How we use your information  (Privacy Notice)

Privacy Notice

NHS Dartford Gravesham and Swanley Clinical Commissioning Group (CCG) is responsible for buying (also known as commissioning) health services from healthcare providers such as hospitals and GPs, for our local population. We also monitor the performance and quality of these services. In general we only use data that has been anonymised or pseudonymised[1] for these purposes. For further information on who the CCG are and what we do please visit our About Us page

This Privacy Notice tells you about

  • Who we are
  • The type of information (including personal data and special categories of information) that the CCG holds and why.
  • How the CCG uses the information.
  • Who the CCG may share that information with
  • How we keep the information, safe, secure and confidential.
  • How you can contact us regarding your rights.

Full details on each data flow are included in the Data Flows Map section below.

The CCG is a Controller under the terms of the General Data Protection Regulations (GDPR) / Data Protection Act 2018 (the Act). This means we are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you is carried out in compliance with the Data Protection Principles.

All Controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is Z3592794 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Under the new General Data Protection Regulation (GDPR), which comes into force on the 25 May 2018, the CCG as a public authority must appoint a data protection officer (DPO). All CCGs must also appoint a Caldicott Guardian and Senior Information Risk Officer (SIRO). We have already established these roles – please see the key individuals section below for more information.

In addition to this privacy notice, the CCG has a staff privacy notice in place, available to download HERE

[1] Pseudonymised data/information is anonymous to the people who hold or receive it (e.g. a research team), but contains information or codes that would allow others (e.g. those responsible for the individual’s care) to identify an individual from it.

Our Commitment to Data Privacy, Security and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this, such as the issuing of encrypted secure IT equipment to all staff. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going Data Security Awareness training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will not share any information about you to any third party. We will only obtain and use the minimum amount of information necessary about you.

Roles within the CCG (including the Data Protection Officer)

For information on how to contact the CCG’s Data Protection Officer, Caldicott Guardian or Senior Information Risk Owner, please see the contact details in the complaints and questions section below.

Data Protection Officer

The Head of Corporate Governance is the CCG’s Data Protection Officer. Contact details for the Data Protection Officer can be found within the complaints or questions section below.

The DPO’s minimum tasks are defined in Article 39 of the GDPR. These are

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed

Caldicott Guardian

All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. The CCG’s Caldicott Guardian is Chief Nurse Paula Wilkins, who is responsible for protecting the confidentiality of patients’ and service-users’ information and enabling appropriate information-sharing.

The Caldicott Guardian plays a key role in ensuring that the CCG satisfy the highest possible standards for handling personal information.

Acting as the ‘conscience’ of an organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

Senior Information Risk Officer (SIRO)

In addition to the Caldicott Guardian, CCGs also have a SIRO who owns the CCG’s overall information risk policy and risk assessment process. This involves ensuring there are robust incident reporting process for any information risks identified by the CCG. The CCG’s SIRO is the Company Secretary.

How your data is used to help the NHS

The law provides some NHS bodies, such as NHS Digital, the ability to collect and use patient data that cannot identify a person which they can then provide to help commissioners (CCGs) to design and acquire the combination of services that best suit the population they serve.

Data may be linked and anonymised by these bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure individual patients cannot be identified (see information below regarding anonymisation).

Information the CCG collects and how we use it

For the majority of the work that the CCG carries out, we do not need to use personal confidential data and wherever possible, anonymised data is used. Anonymised data refers to the process of turning personal and/or sensitive data into a form which does not identify individuals and where identification is not likely to take place. The Data Protection Act 2018 / GDPR only applies to personal identifiable information and therefore anonymised data is not covered by the act as there is only a slim, to no, chance of the information being re-identifiable.

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning (funding) of healthcare services. We will only use anonymised data for this. Examples of this include:
• To check the quality and efficiency of the health services we commission.
• To prepare performance reports on the services we commission.
• Checking NHS accounts and services.
• Working out what illnesses people will have in the future so that we can work with the local services to make sure that patient needs are met.
• Reviewing the care we commission to make sure it is of the highest standard.

As the CCG is a commissioning organisation responsible for funding services, we do not provide any healthcare services and therefore we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where we do hold and use personal confidential information. In order to process that information we will have met a legal requirement, as follows:
• Meeting a legal basis for processing under the Data Protection Act 2018.
• To protect children or vulnerable adults.
• Where there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
• Where there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
• Where we have special permission for health or research purposes (granted by the Health Research Authority Section 251).
• For the health and safety of others, for example to report an infectious disease.

The CCG has a limited number of functions, where personal confidentiality is required. Full details of these functions are included within the Data Flows Map section.

Your Rights (including opt outs and accessing your data)

The GDPR / Data Protection Act 2018 provides the following rights for individuals depending on the legal basis for processing as identified within the data flows map at the end of this notice:
• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making including profiling.

Further information on these rights can be accessed here.

If you wish to exercise any of the rights available to you, or to speak to somebody to understand what impact this may have, if any, please contact the Data Protection Officer using the contact details in the complaints or questions section below:

Data Subject Access Requests

Under the GDPR / Data Protection Act 2018, you have the right to make a request to see or obtain copies of the information that the CCG holds about you; this is referred to as a Subject Access Request. Under the Act you are entitled to be told if any personal information is held about you, and if it is, to be given:

  • A copy of the information in permanent form if requested.
  • An explanation of any technical or complicated terms e.g. medical terminology or abbreviations.
  • An explanation of where we got your information from.
  • A description of the information, the purposes for processing the information, who we are sharing the information with, if anyone, and how long we will be keeping the information.
  • Information on the safeguards in place for any data being transferred outside of the European Union
  • An explanation of the logic involved in any automated decisions (if you have specifically asked for this)
  • Information regarding your other rights under the GDPR / Data Protection Act 2018.

To view or access a copy of your health records please write to the Data Protection Officer using the contact details in the complaints or questions section below, giving as much detail as possible on the record(s) you wish to access.

We will ask you for proof of your identity and proof of your address. The CCG then has one month to respond to your request, from receipt of the above information.

The CCG is able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the CCG will inform you within one month of the receipt of the request and explain why the extension is necessary.

As noted above, the CCG holds limited health information about you where it can use this for direct care purposes. You may also need to contact those NHS organisation(s) where you are being, or have been treated.

Further information on Data Subject Access Requests can be found via the Information Commissioners Office (ICO).

Can I access the records of my children?

You may be able to access the records of your child/children.  However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child

To apply for access, please use the procedure above.

How long will it take?

We are obliged to comply with our obligations promptly, within one month from the date your request is received. If clarification of your request is needed, the one month period does not start until that is received.

How much will it cost?

The CCG will provide a copy of your information free of charge. However, the CCG can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. The CCG may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that the CCG will charge for all subsequent access requests. The fee will be based on the administrative cost of providing the information.

Can I be refused access to my health records?

You can be refused access to your records or part of them if:

  • Your healthcare provider/clinician thinks you or someone else could be harmed as a result of the disclosure.
  • The information relates to, or was provided by, a third party (that is someone other than yourself) and they have not given their permission for their comments to be divulged to you.Manifestly unfounded or excessive requests
  • Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the CCG can
  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to respond.Where the CCG refuses to respond to a request, we will provide a full explaination as to the reasons why to the individual, informing them of their right to complain to the Information Commissioners Office and to a judicial remedy without undue delay, at the latest within one month.

Should you be unhappy with the outcome of your request, you should in the first instance contact the CCG who will discuss your request and any ongoing concerns you may have.

You are also free to contact the Information Commissioner’s Office directly in the event you remain dissatisfied whose contact details are included within the questions and complaints section below.

Can I access the records of a deceased person?

Under the Access to Health Records Act 1990, you may request access to the records of a deceased person if you are the executor of their will, or if you have a claim on them.  However, if the deceased person has stated in their will that they do not wish anyone to have access, their wishes must be upheld.

To request access to a deceased person’s records please write to the following:

Primary Care Support England
Faith House, 2 St Faiths Street,
Maidstone Kent ME14 1LL

General Enquiries: 01622 655 000

Opting out

How the NHS and care services use your information

Swale Clinical Commissioning Group is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided.
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information.
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
  • Find out more about the benefits of sharing data.
  • Understand more about who uses the data.
  • Find out how your data is protected.
  • Be able to access the system to view, set or change your opt-out setting.
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Retaining and Destroying Information


Any information obtained by the CCG will be retained for as long as is necessary for the purpose we collected it for.

Records are kept in accordance with Data Protection Act 2018 principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept. Further information on retention periods is included within the data flows map under the ‘Information the CCG collects and how we use it’ section above.

For further information regarding how your records are managed, stored and retained please see the Records of Management Code of Practice.


Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:

  • To ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a reputable confidential waste company that complies with European Standard EN15713.
  • To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards.
  • To retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us).
  • To ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the Data Protection Act 2018.

Complaints and questions

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the CCGs Data Protection Officer, Helen Foreman, at this email address:

Or by post to: Dartford Gravesham and Swanley CCG, Governance Team, 2nd Floor, Gravesham Civic Centre, Windmill Street, Gravesend, Kent, DA12 1AU

Phone: 03000 424903

Further information on the Data Protection Officer’s role and responsibilities can be found under the section below on our commitment to data privacy, security and confidentiality.

For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about how your data is used and processed, you can contact:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Phone: 08456 30 60 60 or 01625 54 57 45


Reviews and changes to this page

We will keep our privacy notice under regular review. This privacy notice was last reviewed in May 2018.

A full copy of the data flows map which details individual data processor activities, including the purposes and rationale for why we collect and process information can be accessed HERE

A word version of this document can be downloaded HERE