How does the CCG use my information?

Who we are and what we do.

NHS East Surrey Clinical Commissioning Group (CCG) is responsible for commissioning (buying) hospital, community and mental health services across East Surrey. We are made up of 17 GP member practices that work together to ensure the people of East Surrey have access to high quality healthcare services. East Surrey CCG is the local NHS organisation that brings together local GPs and other experienced health professionals to take on planning, buying and monitoring responsibilities (also known as commissioning) for local health services. The CCG is responsible for planning, buying and monitoring:

  • the care and treatment you may need in hospital and community health services, including district nurses, physiotherapy and other therapies
  • mental health services
  • the medicines you may be prescribed

We also manage patient feedback, including complaints, about the services we commission. This helps us to understand what is working well and what is causing problems for our patients.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website.  You can search by our CCG name or ICO Data Protection Register number: Z3622215.

The CCG is not responsible for hospital records or information held by your GP e.g. your GP record.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence cannot normally be disclosed without your consent. However there are circumstances which may override this duty of confidence, for example where a disclosure is ordered by the courts.

The NHS Confidentiality Code of Practice requires all our staff to protect your information, tell you how it will be used, and allow you to decide if, and how, it can be shared.

We are also required to comply with other legislation relating to the use of personal information, such as the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

Who is Responsible for Looking after your data?

The individuals appointed to the following roles are responsible for all information about you held by the CCG, whether you are a patient, service user, member of staff, or member of the public.

Senior Information Risk Owner (SIRO): the SIRO is responsible for ensuring that your information is handled securely.

East Surrey CCG’s SIRO is:

  • Sumona Chatterjee
  • Tel: 01883 772800​
  • e-mail:


Data Protection Officer (DPO): we have a Data Protection Officer who is a data protection and information and cyber security expert, reporting directly to the highest level of management within the CCG.

The DPO acts independently and is responsible for informing and advising the CCG and our staff of their obligations under existing and forthcoming data protection law. The DPO is also responsible for awareness-raising, staff training, the provision of advice, and monitoring the CCG’s compliance with all European and UK data protection law and with the CCG’s data protection related policies.

NHS East Surrey CCG’s DPO is: 


Caldicott Guardian: A Caldicott Guardian is responsible for making sure that your information is handled properly in line with your rights and the law. They ensure information is shared appropriately, effectively acting as the conscience of the organisation.

East Surrey CCG’s Caldicott Guardian is:

Information Governance Team: Information Governance services are provided to East Surrey CCG by NHS South, Central and West Commissioning Support Unit (SCW CSU). The CSU Information Governance Team is responsible for supporting the Caldicott Guardian, the Senior Information Risk Owner and the Data Protection Officer in ensuring that your personal information is collected, used and shared appropriately, securely and in line with the law.

Information Governance Team (East Surrey CCG):

What kind of Information do we use?

As a Commissioner we do not routinely hold or have access to your medical records.  However, we may need to hold some personal information about you, for example:

  • Your name, address, your date of birth, your NHS number and contact details
  • Details of your GP, what treatment you have received and where you received it
  • Details of concerns or complaints you have raised about your health care provision that we need to investigate
  • Details you give us if you ask for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered by our contracts with organisations that provide NHS care
  • Your contact details and preferences if you ask us to keep you regularly informed and up to date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user/Patient Participation Groups


Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.  Our records may be held on paper or electronically in a computer system. 

We use the following types of information/data:

  • Personal – this is information containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth.
  • Special Categories – personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sex life or sexual orientation, and health, biometric or genetic data
  • Confidential Information - this term describes information or data about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
  • Pseudonymised – this is data that has undergone a technical process that replaces your identifiable information, such as NHS number, postcode and date of birth, with a unique identifier (a pseudonym). Pseudonymised data is individual-level information in which individuals can be distinguished by a coded reference that does not reveal their ‘real world’ identity. The organisation that holds the key or lookup table used to create the pseudonyms can still track the data back to the individual, which is why pseudonymised data is still treated as personal data under the GDPR.
  • Anonymised – this is data about individuals in a form that does not identify individuals and where identification through its combination with other data is not reasonably likely to take place.
  • Aggregated – this is statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.


How long do you hold confidential information for?

All records held by the CCG will be kept for the duration specified by national guidance from the Department of Health.

What do we use anonymised, pseudonymised and aggregated data for?

We use anonymised data to plan health care services. Specifically we use it to:

  • check the quality and efficiency of the health services we commission
  • prepare performance reports on the services we commission
  • predict what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future
  • review the care being provided to make sure it is of the highest standard

What is my sensitive and personal information used for?

There are times when the CCG may hold and use sensitive personal information about you; for example, the CCG is required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information include:

  • a process where you or your GP can request special treatments that are not routinely funded by the NHS, which are known as individual funding requests
  • assessments for continuing healthcare and appeals
  • responding to your queries, compliments or concerns
  • assessment and evaluation of safeguarding concerns

We also use sensitive personal information where a specific legal provision permits it under defined conditions, for example to:

  • understand the local population needs and plan for future requirements, which is known as “risk stratification for commissioning".
  • ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”.
  • monitor access to services, waiting times and particular aspects of care.

Sensitive personal information may also be used in the following cases:

  • the information is necessary for your direct healthcare
  • the CCG is responding to a communication from a patient, carer or Member of Parliament
  • you have freely given your informed agreement (consent) for us to use your information for a specific purpose
  • there is an overriding public interest in using the information, e.g. in order to safeguard an individual or to prevent a serious crime
  • there is a legal requirement that allows us to use or provide information (e.g. a formal court order)

What activities do we process data for, and on what legal basis?

There are some specific business activities for which the CCG processes data. These activities, and the legal basis we rely on for processing the information in each case, are listed below.

NHS Continuing Health Care (CHC Applications)

When individuals make applications for Continuing Health Care funding, East Surrey CCG will use personal identifiable information (PID) to request information from care providers in order to identify eligibility for funding.

East Surrey CCG has contracted Surrey Downs CCG to deliver this service on our behalf.

This process is nationally defined, and the CCG follows a national process using standard information collection tools when assessing eligibility for CHC applications.

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for your needs to be assessed and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.

Risk Stratification

Risk stratification is a process that uses pseudonymised, anonymised and aggregated (de-identified) data from health care services to determine which people are at risk of experiencing certain outcomes, such as unplanned hospital admissions.


Risk stratification tools are used by CCGs to analyse the overall health of a population using data that is anonymised in line with the Information Commissioner's Office (ICO) Anonymisation Code of Practice. The combined Secondary Uses Service (SUS) data and GP data, which contains an identifier (usually the NHS number), is made available only to clinicians with a legitimate relationship with their patients, to enable them to identify which patients should be offered targeted preventative support to reduce those risks.

The CCG has commissioned a company, Sollis, to provide the risk stratification software solution on behalf of itself and its GP practices.

Reports produced from the system that include identifiable data are only provided back to your GP or a member of your care team. CCG commissioners also have access to the risk stratification tool to support and inform commissioning decisions, but they CANNOT see patient identifiable data as part of this.

Support under Section 251 of the NHS Act 2006 is currently in place to allow the CCG’s risk stratification tool to receive and link identifiable patient information from NHS Digital and from local GP practices.

If you do not wish information about you to be included in the risk stratification programme please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.


Safeguarding Adults and Children

Advice and guidance is provided to care providers to ensure that adult and children's safeguarding matters are managed appropriately. Identifiable information will be shared in some limited circumstances where this is legally required for the safety of the individuals concerned. We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

The CCG relies on a statutory basis, defined under the Care Act 2014, rather than consent to process information for this use.


Comments, Complaints, Concerns and Compliments

When the CCG receives feedback from an individual, whether a comment, concern, complaint or compliment, the communication will normally include personal information about the individual or about others involved.

Before we proceed with handling your complaint we will obtain the explicit, written consent of the patient involved. We ensure they are aware of how and with whom their data may be shared by us, including if they have a representative they wish us to deal with on their behalf.


Supporting Medicines Management and Optimisation

East Surrey CCG pharmacists work with GP practices to provide advice on medicines and prescribing queries, process repeat prescription requests and review prescribing of medicines to ensure that it is safe and cost-effective. This may require the use of identifiable information.

In cases where identifiable data is required, this is done with the practice's agreement and, in the case of repeat prescription processing, with patient consent. No data is removed from the practice’s clinical system and no changes are made to patients' records without permission from the GP. Patient records may be viewed remotely via secure laptops from the CCG's premises and in care homes or patients' homes.

Identifiable data is also used by our pharmacists in order to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded. In cases where identifiable data is required, this is done with the consent of the patients via the electronic high cost drug authorisation form. The legal basis for the CCG to process this information is in order to provide Direct Care Provision (GDPR Art. 9(2)(h)) to a patient.

East Surrey CCG contracts Medicines Management and Optimisation services from Surrey Downs CCG.


Invoice Processing and Validation

The CCG may need to pay another healthcare provider for services delivered, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received.

Before paying the invoice, we need to be sure that we, and not another CCG, are responsible for your treatment costs, and to check that the amount being billed is correct. This process is known as invoice validation. For invoice validation to occur, a limited amount of identifiable (personal confidential) information about you needs to be processed.

Once the invoice has been paid, the limited information held about you for this purpose is deleted, as it is no longer required. If the information is needed again, to respond to a question, it will be requested from the healthcare provider, the question answered and the information deleted again.

CCGs are required to complete this task under Section 251 of the NHS Act 2006 and the NHS Constitution (Health and Social Care Act 2012).

East Surrey CCG use other organisations to process invoices on our behalf – NHS Shared Business Services (SBS) and NHS South, Central and West Commissioning Support Unit (CSU).

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal identifiable data which you have agreed to share with us.

We will rely on your explicit consent for this purpose. You have the right to withdraw your consent at any time.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose.

Quality Monitoring and Incident investigation

East Surrey CCG is responsible for ensuring that the care you receive is safe, effective and of good quality, and we have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, to secure continuous improvement in the quality of services provided.

If concerns are raised about the care provided, or an incident has happened, we need to investigate.

To do this we may require identifiable, personal confidential, pseudonymised or anonymised data given to us by GPs and other health care professionals, which may include details of the care you have received and any concerns about that care.

Commissioning Services

Type of Information – Pseudonymised/ Anonymised

Purpose – To collect NHS data about services we have commissioned to provide services to you.  We also work with other local CCGs and often hold joint contracts and commission joint services to make best use of the money available to us.

Legal Basis - Our legal basis for collecting and processing information for this purpose is statutory.  We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you. 

Data Processor – NHS Digital collects various data sets from NHS service providers, as agreed locally. All identifying information about you is removed by NHS Digital before the information is made available for the CCG to monitor and manage its contracts. We have also signed a Data Sharing contract with NHS Digital and have been given approval to use a wide range of data to help us commission care services. This agreement makes sure that we only process data that does not identify you, that we keep the information secure and that we do not share it without the agreement of NHS Digital. For more information about the types of data that NHS Digital collects, please use this link.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre), with ways of collecting and using patient data that cannot identify a person, to help commissioners design and procure the combination of services that best suits the population they serve.

It is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as Secondary Uses Service (SUS) data (hospital inpatient, outpatient and A&E data). When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity, as the CCG does not have access to patient identifiable data for this purpose.
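The linkage described above, and the definition of pseudonymised data under "What kind of Information do we use?", are illustrated by the following example. It is added here and is not part of the CCG's notice, nor the CCG's, NHS Digital's or Sollis's actual tooling: the page does not say how pseudonyms are generated, so the keyed HMAC-SHA256 construction, the dummy NHS numbers, the field names and the small candidate list are all assumptions. It shows why two datasets link on a pseudonym, why the party holding the key can track a pseudonym back to a person (so pseudonymised data is still personal data), why a recipient without the key cannot, and why an unkeyed hash of an NHS number is not a pseudonym at all, because the space of valid NHS numbers is small enough to enumerate.

```python
"""Keyed pseudonymisation and linkage of two datasets on a pseudonym.
Added example; the HMAC construction, dummy records and candidate list are
assumptions, not the CCG's or NHS Digital's actual process."""
import hashlib
import hmac
import secrets

# Constructed sample records with dummy NHS numbers (not real patients).
GP_RECORDS = [
    {"nhs_number": "9434765919", "postcode": "RH8 0BT", "dob": "1950-01-01", "conditions": 3},
    {"nhs_number": "4010232137", "postcode": "RH1 1AA", "dob": "1985-06-30", "conditions": 0},
]
SUS_RECORDS = [
    {"nhs_number": "9434765919", "postcode": "RH8 0BT", "dob": "1950-01-01", "admissions": 2},
    {"nhs_number": "1234567881", "postcode": "RH2 2BB", "dob": "1970-12-12", "admissions": 1},
]
DIRECT_IDENTIFIERS = ("nhs_number", "postcode", "dob")


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256(key, NHS number), truncated to 64 bits.
    The same key gives the same pseudonym, so datasets link; without the
    key nobody can recompute the mapping."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> list:
    """Drop the direct identifiers and attach a pseudonym; clinical fields stay."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["pseudo_id"] = pseudonym(rec["nhs_number"], key)
        out.append(kept)
    return out


def link(gp: list, sus: list) -> list:
    """Join pseudonymised GP and SUS records on pseudo_id (inner join)."""
    sus_by_id = {r["pseudo_id"]: r for r in sus}
    return [{**g, **sus_by_id[g["pseudo_id"]]} for g in gp if g["pseudo_id"] in sus_by_id]


def reidentify(pseudo_id: str, key: bytes, candidates: list) -> "str | None":
    """Key holder (e.g. the GP practice) tracks a pseudonym back to a person by
    recomputing pseudonyms over the NHS numbers it already knows."""
    for n in candidates:
        if hmac.compare_digest(pseudonym(n, key), pseudo_id):
            return n
    return None


def reverse_unkeyed(digest: str, candidates: list) -> "str | None":
    """Attacker's view of an UNKEYED sha256(NHS number): NHS numbers are ten
    digits with a check digit, so the whole space (about 10^9 values) can be
    hashed offline; this demo enumerates only a small constructed pool."""
    for n in candidates:
        if hashlib.sha256(n.encode()).hexdigest() == digest:
            return n
    return None


def demo() -> dict:
    """Run the whole flow and return the checkable outcomes."""
    key = secrets.token_bytes(32)  # held only by the pseudonymising party
    gp = pseudonymise(GP_RECORDS, key)
    sus = pseudonymise(SUS_RECORDS, key)
    pool = [r["nhs_number"] for r in GP_RECORDS + SUS_RECORDS]
    target = gp[0]["pseudo_id"]
    return {
        "linked": len(link(gp, sus)),  # one patient appears in both datasets
        "identifiers_removed": not any(f in r for r in gp + sus for f in DIRECT_IDENTIFIERS),
        "key_holder_recovers": reidentify(target, key, pool),
        "without_key": reidentify(target, secrets.token_bytes(32), pool),
        "unkeyed_hash_reversed": reverse_unkeyed(hashlib.sha256(b"9434765919").hexdigest(), pool),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the key: a recipient of the pseudonymised records (the commissioner in the text) can link and analyse but cannot recover identities, while the party that holds the key (here standing in for the GP practice or care team) can. Truncating the HMAC to 64 bits is enough for linkage at population scale but is an assumption; a real deployment would also rotate or segregate keys per data flow so that pseudonyms issued for one purpose cannot be joined to another.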

NHS Digital takes the responsibility for looking after care information very seriously. Please follow the links on how NHS Digital looks after information for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that it does, all it directs or commissions, and takes care to meet its legal duties. Follow the links on the NHSE How we use your information page for more details.

Details of other organisations we share information with

We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure that the external data processors supporting us are legally and contractually bound to operate, and to demonstrate, appropriate security arrangements wherever data that could or does identify a person is processed.

Although this is not an exhaustive list, the following are key examples of the purposes and organisations involved.

We share sensitive information with the following organisations

We share anonymised data with the following organisations

  • BDO LLP – auditor of CCG accounts
  • Tandridge District Council – document disposal

Before awarding any contract, and during the life of the contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

What if I don’t want information about me shared with others?

If you do not want your information to be used for purposes beyond providing your care you can choose to opt out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on the NHS Digital ‘Your personal information choices’ page.

There are two types of opt-outs available at different levels. These include:

Type 1 opt-out

If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.  Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.

National Data Opt-out 

The national data opt-out was introduced on 25 May 2018 and replaces the previous ‘type 2’ opt-out. NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. The new programme provides a facility for individuals to opt out of the use of their data for research or planning purposes. Anyone who had an existing type 2 opt-out will have had it automatically converted to a national data opt-out from 25 May 2018 and will have received a letter giving them more information and a leaflet explaining the new national data opt-out. The national data opt-out choice can be viewed or changed at any time by using the online service.

For further information and support about national data opt-outs you can contact NHS Digital:

  • Tel: 0300 303 5678 
  • Email:

Visit the website

Accessing your information

Under the General Data Protection Regulation (GDPR), you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make an Individual Rights Request (IRR). Please be aware that the CCG can only provide information held by us at the CCG and not information held by any other NHS organisation, e.g. your GP.
There is no charge for providing this information.

If you wish to make an Individual Rights Request, or have any other concerns or questions, please contact the Information Governance Team at:

NHS East Surrey CCG
Tandridge District Council Offices
8 Station Road
RH8 0BT​
Tel 01883 772800

Please note that in order to respond to Individual Rights Request we will need to share information about you with the NHS South, Central and West CSU.

If you are not happy with our response to your Individual Rights Request, please refer to our complaints process. If you have exhausted this process, wish to take your complaint to an independent body, and your complaint relates to Subject Access Requests or the handling of your personal information, you can contact the Information Commissioner's Office in writing at the following address:

Wycliffe House 
Water Lane 

You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

They are also contactable via email: 

Freedom of Information Requests

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. For more on our FOI process please visit:


If you have a comment, compliment or complaint about health services in East Surrey then please contact the complaints team.

If you would like this document in large print, on tape or in another language please contact us:

NHS East Surrey CCG
Tandridge District Council Offices
8 Station Road
RH8 0BT​

Tel 01883 772800​
Mobile 07827253111