How the CCG uses patient information

What you need to know - Fair Processing Notice

In this section:

Who we are and what we do at Barnet CCG

What kinds of information does the CCG use

How your records are used by the CCG

When your information might be shared with other organisations

What safeguards are in place

What are your rights

Access to more information

Who we are and what we do

Barnet Clinical Commissioning Group (BCCG) is the local membership organisation led by family doctors that is responsible for planning and paying for healthcare services. 

We do not provide healthcare. Our role is to commission appropriate NHS care for the people of Barnet.   This process involves planning, buying and monitoring health services from healthcare providers such as hospitals and GP practices for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients about services offered. Further information is available on the Welcome page in the about us section.   

In carrying out some of these roles we may collect information about you which helps us respond to your queries or secure specialist services. Our CCG receives some information about you and this guidance outlines: 

  • How that information is used
  • Who we may share that information with
  • How we keep your information secure (confidential)
  • What your rights are in relation to the information the CCG uses about you

What kinds of information we use

The information that we use at Barnet CCG may be: 

Identifiable information – containing details that identify individuals. We may use personal information about you such as your name and address or other times we use more sensitive information about your health. 

The CCG only has access to identifiable information where a legal basis exists to hold that information. These are outlined in the How your records are used by the CCG section of this guidance. 

Pseudonymised information – about individuals but identifying details (such as name or NHS number) replaced with unique code. This information format allows data to be linked (without directly identifying individuals) to give the CCG a better understanding of healthcare needs in order to plan for the future. 

Anonymised information – about individuals but with identifying details removed and so cannot be tracked back to you. This information is used to plan health care services. Specifically, it is used to: 

  • Check the quality and efficiency of the health services that Barnet CCG commissions
  • Prepare performance reports on the services commissioned
  • Work what illnesses people will have in the future, so the CCG can plan and prioritise services and ensure these meet the needs of patients in the future.
  • Review the care being provided to make sure it is of the highest standard 

Aggregated information – anonymised information grouped together so that it cannot easily be put back together in order to identify individuals. 

Barnet CCG’s use of your information is in line with the purposes outlined in our registration (reference number is ZA008464) with the Information Commissioners Office.

 return to the top

How your records are used by Barnet CCG

Analysis (see also risk stratification)

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development, monitor NHS performance, to help the NHS plan for the future.


If you have a complaint about the CCG or a service that we commission, we will use your information to communicate with you and to investigate any complaint if it’s the responsibility of the CCG. See our complaints section for more information.

Handling continuing healthcare (CHC) applications

If you make an application for CHC funding the CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.

Handling individual funding requests (IFR) applications

If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, the CCG will use the information you provide and, where needed, request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.

Paying for services

Where care is provided that the CCG is responsible for, it will need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances, information to confirm that you are registered at a GP within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance. 

The validation of invoices is undertaken within a controlled environment for finance within our service supplier organisation: North East London Commissioning Support Unit (an NHS organisation). Your information would be used to ensure that the CCG is paying for treatments relating to its patients only. The dedicated team receives patient level information direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. 

The invoice validation process supports the delivery of patient care across the NHS and as such operates under a Section 251 approval to use information that can identify you such as NHS number, name, Date of birth. The CCG does not receive or see any patient level information relating to these invoices.

Risk Stratification (see also Analysis)

The NHS Barnet CCG Risk Stratification Programme incorporates the services of the Barnet Integrated Locality Team (BILT), hosted by Central London Community Healthcare Trust working to support General Practices. This is a small dedicated team of staff who will support GP Practices with risk stratification.  Where approval is granted by a General Practice, BILT will have access to the risk stratification tool and will support the General Practice in identifying patients at high risk of readmission.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.  

There is currently Section 251 support in place to allow the CCG’s risk stratification tool to receive and link identifiable (using NHS Number) patient information from NHS Digital and from local GP Practices. The risk stratification tool then:

Provides the CCG with anonymised or aggregated data which we use to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.

ThIs used by GPs to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing such as Type 2 diabetes. This is called risk stratification for case-finding. 

GPs are able to identify individual patients from the risk stratified data when it is necessary discuss outcomes and consider preventative care. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. from another health care provider, the GP will ask for your permission to access the details of that information.


Advice and guidance will be provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. 

Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Supporting medicines management

CCGs support local GP practices with prescribing queries that generally don’t require identifiable information. 

Where specialist support is required for example to order a drug that comes in solid form in gas or liquid, the medicines management team will order this on behalf of a GP to support your care.

 When your information might be shared with other organisations

Barnet CCG commissions a number of organisations (both within the NHS and outside of the NHS) to provide healthcare services to you. We may also share anonymised statistical information with providers for the purposes of improving local services, for example to understand how health conditions spread across our local area when compared against other areas. 

Where information sharing is required with third parties, we will always have a relevant contract and data sharing agreement in place. We would not share any detailed health information without your explicit consent unless there are exceptional circumstances such as when the health and safety of others is at risk, to prevent fraud, protect children and vulnerable adults from harm or where the law requires it (a formal court order has been serves requiring us to do so). 

In these cases, permission to share must be given by our Caldicott Guardian, who is the senior person in the CCG responsible for ensuring the protection of confidential patient and service user information. We are obliged to tell you that we have shared your information unless doing so would put you or others at risk of harm.  

The law provides some NHS bodies, particularly NHS Digital, with permission to collect and use patient data to help commissioners to design and procure the combination of services that best suit the population that they serve. The patient data that is supplied is not in a form that will identify you. 

return to the top

What safeguards are in place

The CCG only uses information that may identify you in accordance with the Data Protection Act 1998. This requires that we process personal data only if there is a legitimate basis for doing so and that any such processing is fair and lawful.

Confidentiality and security of information

Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

Barnet CCG, working with our service provider, North East London Commissioning Services Unit (NELCSU), ensure that information is held in secure locations with restricted access to authorised persons only. We protect any personal information that is held on our systems with encryption so that it cannot be accessed by those who do not have access rights


Barnet CCG has an executive director who is responsible for protecting the confidentiality of patient information. This person is known as the Caldicott GuardianHelen Donovan is the Barnet CCG Caldicott Guardian.  


Barnet CCG is registered with the Information Commissioners Office (ICO) as a data controller to collect information (data) for a variety of purposes. A copy of the registration is available through the ICO website (search by CCG name).

Retention and destruction of records

All records held by Barnet CCG will be kept for the duration specified by National guidance from the Department of Health, NHS Records Management Code of Practice

The NHS Care Record Guarantee is a commitment that all NHS organisations (and other organisations which provide NHS-funded care) will use your records in ways that respect your rights and promote your health and wellbeing.  

The NHS Constitution establishes the principles and values of the NHS in England. It provides a summary of your legal rights and contains pledges that the NHS is committed to achieve, including certain rights and pledges concerning your privacy and confidentiality.

return to the top

What are your rights

Gaining access to the data we hold about you

The CCG does not directly provide healthcare services and as such does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal healthcare records you will need to apply to your GP Practice, the hospital or the NHS organisation which provided your healthcare. 

Everyone has the right to see, or receive a copy of information held that can identify them, with some exceptions. You do not need to give a reason to see your information, but you may be charged a fee.

Access to your information held by the CCG

Under the Data Protection Act 1998 you have the general right to see or be given a copy of personal data held about you. This right can be exercised via submission of a Subject Access Request (SAR) to the NHS Barnet CCG. We are able to charge a reasonable fee for the administration of the request however these fees are set down in law as follows:

We may charge up to £10 for complying with a SAR relating to records if the information is only held electronically or up to £50 if those records are held either wholly or partly in non-electronic form. To make a SAR please contact:

Information Governance Team
North and East London Commissioning Support Unit
Clifton House, 75-77 Worship Street, London EC2A 2DU

Your right to opt-out of information sharing

Barnet CCG will not publish any information that identifies you or routinely disclose any information about you without your express permission. 

At any time, you have the right to opt out (refuse) of information sharing. There are two types of opt-out that you can make. There are two choices available to you:  

  • You can object to information about you leaving a GP Practice in an identifiable form for purposes other than your direct care, which means confidential information about you will not be shared with the CCG, NHS Digital or other organisation for any non-direct care purpose. This is referred to as a 'type 1' objection. 
  • You can object to information about you leaving NHS Digital in identifiable form, which means confidential information about you will not be sent to anyone outside the This is referred to as a 'type 2' objection. 

Information from other places where you receive care, such as hospitals and community services is collected nationally by NHS Digital.  

If you do not want information that identifies you to be shared outside your GP practice and/or with NHS Digital, please speak to a member of staff at your GP practice to ask how to “opt- out”.  

The Practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or public health emergency.  

In both cases, it is still necessary for NHS Digital to hold information about you in order to ensure data is managed in accordance with your expressed wishes. Please see Patient Objections Management on the HSCIC website for further information. 

If you have questions about this, please speak to staff at your GP practice or NHS Digital’s dedicated patient information line on 0300 456 3531.

Withdrawing your consent

If you have already given consent for your information to be shared, you have the right to change your mind and withdraw this consent at any time. The possible consequences will be fully explained to you, such as potential delays in receiving care where a CCG is required to make a funding decision. 

If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. 

There may be circumstances where we are required to share information about you owing to a legal obligation, such as for the benefit of public health in the event of a pandemic. Anyone who receives information from us is also under a legal duty to keep this information confidential.

Complaints / Appeals about information use

In the event that you believe that Barnet CCG has not complied with the Data Protection Act, either in responding to a Subject Access Request or in the way we have processed your personal information, you have the right to make a complaint by contacting our complaints team.

You can make a complaint in writing, by email, over the telephone or in person. Your complaint should be made as soon as possible. 

If you have a complaint about a primary care service such as a GP, dentist, pharmacist or optometrist, then in the first instance you should contact them directly.

If your comment or complaint cannot be resolved locally then you can escalate it with NHS England

For independent advice about data protection, privacy, data sharing issues and your rights you can contact the Information Commissioner's Office in writing to the following address:

Information Commissioners Office
Wycliffe House, Water Lane,
Wilsmlow, Cheshire SK9 5AF

Enquiry Line: 0303 123 1113 (local rate) or 01625 545700
Email: Website:

Access to more information

Below are links to more information about your rights and the ways that the NHS uses personal information: 

The Health and Social Care Information Centre (HSCIC) Guide to confidentiality in health and social care. 

The Confidentiality Advisory Group, who approve Section 251 applications and provide independent expert advice to the HRA (for research applications) and the Secretary of State for Health (for non- research applications) on whether applications to access patient information without consent should or should not be approved.  

NHS England advice for CCGs and GPs on information governance and risk stratification  

NHS Digital guidance on their data collections.

If you would like to know more about how Barnet CCG uses your information, please use the Contact Us section of our website.

return to the top