How the CCG Uses Your Information

(Last updated September 2016)

This notice explains the NHS Scarborough and Ryedale Clinical Commissioning Group’s privacy policy and how we will use and protect any information about you that you give us when you contact us by whatever method.

This privacy statement only covers the NHS Scarborough and Ryedale Clinical Commissioning Group and does not cover any other organisations, including organisations that can be linked to from this site. It is important that when you move to another site, or engage in correspondence with another organisation, you read the privacy statement of that organisation. This notice explains:

Who We Are and What We Do

Scarborough and Ryedale Clinical Commissioning Group (hereafter referred to as “the CCG”) is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012.

CCGs are groups of GP Practices that are responsible for commissioning health and care services for the local community, for example hospital services, nursing in the community and mental health services. We ensure the care providers provide safe, high-quality care, which includes responding to concerns from our citizens; please see below for details of how to make comments and complaints.

As a Clinical Commissioning Group we have many other functions, but these do not generally need data that may specifically identify an individual.

The CCG commissions healthcare services from a number of NHS bodies and non-NHS bodies, such as independent sector treatment centres, private providers and voluntary bodies. 

Primary care is the first point of contact for someone when they contract an illness, suffer an injury or experience symptoms that are new to them. It is generally regarded as the ‘gateway’ to receiving more specialist care. This contact will be with a GP, Dentist or Optician. A list of our GP practices can be found here.

Patients may be referred to a secondary care professional – a specialist with expertise on the patient’s issue. These are consultant-led services. Secondary care is usually (but not always) delivered in a hospital/clinic with the initial referral being made by a primary care professional.

We commission Secondary Care services from a range of providers of healthcare services; key providers are listed below.

  • York Teaching Hospital NHS Foundation Trust
  • The Leeds Teaching Hospitals NHS Trust
  • Tees, Esk and Wear Valley NHS Trust
  • Leeds and York Partnership NHS Foundation Trust
  • South Tees Hospitals NHS Foundation Trust

These bodies will use your personal information to provide the healthcare services which they have been commissioned to provide. Each organisation is responsible for publishing information about how they use your personal information.

The Data Protection Act 1998

Under the Data Protection Act 1998 (DPA) the CCG is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.

The Data Protection Act 1998 says that personal data means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. So person identifiable data usually refers to grouped data. This may be your name, address, date of birth etc. 

The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The CCG will not pass on your details to any third party or other government department unless you consent to this or where it is necessary and we are allowed or required to by law.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.

The NHS Scarborough and Ryedale Clinical Commissioning Group’s registration number is Z3527047.
View the CCG’s Notification online here

The entry sets down:

  • The purpose for which the personal data are held, such as the management of personnel, provision of health services to the local community, marketing or research;
  • Categories of individuals, such as employees, services users, CCG members;
  • Categories of personal information held, such as name, address, medical history;
  • To whom the personal information will be disclosed, such as NHS England, Central Government;
  • Whether personal information will be transferred overseas.

Data Protection Officer – Queries Regarding Data Protection Issues

New legislation (General Data Protection Regulation and Data Protection Act 2018) mandates that the CCG appoint a Data Protection Officer (DPO).  This is because we are a public body.

The DPO will assist us to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects (members of the public and employees) where there are concerns or queries regarding Data Protection.  The DPO will also act as a contact point for communication with the Information Commissioner’s Office.

The CCG has appointed a shared service, provided by eMBED Health Consortium, to deliver the DPO role.

If you wish to contact the DPO then please use the following contact details stating in the heading which organisation you are enquiring about:

DPO : Caroline Million
DPO contact details: embed.gdpr@nhs.net

Information we collect and how we use it

For most of our work we do not need to know personal details. It should be noted that information which cannot identify an individual does not come under the Data Protection Act 1998.

The CCG receives, uses and holds statistical information about the health care provided to the population of the local community to allow it to better plan and commission health services for the local area.

The law provides some NHS bodies, particularly the Health and Social Care Information Centre (HSCIC), ways of collecting and using patient data from health care providers that cannot identify a person (anonymised) to help Commissioners to design and procure the combination of services that best suit the population they serve.

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. The process of anonymising personal data protects it from inappropriate use or disclosure. (For further information regarding definitions and how the Data Protection Law applies please see the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/  and NHS Digital: http://digital.nhs.uk/article/3638/Personal-data-access-FAQs )

Data may be linked and de-identified by these special bodies so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

Unless there is another lawful basis, only anonymous statistical data, normally aggregated, may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

This could include:

  • Monitoring the quality and efficiency of services commissioned
  • Statistical analysis of the local population’s illnesses
  • Preparing national data submissions for quality and cost

The CCG does not directly provide health care services and therefore does not create or hold any clinical records about any individuals. If you wish to have sight of your own personal health care records you will need to apply to your GP Practice, or the NHS Hospital or NHS organisation which provided your healthcare.

There are functions for which the CCG may process data that may identify an individual; however, we try to limit this to the individual’s NHS number or postcode, and have controls in place to prevent the identity of that individual becoming known by staff within the CCG.

There are some specific purposes for which the CCG may process information that may allow the right people to identify an individual; however, this is normally limited to an individual’s NHS number or postcode, and there are controls in place to prevent the identity of that individual becoming known by staff within the CCG. These functions are:

  • Analysing the health information of the local population by NHS Number so that GPs may identify patients who require specific targeted health care in order to help those individuals manage their condition effectively.  We call this Risk Stratification. For further information please visit:
  • Risk Stratification: The CCG under its duties from the Health and Social Care Act commissions a Risk Stratification Service. This service enables your family doctor to undertake a pro-active approach to managing your health. A secure computer system reviews your personal information such as your Name, NHS Number, date of birth, post code and recent treatments you may have had at the surgery or in hospital and also any existing health conditions. The purpose of this system is to alert your doctor to the likelihood of a possible deterioration in your health. This information will be used to get you early care and further treatment if needed. Your doctor will have provided information to you about this service.

    Dr Foster (an organisation which is part of Embed Health Consortium) has been contracted to provide risk stratification services. This is an approved exception under section 251 of the NHS Act 2006.  The information will only be seen by qualified health workers involved in your care. NHS security systems will protect your health information and patient confidentiality at all times.

    The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCG does not have access to your personal data. The information is de-identified / pseudonymised. Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode or date of birth with a unique identification number to prevent the CCG staff working with the data tracing it back to an individual patient.

    You have a right to opt out of your information being used for risk stratification profiling. Your GP practice will make you aware if your information is being used for risk stratification and your right to opt-out.

    For further information please visit: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
  • Invoice validation: Invoice validation is an important process and is a statutory duty under the Health and Social Care Act in order to manage the CCG finances. It involves using your NHS number to confirm that the CCG is responsible for paying for your treatment. We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.  This is an approved exception under section 251 of the NHS Act 2006.
  • Where different providers are caring for the same person, we may ask for evidence of the provision of services before making payment, or we may design a service where the payment is all or partly based on providers ensuring the service user has a healthy outcome.
  • Where we have received an exemption for health and research purposes. This is called a S251 exemption and is approved and monitored through the Health Research Authority. If you wish to understand more about Section 251 please visit:

There are some functions for which the CCG will need to process data that directly identifies an individual.  This normally requires the individual’s consent, for example:

  • Individual Funding Requests (IFR). IFR is a process where patients, their GPs or Consultants can request treatments not routinely funded by the NHS. This service requires holding and processing patient information to assess the requests for care and, if appropriate, approve them. Sometimes, it may be necessary to speak with the care providers about the patient to assess the request. This service is provided by North East Commissioning Support (NECS).

    You are entitled to withdraw your consent to your personal information being shared by your care providers at any point but please note that information already shared for this purpose cannot be retracted and future limitation on sharing may mean your funding request cannot be properly considered.
  • Business support services, for example Human Resources, Information Technology Management and Business Intelligence services. These services are provided by eMBED Health Consortium.
  • Case management (Continuing Healthcare, Funded Nursing Care and Mental Health & Vulnerable Adults), Adult Safeguarding, Mental Health & Vulnerable Adults and Children, Young People & Maternity Services, and Legal Services. These services are provided by the Partnership Commissioning Unit (PCU), hosted by the Scarborough and Ryedale CCG. In order for the PCU to provide these services they need to collect and keep a record of personal information about the person to whom the service is to be provided. This record may be either written down or held electronically on computer. These details may include:

             - Basic details such as name, address, and next of kin
             - Details of health conditions, diagnostic tests, treatments and medication
             - Information from other health care professionals and those who provide care

    Note: This information may be shared with other agencies involved in providing care or where required by law, for example with social services or for safeguarding purposes; however, such information will only be shared with the appropriate consent or under a statutory legal requirement.  You are entitled to object to your information being shared with specific agencies; however, it should be noted that this may mean that the provision of appropriate care may be limited.
  • Medicines Management Reviews. This service performs a review of prescribed medications to ensure patients receive the most appropriate and cost effective treatments. The CCG commissions this service through NHS Harrogate and Rural District CCG.  NHS Harrogate and Rural District CCG website is at http://www.harrogateandruraldistrictccg.nhs.uk/
  • Review of existing services with a view to improvement and/or for CCG statutory purposes as outlined below

Referral Management, (Choose and Book) Service

When you and your GP agree that you need a secondary care appointment, you can choose which hospital or clinic you go to. The Referral Management Service provides access to a system, (Choose and Book) that lets you choose your hospital or clinic and book your first appointment.

The Referral Support Service

When it has been identified by your GP that you require further diagnosis and/or treatment/care your GP will make a referral to a secondary care service.  For some specialties your referral will be reviewed by an independent specialist doctor to ensure that you receive the most effective care.  This involves a review of a copy of your GP referral against agreed clinical pathways with the aim of ensuring the patient is seen by the right clinician, in the right place at the right time.  These arrangements provide for an additional ‘check’ of referrals by a team of contracted clinicians.

Your GP should discuss transferring your information to a specialist with you during your consultation and request your permission for the transfer.

The CCG commissions both the Referral Management Service and the Referral Support Service through the Vale of York CCG.  NHS Vale of York CCG website is at www.valeofyorkccg.nhs.uk

CCG Statutory Purposes

The CCG is required by law to report identifiable information it may hold about you to other authorities under the following circumstances:

  • Statutory compliance, e.g. reporting of infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS).
  • Investigation of the causes of an infection, sometimes contagious, which may cause risk to the public (Post Infection Review). We do not always need to ask permission to access a person’s record if there is a risk to the public; this is a statutory obligation on the CCG.
  • Notification of births

(The above may be linked to national statistical datasets in an anonymised format only in order to monitor trends of infectious diseases, other infections and birth rates).

  • To allow the organisation to fulfil its obligations to safeguarding children and vulnerable adults; this is a statutory obligation on all NHS Organisations.

    The CCG has a responsibility, along with other NHS organisations and every healthcare professional, to ensure that people in vulnerable circumstances are not only safe but also receive the highest possible standard of care. The welfare of the people who come into contact with the services commissioned by the CCG is paramount and it has a statutory responsibility for ensuring that the organisations from which it commissions services provide a safe system that safeguards children and adults at risk of abuse or neglect. The CCG has a statutory duty to be a member of Local Safeguarding Children Boards (LSCBs) and is expected to be fully engaged with local Safeguarding Adults Boards (SABs), working in partnership with local authorities to fulfil its safeguarding responsibilities.
  • Where a formal court order has been issued
  • Police investigations (in limited circumstances)

The CCG will collect information about you in order to respond to queries, enquiries or complaints you have raised and this applies to:

  • Visitors to our website
  • Complainants and other individuals.
  • People who use the CCG’s services.
  • Staff of the CCG

Visitors to our Website

When someone visits the CCG’s website, www.scarboroughryedaleccg.nhs.uk, information is collected in a standard internet log to enable the CCG to monitor how the website is used.  This is done to find out things such as the number of visitors to the various parts of the site.  This information is collected in a way that does not identify people who have visited our websites.

From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.

By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.

We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event the purpose has been met or when you no longer wish to continue your subscription.

Making a complaint to us

When we receive a complaint from anyone we will need to make up a file containing details of the complainant and the complaint they are making. How we use a complainant’s information to investigate a complaint is explained further on our Compliments and Complaints Page at: http://www.scarboroughryedaleccg.nhs.uk/contact/patient-relations-compliments-complaints-and-concerns/

Making a Freedom of Information Request & Environmental Information Regulations Requests

The Freedom of Information (FOI) Act gives you the right to ask any public sector organisation for all the recorded information they have on any subject. If your request is wholly or partly for “environmental information” the CCG will treat that part of your request as a request under the Environmental Information Regulations (EIR).
For further information on how to make an FOI or EIR request visit our Freedom of Information page at:


People who email us

Any email sent to the CCG, including any attachments, may be monitored and used by the CCG for reasons of security and for monitoring compliance with office policy.

Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

If you post or send offensive, inappropriate or objectionable content anywhere on www.scarboroughryedaleccg.nhs.uk or otherwise engage in disruptive behaviour on www.scarboroughryedaleccg.nhs.uk we may use whatever information is available to us, about you, to stop such behaviour.


As an NHS Employer the CCG needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid or provided with other services related to their employment.

For more details regarding how staff data is used please see the staff fair processing notice.

Information for Job Applicants

The CCG will process information provided by applicants for the management of their application and the subsequent selection process. This involves providing details provided by you on your application regarding your qualifications, skills and work experience, (but excluding your name, address and other personal data) to the short-listing and selection panels. After shortlisting full details provided by you on your application form will be provided to the interview panel. Details provided by you are also used to help fulfil our obligations to monitor equality and diversity within the organisation and process your application. You can find more information about the use of personal data throughout the application process from our business support providers, eMBED Health Consortium, at http://embedhealth.co.uk/ .

Information will be retained on interview performance and the application in line with the retention periods of NHS England.

National Fraud Initiative

NHS Scarborough and Ryedale CCG is required by law to protect the public funds it administers.  It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office is now responsible for carrying out the National Fraud Initiative. More information can be found here:


Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match.  This is usually personal information.  Computerised data matching allows potentially fraudulent claims and payments to be identified.  Where a match is found it indicates that there is an inconsistency that requires further investigation.  No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The Cabinet Office currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud.  We are required to provide particular sets of data for matching within each exercise, and these are set out in the guidance, which can be found by following the above link.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014.  It does not require the consent of the individuals concerned under the Data Protection Act 1998.

For specific details on the Cabinet Office National Fraud Initiative please follow the above link. Cabinet Office Fair Processing in relation to the initiative can be found here:


Keeping Information Secure and Confidential

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality and all staff are trained to keep information confidential and have contractual obligations in respect of confidentiality, which are enforceable through disciplinary procedures.  Information provided in confidence will only be used for the purposes advised and consented to by the patient, unless there are circumstances covered by the law.

The NHS Confidentiality Code of Conduct applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

We also have a duty to show that the systems and processes we use are secure and that legal agreements are put in place to maintain security.

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

At the moment, among others, we work with:

  • Scarborough Borough Council
  • North East of England Commissioning Support Unit (NECS); and
  • eMBED Health Consortium, who support the data gathering and processing across the Yorkshire and Humber area.

Use of Cookies

You can read more about how cookies work on the CCG website here

Your right to opt out

You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

NHS Digital provides a “Guide to confidentiality in health and social care” which you may find useful before deciding if you would like to opt out. This guidance states that:

  • Patients can object to information about them leaving general practice in identifiable form for purposes other than direct care, so confidential information about them will not be shared. This is called a Type 1 objection.
  • Patients can object to information about them leaving the HSCIC in identifiable form, so confidential information about them will not be made available by the HSCIC other than for purposes of direct care. This is called a Type 2 objection.

If you wish to exercise your right to opt out, please contact your GP surgery. Alternatively, to speak to somebody who will explain what impact this may have, please contact us at: SCRCCG.enquiries@nhs.net or telephone 01723 343691

There are some situations where an individual cannot opt out of their personal information being used; these are detailed in the CCG Statutory Purposes above.

Retaining Information

We will only retain information for as long as necessary. Records are maintained in line with the NHS records management code of practice for health and social care found on the NHS Digital website. This guidance covers many types of health record and specifies the length of time they should be kept for (the minimum retention period). http://systems.digital.nhs.uk/infogov/iga/resources/rmcop/index_html

All personal identifiable information is destroyed securely in accordance with the Data Protection Act.

Access to Personal Information
You have the right to see, or have a copy of, data we hold that can identify you, with some exceptions.  You do not need to give a reason to see your data. If we do hold any information about you we will:

  • Give you a description of that information
  • Tell you why we are holding it
  • Tell you who it could be disclosed to
  • Let you have a copy

If you want to access your data you must make the request in writing.  Under special circumstances, some information may be withheld.  To make a request to NHS Scarborough and Ryedale CCG for any personal information we may hold, you will need to put the request in writing and send it to:

SCRCCG.PatientRelations@nhs.net or

Subject Access Requests
NHS Scarborough and Ryedale Clinical Commissioning Group
Scarborough Town Hall York House
St Nicholas Street
YO11 2HG

Caldicott Guardian

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to appoint a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The CCG’s Caldicott Guardian is the CCG’s Executive Nurse and may be contacted as detailed below.

How to contact us.

If you want to request information about our privacy policy you can write to us at:

NHS Scarborough and Ryedale Clinical Commissioning Group
Scarborough Town Hall - York House
St Nicholas Street
YO11 2HG

or Email General Enquiries at: SCRCCG.enquiries@nhs.net

or Telephone 01723 343691

For independent advice about protection, privacy or data sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane

Phone: 08456 30 60 60 or 01625 54 57 45
Website: www.ico.gov.uk

Further Information

For further information regarding how the NHS uses your data and how it is protected see the following:

Changes to this Privacy Notice

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

This Privacy/Fair Processing Notice was last updated 16 September 2016