Collecting information on your health

The healthcare professionals and organisations that provide your care, for example your GP practice, hold your personal information. We do not hold or process personal information for the vast majority of patients. The exceptions are generally limited to:

  • Managing a complaint you have made about a service.
  • Managing individual funding requests for care.

And the information is likely to be:

  • Your name, address, date of birth and details of your GP.
  • Your medical condition and the treatment(s) that you receive.

Some teams may also occasionally have access to your information under particular circumstances. These could include:

  • Continuing healthcare.
  • Medicines management.
  • Safeguarding.
  • Corporate complaints team.

The secondary uses service (SUS) is the single comprehensive repository for healthcare data in England (with the exception of data from the GP practices currently being addressed), which enables a range of reporting and analysis to support the NHS in the delivery of healthcare services.

We need to use data identifiable at the level of NHS number to provide intelligence to support commissioning of health services. The NHS number is required to ensure that analysis of health care provision can be completed to support the needs of the health profile of the population within west Herts based on analysis of patient data across health pathways. As a result of this:

  • SUS data flow from Health and Social Care Information Service (HSCIC) to North East London Data Services for Commissioning Regional Office (DSCRO) identifiable at the level of NHS Number (weakly pseudonymised).
  • Data quality management and standardisation of data is completed by the DSCRO. As the CCG could not directly connect to the DSCRO to receive the data because of the Regional Processing Centre governance, North East London Commissioning Support Unit (NEL CSU) (ASH (Accredited Safe Haven) Stage 1) is used as a landing stage, receiving the data from the DSCRO. NEL CSU completes no additional processing of the data
  • North East London Commissioning Support Unit (NEL CSU) (ASH Stage 1) securely transfers the data to MedeAnalytics, who hold the SUS data within their secure Data Centre on N3, for the addition of derived fields, linkage of relevant data sets and analysis, (please note that at this time HVCCG had not acquired ASH status accreditation until December 2014 by which time a data sharing agreement delegating responsibility for this function had been signed with MedeAnalytics and is still in place). The MedeAnalytics systems that hold SUS data are limited to those administrative staff with authorised NHS Smart Cards used for identification and authentication
  • HVCCG authorised users log into the MedeAnalytics secure system to access the processed data identifiable at the level of NHS number via N3 connection as do the local GPs (Data Controllers)
  • Once in receipt of the data, the CCG completes aggregation of required data for our management use, including but not restricted to: commissioning patient services with providers, budgets, audits, validating invoices, performance management of providers, research, statutory returns, etc

Only members of staff directly involved in reviewing your care or complaint are able to see your information. Everyone who does see your information must keep it confidential.

We may keep your information in written form and/or on a computer. 

How patients’ records are used to help the NHS

General information about patients may be used to help assess the needs of the general population and make informed decisions about the provision of future services.  Information can also be used to conduct health research and development and monitor NHS performance.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions. 

Where it is not sufficient to use anonymised information, person identifiable information may be used, but only for essential NHS purposes.  This may include research and auditing services.  This will only be done with your consent, unless the law requires information to be passed on to improve public health.

Your information will not be sold to the private sector for marketing purposes.

How we keep your records confidential

Everyone working for the NHS is subject to the Common Law Duty of Confidence.  This means that the information you provide to us in confidence will only be used for the purposes that you have consented to, unless there are other circumstances covered by the law.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. 

Organisations we may share your information with

In those rare occasions when the CCG does hold your personal health information (as above), we may share your information, for health purposes,  with other NHS organisations such as hospitals trusts or with organisations that have contracts with the NHS to deliver care to patients such as GP practices.

There are rare occasions when we are required by law to report certain types of information to relevant authorities.  This information is only reported after formal permission has been given by a qualified health professional.  Occasions when we must pass on information include-

  • where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • where a formal court order has been issued

Our guiding principle is that we are holding your records in strictest confidence.

Direct care rationale and benefits

The reason health and social care organisations, both locally and nationally, need to use patient based data include:

  • supporting the administrative and operational processes of the provision and management of appropriate care, whether within primary care, within secondary care or across care and/or organisational boundaries
  • to enable appointments with relevant clinicians and clinics to be made
  • ensuring case notes and relevant information are provided in the process of care
  • providing information from the referring clinician to the subsequent service, such as laboratory tests to enable the appropriate service to be provided
  • Providing clinical information from the referring clinician to another clinician for investigations, tests and treatment to be undertaken/provided

Examples of benefits arising include:

  • ensuring that the patients receive the care that they need
  • minimising the repetition of information gathering from patients by clinicians
  • managing the workload of clinicians and associated resources, such as clinics, test machinery and buildings
  • supporting the safe delivery of services

Sharing your information with non NHS organisations

On the rare occasions when we might hold your individual information, we may also share this with non NHS organisations who provide care to you.  These may include social services and other organisations from which we commission services.  Where we are required to share information with these types of organisations we will not disclose any health information without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

We may be asked to share basic information about you, such as your name and address which does not include sensitive information.  This would normally be to assist them to carry out their statutory duties.  In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Act.

Where patient information is shared with other non-NHS providers, an information sharing agreement is drawn up to ensure information is shared in a way that complies with relevant legislation.  These non-NHS organisations may include, but are not restricted to social care, education services, local authorities, the police, voluntary and private sector providers.

You have the right to withdraw consent for us to share your personal information

You have the right to refuse/withdraw consent to information sharing at any time.  The possible consequences will be fully explained to you and could include delays in receiving care.

How can you get access to your own health records?

The Data Protection Act 1998 gives you the right to see or have a copy of your health records.  You do not need to give a reason but you may be charged a fee.   

If you want to access your health records you should make a written request to the NHS organisation(s) where you are being treated now or have been treated in the past.  You should also be aware that in certain circumstances your right to see some of the details contained in your health records may be limited in your own interest or for other reasons.

Further information

If you would like to know more about how Herts Valleys Clinical Commissioning Group uses your information, you can find out more by sending an email to This email address is being protected from spambots. You need JavaScript enabled to view it. (please write 'Information Governance' in the subject box) or by writing to our Information Governance team at the postal address provided on our website (address below).

Further information can also be obtained from the Data Protection Act 1998, the Care Record Guarantee and the NHS Confidentiality Code of Conduct, accessible via the internet or you local library.