Dorset Clinical Commissioning Group

Using your information

Fair Processing Notice

NHS Dorset Clinical Commissioning Group (CCG);

Vespasian House, Barrack Road, Dorchester, DT1 1TB

What we do

NHS Dorset CCG is responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers such as hospitals and GP practices for our local Dorset population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on services offered.

How we use your information

We hold some information about you and this fair processing notice outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this.

What kind of information do we use?

We use the following types of information/data:

  • identifiable - containing details that identify individuals;
  • pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code;
  • anonymised - about individuals but with identifying details removed;
  • aggregated - anonymised information grouped together so that it doesn't identify individuals.

What do we use anonymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

  • check the quality and efficiency of the health services we commission;
  • prepare performance reports on the services we commission;
  • work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
  • review the care being provided to make sure it is of the highest standard.

What do we use your sensitive and personal information for?

We can only use information that may identify individuals (known as personal information) in accordance with the Data Protection Act 1998 and other laws such as the Health and Social Care Act 2012.

We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.

As a CCG we do not routinely hold medical records or confidential patient data. There are some limited exceptions where we may hold and use sensitive personal information about you. For example Dorset CCG is required by law to perform certain services that involve the processing of sensitive personal information. In order to process that information we will use only the minimum data allowed.

The areas where we regularly use sensitive personal information include:

Individual Funding Requests

A process where you or your GP can request special treatments that are not routinely funded by the NHS.

Legal Basis

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and will gain your explicit consent.

Continuing Healthcare Assessments

A package of care for those with complex medical needs, and appeals.

Legal Basis

The information that we need to collect and process in order for us to assess your needs and commission your care will be explained to you. The explicit consent of you, or your legal representative, will be obtained to process your information.

Responding to Complaints/Queries

To process your personal information if it relates to a query or a complaint where you have asked for our help and/or involvement.

Legal Basis

We will need your explicit consent to process your query or complaint.

We usually have to disclose the complainant’s identity to whoever the complaint is about in order to investigate and respond. If a complainant does not want information identifying him/her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.  

Safeguarding - assessment and evaluation of concerns

We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns. 

Legal Basis

Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we rely on a statutory basis rather than consent to process information for this use.

Investigate legal claims or adverse incidents

We will collect and process identifiable information where we need to assess and evaluate any legal claim or adverse incident.

Legal Basis

We rely on a statutory basis rather than consent to process information for this use.

Risk Stratification for Commissioning

A process for understanding local population needs and planning for future requirements.

Legal Basis

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.

Invoice Validation

A small amount of information that could identify you, mainly the NHS Number, is used within a special secure area within the Finance Directorate, known as a Controlled Environment for Finance (CEfF), so that the organisations that have provided care for you can be paid.

Legal Basis

Dorset CCG is an accredited Controlled Environment for Finance (CEfF) which enables us to process patient identifiable information without consent for the purposes of invoice validation.

Commissioning Purposes

To monitor access to services, waiting times and particular aspects of care.

Legal Basis

Our legal basis for collecting and processing information for this purpose is through the ASH accreditation process, supported by s251 of the NHS Act 2006 obtained by NHS England.

Hospitals and community organisations that provide NHS-funded care must submit certain information to the Health and Social Care Information Centre (HSCIC) about services provided to our service users. This information is generally known as commissioning datasets. Dorset CCG obtains these datasets from NHS Digital (HSCIC), via a DSCRO, and they relate to service users registered with GP Practices that are members of the CCG.

These datasets include data from a variety of sources listed below:

  • Secondary Uses Services (SUS), this includes secondary care, community care and mental health providers in an inpatient, outpatient and emergency department setting.
  • National Datasets for community and mental health services, including Mental Health Minimum Dataset, Children and Young People Minimum Dataset, Maternity.

The data we receive does not include patients’ names, dates of birth or home addresses, but may include information such as your NHS number, partial postcode (first 4 digits only), age, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. 

In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc., as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. 

When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity, as the CCG does not have any access to patient identifiable data.

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Legal Basis

We obtain your consent for this purpose.

National Fraud Initiative

Protection of Public Funds

Legal Basis

NHS Dorset CCG is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out the National Fraud Initiative. More information can be found online.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The Cabinet Office requires us to participate in any data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data for matching within each exercise, and these are set out in the guidance, which can be found by following the above link.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Specific details on the Cabinet Office National Fraud Initiative can be found online.

Sensitive personal information may also be used in the following cases:

  • the information is necessary for your direct healthcare;
  • responding to communication from patients, carers or Members of Parliament;
  • you have freely given your informed agreement (consent) for us to use your information for a specific purpose;
  • conduct research approved by the Local Research Ethics Committee (with your consent);
  • for the health and safety of others, for example to report an infectious disease such as meningitis or measles;
  • there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).


Dorset CCG is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, you can be assured that it will only be used in accordance with this privacy statement.

You may choose to restrict the collection or use of your personal information in the following ways:

  • Information you supply using any electronic form(s) on this website will only be used for the purpose(s) stated on the form.
  • whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
  • if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at

Information you provide in emails to us will only be used for the purpose (which we reasonably believe) that you give it to us for.

Data Processors

We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Currently, the external data processors we work with, and the functions that they carry out on our behalf, include (amongst others):

Data Processor


South Central Commissioning Support Unit

Provision of core DCS services for the Business Intelligence and Commissioning function


Internal Audit related purposes


Claims Management

NHS Shared Business Service


Dorset Healthcare University NHS Foundation Trust

Staff Payroll


Legal Services

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law allows some NHS bodies, particularly NHS Digital (Health and Social Care Information Centre), to collect and use patient data, which does not identify a person, to help Commissioners to design and procure the combination of services that best suit the population they serve.

We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out.

What is the patient opt-out?

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".

There are several forms of opt-out available at different levels. These include, for example:

Information directly collected by the CCG

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, as long as there is no overriding legal obligation. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact Joyce Green, Data Protection Officer via


By phone: 01305 361252

Information not directly collected by the CCG, but collected by organisations that provide NHS services.

Type 1 opt-out

If you do not want personal confidential data (information that identifies you) to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Records for patients who have registered a type 1 opt-out will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.

Type 2 opt-out

NHS Digital (HSCIC) collects information from a range of places where people receive care, such as hospitals and community services.

To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care. This is known as the 'Type 2 opt-out'.

If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.

Patients are only able to register the opt-out at their GP practice.

Further Information and Support about Type 2 opt-outs

For further information and support relating to type 2 opt-outs please contact NHS Digital at  referencing 'Type 2 opt-outs - Data requests' in the subject line; or

by phone on (0300) 303 5678 or;  

visit the website

What are your rights?

Where information from which you can be identified is held, you have the right to ask to:

  • view this or request copies of the records by making a subject access request (see below);
  • have the information updated where it is no longer accurate;
  • ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive.

How you can access your own information (Subject Access Request)

The Data Protection Act 1998 allows you to find out what information about you is held on computer and in certain manual records.  This is known as “right of subject access” and applies to personal information held about you.

Dorset CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of, your own personal health care records you will need to apply to your GP Practice, the hospital or NHS Organisation which provided your health care.

If you want to see the information about you that the CCG holds you will need to make a written request to the CCG.  You are entitled to receive a copy subject to certain exemptions, usually within 40 days of receipt of your request, but should note that a charge will usually be made. 

Please be aware, however, that in certain circumstances your right to see some details in your records might be limited, in your own interest or for other reasons.  If you would like to find out more about accessing your personal information please contact the Information Governance Team on or via the postal address at the end of this notice.

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. 

Everyone working in, or for, the NHS Dorset CCG must use personal information in a secure and confidential way.  We are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are mandated to attend annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

The CCG has an Executive Director responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian and the contact details are Sally Shead, Director of Nursing and Quality via:


By phone: 01305 368070

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by Dorset CCG).

How long do you hold confidential information for?

All records held by Dorset CCG will be kept for the duration specified by national guidance from the Department of Health, NHS Records Management Code of Practice.  

Freedom of Information Act

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that Dorset CCG holds, that does not fall under an exemption. You may not ask for personal and/or sensitive information that is covered by the Data Protection Act.

How do I make a request for information?

Your request must be in writing and can be either posted or emailed to Dorset CCG. 

For postal requests, please send to the Freedom of Information Team at the address below. For emailed requests please use

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745


Visit the ICO website. 

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice will be reviewed again in April 2017 or as any changes in legislation require.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

This privacy notice does not provide exhaustive detail of all aspects of NHS Dorset CCG’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

Please contact: Joyce Green, Data Protection Officer at or via the following postal address

Contact Details

NHS Dorset Clinical Commissioning Group (CCG);

Vespasian House,

Barrack Road,

Dorchester, DT1 1TB

Further information

Further information about the way in which the NHS uses personal confidential data can be found at

NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how we look after information for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.

A Guide to Confidentiality in Health and Social Care 

The Information Governance Review 2013

NHS Constitution

NHS Care Record Guarantee