What types of personal information do we process

We process personal information to enable us to run the CCG to support the provision of services to the population of Dorset.

The types of personal information we use include:

  • personal details such as names, addresses, email addresses, telephone numbers, dates of birth;

  • details about family, lifestyle and social circumstances;

  • employment and education details;

  • visual images, personal appearance and behaviour;

  • details of how you use our website, and where you have accessed it from;

  • details of how you interact with us on social media;

  • details of when you contact us and when we contact you (including voice recordings of telephone calls and copies of written communications such as emails or letters);

  • CCTV images, which are used for building security;

  • any consents you have given us in relation to the processing of your information;

  • physical or mental health details in relation to requests for access to our services. Such information requires special protection by law – we will always explain what information we require and why it is needed when collecting this information. It will always be processed and stored securely;

  • details of your use of services offered by us.

Where we collect personal information from

We may collect your personal information from the following sources:

Personal information you give to us:

  • when you contact the CCG (for example by phone, email or letter);

  • in customer surveys or any other research activity we may conduct with you;

  • when you use our services;

  • when you update your personal information using our website, or by emailing or telephoning us.

Personal information gathered from our website:

  • when you use or access our website.

For more information about our use of your personal information through our website (including cookies), read our privacy policy.

Personal information from third parties that we work with:

  • details of staff payments from our payroll service provider;

  • details obtained from social media;

  • details obtained from other health and social care organisations;

  • potential employee recruitment details;

  • details obtained from cookies on third-party websites (please read our privacy policy);

  • details relating to internal audit investigations;

  • details relating to counter fraud investigations;

  • details of individual cases from legal authorities that we may work with.

Why do we process your information

We process personal information to enable us to:

  • provide health services to our patients;

  • maintain our accounts and records;

  • promote our services;

  • undertake research;

  • support and manage our employees.

Who we process information about

We process personal information about:

  • patients;

  • members of the public;

  • staff;

  • suppliers and service providers;

  • survey respondents;

  • business contacts;

  • professional experts and consultants;

  • offenders and suspected offenders.

What do we use your information for

We use your information to plan health care services. Specifically we use it to:

  • check the quality and efficiency of the health services we commission;

  • prepare performance reports on the services we commission;

  • work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;

  • review the care being provided to ensure it is of the highest standard.

What information do we process and what is the legal basis

Classes of information processed

We process information relevant to the reasons/purposes outlined above. This information may include:

  • personal details;

  • family, lifestyle and social circumstances;

  • goods and services;

  • financial details;

  • employment and education details;

  • visual images – personal appearance.

As a CCG, we do not routinely hold medical records.

Format of information processed

We use information in the following formats:

  • identifiable – containing details that identify individuals (such as name, address, NHS number, postcode, date of birth);

  • pseudonymised – about individuals but with identifying details (such as name or NHS number) replaced with a unique code;

  • anonymised – about individuals but with all identifying details removed to prevent identification of the individuals;

  • aggregated – statistical, anonymised information about individuals that has been grouped together to show general trends without identifying individuals.

Special category information (sensitive)

There are some limited exceptions where we may hold and use sensitive personal information about you that may include:

  • physical and mental health details;

  • sexual life;

  • racial or ethnic origin;

  • trade union membership;

  • religious or other beliefs of a similar nature;

  • offences and alleged offences.

For example, the CCG is required by law to perform certain services that involve the processing of sensitive personal information.

Specific purposes for use of special category personal information

The specific areas where we regularly use sensitive personal information include:

Responding to complaints/queries
Purpose and details of activity: To process your personal information if it relates to a query or complaint where you have asked for our help or involvement, and to monitor the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about in order to investigate and respond. If a complainant does not want identifiable information to be disclosed, we will try and respect that. However, it may not be possible to handle a complaint on an anonymous basis.
Source of information: Data subject, primary care, secondary care, community care
Lawful basis for use: Explicit consent. Before we can respond to your complaint, our Complaints Officer will obtain your explicit consent to investigate the complaint.


Continuing healthcare (CHC) applications
Purpose and details of activity: To process your personal information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs), or where you have decided to appeal against a funding decision we have made. This is a national process using standard information collection tools. We will use the information you provide and may request further information from other care providers to identify eligibility for funding. If agreed, arrangements will be made to provide and pay for the agreed funding packages with appointed care providers.
Source of information: Data subject/family members/legal representative, primary care, secondary care, local authority, community care
Lawful basis for use: Explicit consent. Your initial assessment will be carried out by a clinical professional who will obtain your explicit consent before your application can be processed.



Individual funding requests
Purpose and details of activity: To make an assessment for funding eligibility where you or your GP have requested special treatments that are not routinely funded by the NHS.
Source of information: Data subject, primary care and secondary care
Lawful basis for use: Explicit consent. The clinical professional who first identifies that you may need the treatment will obtain your explicit consent and will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care.



Safeguarding assessment and evaluation of concerns
Purpose and details of activity: To provide advice and guidance to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. This may mean accessing identifiable information in limited circumstances where it is required for the safety of the individuals concerned.
Source of information: Primary care, secondary care, community care, member of the public or staff member
Lawful basis for use: Statutory legal obligation:
• Care Act 2012;
• Data Protection Act 2018, Amendment 85



Patient and public involvement
Purpose and details of activity: To process your information where you have asked us to keep you regularly informed and up to date on the work of the CCG, or if you are actively involved in our engagement and consultation activities or patient participation groups.
Source of information: Data subject
Lawful basis for use: Explicit consent. We will ask for your consent before collecting and storing your contact details. You will be able to change your mind at any time by writing to us at the address provided or emailing us.



Post-infection reviews
Purpose and details of activity: CCGs collaborate closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to, a patient’s infection.
CCGs lead the post infection reviews in accordance with the circumstances set out in the Post Infection Review Guidance, issued by NHS England. They will then use the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system.
Source of information: Primary care, secondary care, community care
Lawful basis for use: Statutory legal obligation:
• Health and Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015)
• Section 251* NHS Act 2006



Incident management
Purpose and details of activity: CCGs are accountable for effective governance and learning from all serious incidents, and work closely with all staff and with provider organisations to ensure that all serious incidents are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners, as well as providers, should have a primary responsibility for ensuring quality.
Source of information: Primary care, secondary care, community care
Lawful basis for use: Statutory legal obligation:
• Serious Incident Framework 2015



Supporting medicines management and optimisation
Purpose and details of activity: CCG pharmacists work with GP practices to provide advice on medicines and prescribing queries, and to review prescribing of medicines to ensure that it is safe and cost-effective. The NHS number is used by our pharmacists in order to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded. CCG pharmacists will also work with the risk team to provide advice on drug related deaths.
Source of information: Primary care, secondary care, community care
Lawful basis for use: Statutory legal obligation:
• Misuse of Drugs Act 1971, amended 2012
• Medicines Act 1968
• Human Medicines Regulations 2012

Explicit consent. Where a request is made for a high cost drug which is not routinely funded, consent will be obtained on a case by case basis in order to assess your needs and reach a funding decision.



Risk stratification for commissioning
Purpose and details of activity: Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems. Your GP or staff within your GP Practice who are responsible for providing your care can see information that identifies you, but CCG staff will only be able to see information in a format that does not reveal your identity.

NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions. Knowledge of the risk profile of our population helps the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices. NHS Dorset CCG does not currently use risk stratification tools, but may at some point in the future.

Source of information: Primary care, secondary care and community care
Lawful basis for use: Statutory legal obligation:
• Section 251* NHS Act 2006.



Invoice validation
Purpose and details of activity: Before paying an invoice for healthcare treatment, we will need to be sure that we, and not another CCG, are responsible for your treatment costs as well as checking to ensure that the amount that is being billed for is correct. This process is known as invoice validation. We use the NHS number within a special secure area known as a Controlled Environment for Finance (CEfF) to validate the invoices, so that the organisations that have provided care for you can be paid.
Source of information: Primary care, secondary care, commissioned services, NHS Digital, South Central and West Commissioning Support Unit (CSU)
Lawful basis for use: Statutory legal obligation:
• Section 251* NHS Act 2006. CAG approval for invoice validation has been granted until the end of September 2018 (ref CAG7-07 [A-C]/2013).
• NHS Constitution (Health and Social Care Act 2012)



Commissioning activities using secondary uses services (SUS) data
Purpose and details of activity: Hospitals and community organisations that provide NHS funded care must submit certain information to NHS Digital about services provided to our service users. This information is generally known as commissioning datasets. Dorset CCG obtains these datasets from NHS Digital via a DSCRO and they relate to service users registered with GP Practices that are members of the CCG.

These datasets include data from a variety of sources listed below:

• Secondary Uses Services (SUS), this includes secondary care, community care and mental health providers in an inpatient, outpatient and emergency department setting;
• National Datasets for community and mental health services. Including mental health minimum dataset, children and young people minimum dataset, maternity.

The data we receive does not include patients’ names, dates of birth or home addresses, but may include information such as your NHS number.

When analysing current health services and proposals for developing future services, it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation.

In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc. as well as mental health and community based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

Source of information: NHS Digital via South Central and West Commissioning Support Unit
Lawful basis for use: The processing is necessary for the performance of a task carried out in the exercise of official authority of the CCG. You can choose to opt-out of your personal information being used for secondary uses such as planning of health services by accessing the following link:



National Fraud Initiative
Purpose and details of activity: NHS Dorset CCG is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. The Cabinet Office is responsible for carrying out the National Fraud Initiative and requires the CCG to participate in any data matching exercise to assist in the prevention and detection of fraud.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Source of information: National Fraud Initiative team at the Cabinet Office
Lawful basis for use: Part 6 of Local Audit and Accountability Act 2014



Processing staff information
Purpose and details of activity: To process potential and existing employee information for the purpose of staff recruitment, payroll and pension.
To process employee information for the purposes of employee relations, including the use of employee photographs for identification purposes, monitoring staff performance through appraisals and personal development reviews, monitoring training records, managing absence and sickness and ensuring fitness to return to work.
Source of information: Data subject, recruitment agencies, occupational health
Lawful basis for use: Performance of a contract: we need to share your personal data with our payroll provider in order to fulfil the employment contract and pay employees for work undertaken.

Statutory legal obligation: we are legally required to auto-enrol eligible employees into our pension scheme. Additionally, we are required to process some employee data under employment law, health and safety legislation and tax legislation.

Explicit consent. We will ask for your consent before collecting and storing your personal details or photographs and you will be provided with a privacy notice explaining why we need to collect your information.

*Section 251

Section 251 of the NHS Act 2006 provides a mechanism which can enable the use of confidential information for certain purposes that would otherwise be unlawful, through an application made to the Confidentiality Advisory Group (CAG).

The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority and the Secretary of State for Health on whether an application to process patient information without consent should be approved. The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006. This includes medical research and the management of health and social care services. Where consent has been used, you can change your mind at any time and write to us at

If you choose not to give us your personal information

We may need to collect personal information by law, or under the terms of a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. We will notify you if your choice not to give personal information to us would result in a delay or prevent us from meeting our obligations.