in processing funding requests for high cost drugs. However, any identifiable patient data provided to support the request is not shared with the CCG. 


Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. 

Post Infection Reviews 

CCGs collaborate with Public Health services and work closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection. 

CCGs participate in Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. They will be able to use the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system. 

Incident Management 

Oldham CCG is accountable for effective governance and learning following all Serious Incidents (SIs) and work closely with all provider organisations as well as commissioning staff members to ensure all SIs are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners should have a primary responsibility for ensuring quality, as well as providers. 

Sharing Information 

In order for Oldham CCG to perform its commissioning functions, information (mostly anonymised) is shared from various organisations which include general practices, acute and mental health hospitals, other CCGs, community services, walk-in centres, nursing homes, directly from service users and many others.  

We share anonymised information with other NHS and social care partners for the purposes of improving local services, research, audit and public health. We will not share personal confidential data about you unless:  

§  You have given us consent 

§  We are lawfully required to report to certain authorities such as to prevent fraud or serious crime 

§  To protected children and vulnerable adults (safeguarding) 

§  When a formal court order has been served upon us 

§  To protect the health and safety of others, for example, reporting an infectious disease 

We may share your information for health purposes and for your benefit with other organisations such as NHS England, NHS Hospitals, General Practitioners, etc. We may also need to share information with our partner organisations such as Ambulance Services, the Police, Housing Organisations and External Care providers. Information may also need to be shared with other non-NHS organisations, from which you are receiving care, such as the Local Authorities and other providers from which we commission services. Where information sharing is required with third parties, we will always have a relevant Data Sharing Agreement in place and will not disclose any health information without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk or where the law requires it or to carry out a statutory function. 

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.  

Our guiding principle is that we are holding your records in strictest confidence. 

The CCG will use the services of the additional data processors, who provide additional expertise to support the work of the CCG and the hosted GMSS by adding value to the analyses of data that does not directly identify individuals, as follows:

Data Processors

Sharing Pseudonymised data with other CCGs for collaborative working

Data Processor 1

NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU), St John’s House, East Street, Leicester, LE1 1NB

Data Processor 2

NHS Oldham CCG hosting: Greater Manchester Shared Services, Ellen House, Waddington Street, Oldham, OL9 6EE

Data Processor 3

Salford Royal NHS Foundation Trust hosting: Advancing Quality Alliance (AQuA), 3rd Floor, Gate House, Cross St, Sale, M33 7FT

Data Processor 4

Salford Royal NHS Foundation Trust hosting:
Academic Health Sciences Network (Utilisation Management Team), Salford Royal NHS Foundation Trust Data Centre, Stott Lane, Salford, M6 8HD

Manchester CCG

Bury CCG

Heywood, Middleton and Rochdale CCG

Tameside and Glossop CCG

Bolton CCG

Wigan Borough CCG

Salford CCG

Trafford CCG

Stockport CCG

Oldham CCG


We ensure that our partner agencies have contracts / information sharing agreements which outline that your information is processed under strict conditions and in line with the law.

Keeping information secure and confidential

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff (who because of their role) have regular access to personal information will have received additional specialist training.

We take relevant organisational and technical measures to ensure the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption.

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian, who in Oldham CCG is Dr Zuber Ahmed. In addition, the hosted GMSS has a dedicated Caldicott Guardian, Mr Andrew White.

Your right to withdraw consent / opt out to processing your personal information

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".

At any time, you have the right to opt out / withdraw consent to the CCG processing your information or sharing this with others unless there is a law that enables us to do this. The possible consequences will be fully explained to you and please be aware that could cause delays in receiving care. 

You have the right to refuse/withdraw consent to information sharing at any time.  The possible consequences can be fully explained to you and could include delays in receiving care.

If you wish to opt out of your data being processed and / or shared onwards with other organisations, please contact the CCG patient advice and liaison service (PALS) at the following address: patientservices.gmcsu@nhs.net

There are several forms of opt- outs available at different levels. These include for example:

A.        Information directly collected by the CCG:

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation.

B.        Information not directly collected by the CCG, but collected by organisations that provide NHS services.

Type 1 opt-out

If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Records for patients who have registered a type 2 opt-out will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.

Type 2 opt - out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.

To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care, this is known as the 'Type 2 opt-out'

If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice.

Patients are only able to register the opt-out at their GP practice.

Further Information and Support about Type 2 opt-outs

For further information and support relating to type 2 opt-outs please NHS Digital contact centre at enquiries@hscic.gov.uk referencing 'Type 2 opt-outs - Data requests' in the subject line; or

Alternatively, call NHS Digital on (0300) 303 5678; or

Alternatively visit the website: http://digital.nhs.uk/article/7092/Information-on-type-2-opt-outs

How can you get access to information held about you at the CCG?

The Data Protection Act 1998 gives you the right to request to view or have a copy of your records held by the CCG.  You do not need to give a reason, but you may be charged a fee.

If you want to request access to your information held by the CCG and / or request audit trail information, you need to make a written request to:

For health records:

Health Records         
NHS Oldham CCG        
Ellen House
Waddington Street

For Continuing Health Care (CHC) records:

Michelle Mellor
Continuing Health Care
NHS Oldham CCG
Ellen House
Waddington Street
OL9 6EE 

As noted above, the CCG holds limited health information about you where it can use this for direct care purposes, some you may also have to contact the NHS organisation(s) where you are being, or have been treated. 

You should also be aware that in certain circumstances, your right to see some details in your health records may be limited in your own interest or for other reasons.


The Data Protection Act 1998 requires organisations to notify with the Information Commissioners Office (ICO) to describe the purposes for which we process personal confidential data on a yearly basis.  The Information Commissioners Office is the UK's independent body set up to uphold information rights. 

NHS Oldham CCG have dutifully notified and you can access this notification via the ICO website at www.ico.org.uk.


If you have any questions or concerns regarding the information we hold on you or the use of your information, please contact us at: 

NHS Oldham CCG
Ellen House
Waddington Street

 Main switchboard: Tel: 0161 622 6400

Patient Advice and Liaison and Complaints:
0161 212 6270, email: patientservices.gmcsu@nhs.net

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioners Office (ICO):

Information Commissioner Office (ICO)
Wycliffe House
Water Lane