How We Use Your Information


Published September 2016

This privacy notice explains why we collect information about you, and how it may be used. It is Barnsley Clinical Commissioning Group’s duty to let you know this and to make you aware of your rights over your information.

What we do

Barnsley CCG is led by GPs who have been elected from its Membership Council (of which all GP Practices in Barnsley are members)  and is responsible for commissioning (buying) health services to meet the needs of our local community from relevant providers, for example hospital services, nursing in the community and mental health services. We ensure the care providers deliver is safe, of  high quality care and that they work together when they care for patients in common.

Why we may collect information about you and how we use it

  • We may use your information to pay GPs, care providers, dentists or hospitals for the care you receive. We may also use it to make sure you receive good quality care; to train and teach health and social care professionals; and for local auditing of NHS services and accounts.
  • NHS Rotherham CCG helps us check and process some of the payments we make for your care. We may share information that identifies you as an individual (identifiable data) such as your NHS Number, name, address and date of treatment to allow them to carry out the work on our behalf.
  • We may also use your personal information to investigate incidents and complaints. If you are unhappy with your care, having a record of what has happened means your concerns can be properly investigated.
  • The CCG may use your information to carry out Continuing Health Care (CHC) Assessments, to allow packages of care to be assessed, agreed and paid for; in regards to individuals whose care needs are primarily health related.

  • If you have been advised that a particular treatment or drug might be appropriate to you, but that treatment or drug is not normally funded, you can apply for funding via an Individualised Funding Request (IFR details on our website). Sometimes, to assess the request, we have to speak to the care providers about you.
  • We may investigate the causes of an infection, sometimes contagious, which may be risk to the public. We do not always need to ask for permission to access and share a person’s information if there is a wider risk to the public.

The CCG does not directly provide health care services and therefore does not routinely create or hold any clinical records about any individuals as it does not provide direct care. If you wish to have sight of your own personal health care records you will need to apply to your GP Practice, or the NHS Hospital or NHS organisation which provided your healthcare.

We have been granted an exemption under Section 251 of the NHS Act 2006 which allows us to process personal information for limited purposes including:

Understanding the local population needs and planning for future requirements, which is known as “Risk Stratification for Commissioning

Information from health and social care records is looked at by the CCG to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital visits, rather than wait for you to become more poorly. Only your GP/care team is able to see who actually requires additional help and there are strict rules in place to ensure this. Typically, we only use the NHS number or postcode to identify patients for this purpose

Ensuring that the CCG is billed accurately for the treatment of its patients, which is known as “Invoice Validation

Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may design a service where the payment is all or partly based on the providers ensuring the service user’s health improves. When processing invoices for payment of treatment or procedures you have received – information such as NHS number, name, address and date of treatment might be used by the CCG. Where this happens, these details are held within a secure environment and kept confidential; such information is only used to validate invoices and not shared for any other purpose

Section 251 was introduced because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.

We currently use the following organisation to help carry out this work:

North of England CSU (NECS)

EMBED Health Consortium

NHS Rotherham CCG

Continuing Health Care

In order for the CCG to provide these services they need to collect and keep a record of personal information about the person to whom the service is to be provided as well as those making an application on their behalf. This record may be either written down or held electronically on computer, these details may include: 

Basic details such as name, address, next of kin.

Details of health conditions, diagnostic tests, treatments and medications.

Information from other health care professionals and those who provide care.

Bank Account details to allow CHC care payments to made.

This information may be shared with other agencies involved in providing care or where required by law, for example with social services or for safeguarding purposes, however such information will only be shared with the appropriate consent or under a statutory legal requirement.

Planning and Improving Healthcare

The CCGs uses anonymised and pseudonymised patient information to design and commission care services across its area as well as to identify gaps in healthcare services.

  • Anonymised information is data about you, but from which you cannot be personally, individually identified
  • Pseudonymised information is where any identifiable information (e.g. names) have been removed and replaced with a unique code (to represent each individual) so that specific people cannot be easily identified from the remaining data. This code still allows information from several sources to be linked together and analysed, without seeing the identity of the patient. This de-identification and linking work is carried out by the Health and Social Care Information Centre (a public body granted additional legal rights to carry out the work).
  • Information across the following sources (national and local) may be used and linked to help manage the health and social care needs of Barnsley and its surrounding area.
  • Primary Care data. This information is extracted from individual GP practices
  • Providers Trusts (collected nationally): Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health
  • Provider Trusts (collected locally): other local patient level activity provided directly to the DSCRO (Data Services for Commissioners) hosted by NECS (North East of England Commissioning Support Unit)
  • Other datasets as agreed and approved by the Caldicott Guardian – e.g. social care activity data sets provided by the local council.

The CCG handles pseudonymised data as if it were sensitive personal data

Sharing information to improve your care

Health and social care organisations across Barnsley are improving the way they work together to give you better care and support. By encouraging the sharing of information and resources we can remove the barriers to providing joined up, effective care. Schemes such as I Heart Barnsley , Barnsley Care Navigation and Telehealth Service  and RightCare Barnsley are a result of this new integrated approach.

The health and social care professionals who provide you with your care maintain records about your health social care needs, including your previous treatment and care. These records allow them to assess your needs, decide what help or treatment is right for you and provide you with the best possible care. Your records may also include the following information:

  • Details about you, such as address, date of birth and next of kin
  • Any contact that we have had with you, e.g. appointments, clinic visits, emergency appointments, etc.
  • Notes reports and assessments about your health and social care needs
  • Details about your treatment and care
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you.

Different health and care professionals involved in your care may make their own notes, so you may have care records in different parts of the NHS and social care services.

Health and Social Care organisations across Barnsley are committed to working together to provide joined-up integrated care. To make sure this happens they may create joint records on your behalf or share your information to make sure they provide safe, effective care. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.  This may include when you need to see another doctor, be referred to a specialist or other health and social care provider.

You may receive care from other organisations as well as the NHS and Social Services.  We may need to share some information about you so we can all work together for your benefit. These partner organisations are listed in the section below called “Who are our partner organisations”.

We use a combination of working practices and technology to make sure that both your electronic and paper records are kept confidential and secure, this includes audit trails of who has accessed your records.

We along with a number of partner organisations in the region have signed up to a set of rules which cover how we can safely and legally share information and what agreements need to be in place. This is known as the Inter Agency Information Sharing Protocol.

Who are our partner organisations?

Where it is in your interest to do so and to support your care, we may share your information with:

  • NHS Trusts
  • General Practitioners (GPs)
  • Local Authorities (including Social Care and Education Services)
  • Ambulance Trusts
  • Clinical Commissioning Groups (CCGs)
  • ‘Data processors’ working on behalf of the NHS and Local Authorities, including:

    - eMBED Health Consortium
    - North East of England Commissioning Support Unit (NECS)
  • Private Sector Providers.

When we are required to by law, or under limited circumstances subject to strict agreements on its use, we may share your information with the following organisations:

  • Voluntary Sector Providers working on behalf of or with the NHS and Local Authorities
  • Independent Contractors such as dentists, opticians, pharmacists
  • Governmental Regulators
  • Fire and Rescue Services
  • Police Services.

More Information on Sharing

Your anonymised information may also be used to help us:

  • Look after the health of the wider public
  • Audit NHS accounts and services
  • Investigate complaints, legal claims or untoward incidents
  • Make sure our services can meet service user and carer needs in the future
  • Prepare statistics on NHS performance
  • Review the care we provide to ensure it is of the highest standard
  • Teach and train health and social care professionals
  • Conduct health research and development.

Where we use your information to gather statistics we will make sure that you cannot be identified from this information and that all individuals remain anonymous.

We may give anonymous statistical information to organisations with a legitimate interest, including universities, community safety units and research institutions.

Where there is a request to use your personal confidential data, such as for research purposes this will only be approved after getting your consent.

Ways we may communicate with you

Health and Social Care organisations may need to contact you for a variety of reasons including to:

  • Offer you a new appointment or alter an existing one
  • Send you a reminder of an existing appointment
  • Arrange for transport to be provided
  • Ask your opinion of our services
  • Tell you about other health and social care services (such as Flu Jabs).

Our standard way to contact you is by letter or telephone.  We may also use automated telephone calls, emails, SMS text messaging and where appropriate, social media. If you do not wish to be contacted by any of these other methods please let us know.

Keeping your information private

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998, Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

Every member of staff who works for an NHS organisation or Social Services has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation or Social Services, or processes it on their behalf, has a legal and contractual duty to keep it confidential.

We will not share your information with third parties without your consent unless there are exceptional circumstances, such as when or the health and safety of you or others is at risk, to protect the health and wellbeing of children and vulnerable adults, or where or where the law requires information to be passed on.

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for NHS Barnsley CCG is Brigid Reid – Chief Nurse.

Accessing Your Own Information

The Data Protection Act allows you to access information that is held about you, and you are able to either view or receive copies of records held in electronic or paper format.

This is known as the "right of subject access".  It applies to all your records held by us.  If you want to review your records you should make a request to your care team, or where you are being or have been treated. To receive a copy of your information held by the CCG please email or write to us using the details on our contact us page.

You are entitled to receive a copy of your information but should note that a charge will usually be made.  In special circumstances your right to see some details in your health records may be limited, to protect you and others mentioned in your records from harm, and to maintain the confidentiality of others.

The CCG’s Use of Your Information.. Your Right To Opt-Out or Withdraw Consent

You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

In addition you may at any time withdraw any consent you may have previously given the CCG to process information about you.

The possible consequences will be fully explained to you and could include problems and delays in identifying and providing the most appropriate care.

If you wish to exercise your right to opt-out, withdraw consent to use your information, or to speak to somebody to understand what impact this may have, if any, please contact your health care provider directly or contact the CCG via using ‘Opt Out Request’ in the subject line of the email.

Opt-Out (Stopping) Information About You Across The NHS Being Used Outside Of Direct Care

If you do not want the NHS to use information about you, collected by your GP or other parts of the NHS, then you can opt-out by completing an opt-out form and returning it to your GP practice. There two different types or levels of opt-out available:

  • A Type 1 opt-out prevents information about you held by your GP, from being shared with others for reasons other than direct care.
  • A Type 2 opt-out prevents information collected by NHS digital from hospitals and community care services, from being shared with others for reasons other than direct care.

Depending on the type of opt out you may choose, this will prevent your information being shared outside of your GP practice or NHS Digital for purposes beyond your direct care (except in special circumstances allowed by law, such as when there is a public health emergency or safeguarding issue). More information about these opt-out types is available from NHS Digital.

The possible consequences of opting-out will be fully explained to you and could include problems and delays in identifying and providing the most appropriate care or making additional care resources available.

How Long Do You Hold Confidential Information For?

All records held by the CCG will be kept for the duration specified by national NHS guidance (see  Records Management Code of Practice for Health and Social Care 2016 Retention Schedule for further information).  At the end of the retention period, data will be reviewed as to whether it can then be securely destroyed. When destroying records the CCG will do so in line with the Records Management Code of Practice for Health and Social Care 2016.


The CCG as an employer needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the CCG complies with employment law, and to provide other services related to their employment. All NHS employment contracts include a requirement to uphold patient confidentiality.

National Fraud Initiative

This organisation is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Data matching by the Cabinet Office is subject to a Code of Practice.

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. For further information on data matching at the CCG please use the “Contact Us” section below.

Declarations of Interests, Gifts, and Hospitality

The CCG is required to maintain and publish on it website registers of interests, gifts and hospitality for all staff of the CCG, as well as its Members, Governing Body and Committee Members.

In exceptional circumstances, where the public disclosure of information could lead to a real risk of harm or is prohibited by law, a person’s name or other information may be withheld from the published registers. If you feel that substantial damage or distress may be caused to you or somebody else by the publication of information in the registers, you are entitled to request that the information is not published. Such requests must be made in writing to the CCG or via the contact us  page.


If you wish to make a complaint about how we handle your information, please contact us through our comments, compliments and complaints page.

When we receive a complaint from anyone we will need to make up a file containing details of the complainant and the complaint they are making.

Data protection officer - Queries regarding data protection issues

New legislation (General Data Protection Regulation and Data Protection Act 2018) mandates that the CCG appoint a Data Protection Officer (DPO).  This is because we are a public body.

The DPO will assist us to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects (members of the public and employees) where there are concerns or queries regarding Data Protection.  The DPO will also act as a contact point for communication with the Information Commissioner’s Office.

The CCG has appointed a shared service to deliver the DPO role provided by eMBED Health Consortium

If you wish to contact the DPO then please use the following contact details stating in the heading which organisation you are enquiring about:

Information Commissioner’s Office - ICO

Under the Data Protection Act 1998 the CCG is required to register with the Information Commissioners Office detailing all purposes for which personal identifiable data is collected, held and processed. The Information Commissioners Office maintains a public register of organisations that process personal identifiable data.

The NHS Barnsley Clinical Commissioning Group’s registration number is Z3516383.

Our registration can be viewed here:

For independent advice about protection, privacy or data sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane

Phone: 08456 30 60 60 0r 01625 54 57 45


This is a printable version of