
Privacy Policy

How we use your information: Fair Processing and Privacy Notice

The purpose of this notice is to inform you of the type of information (including personal information) that NHS Wakefield Clinical Commissioning Group holds, how that information is used, who we may share that information with and how we keep it secure and confidential.


If our fair processing and privacy notice changes in any way, we will place an updated version on this page.
Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.


All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive appropriate training on confidentiality of information, and staff who, because of their role, have regular access to personal information receive additional specialist training. We take relevant organisational and technical measures to make sure the information we hold is secure, such as holding information in secure locations, restricting access to information to authorised staff, and protecting personal and confidential information held on equipment such as laptops with encryption.

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian, who in NHS Wakefield CCG is Dr D Brown.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller. Under the Data Protection Act 1998 the CCG is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable information is collected, held and processed. View the CCG’s Notification online via the ICO website. NHS Wakefield Clinical Commissioning Group’s registration number is Z3616468.

For information that may identify you we would only use it in accordance with th

  • Data Protection Act 1998 – The Data Protection Act requires us to have a legal basis if we wish to process any personal information.
  • NHS Care Record Guarantee – sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made and investigating and managing inappropriate access (audit trails).
  • NHS Constitution for England – this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.
  • Caldicott Principles – sets out a number of general principles that health and social care organisations should use when reviewing its use of patient information. All staff are expected to follow these principles to ensure that information is protected and only shared in the best interests of their patients.





In the event that you believe the CCG has not complied with the Data Protection Act 1998 in the way we have processed your personal information, you have the right to make a complaint by contacting:

Complaints Team
NHS Wakefield Clinical Commissioning Group
White Rose House
West Parade
Wakefield West Yorkshire
Telephone: 01924 213050

In order to investigate your complaint we will need to process the information you provide us with along with other information we may already hold about you which is relevant to your complaint.

If as part of investigating your complaint we need to share some information about you with a health or social care provider, we will ask for your permission to do so.


If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click on the following links:




The Freedom of Information Act 2000 (FOI) can be used if you wish to exercise the right to access information held by us subject to a number of exemptions. Email the Freedom of Information team at See our website for the full Freedom of Information procedure.


Health and social care information is used in a number of ways to support your personal care and to improve health and social care services for everyone. When you attend a health or social care provider in England the clinicians and administrators you see will record information about your care. You can decide with your clinician on how your data will be used for your direct care. There are choices you can make about how information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. At any time you have the right to refuse/withdraw consent to information sharing. You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital (formerly known as Health and Social Care Information Centre) is the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care. NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.

A direction from the Secretary of State set out the Department of Health policy as to how type 2 opt-outs must be applied and instructed NHS Digital to apply type 2 opt-outs from 29 April 2016. NHS Digital collect information about your type 2 opt-out from your GP Practice and then create a record of all current type 2 opt-outs to check against any set of data that is to be made available by NHS Digital to another organisation. They remove all of your personal confidential information if it is in that data set, before that data are made available. The direction from the Secretary of State set out the scope of when your type 2 opt-out does not apply, such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

For more information on how NHS Digital collect and use opt-out information see Applying Type 2 Opt Outs. For more information about personal healthcare records and how to access them see NHS Choices. If you wish to exercise your right to withdraw consent / opt-out, or to speak to somebody to understand what impact this may have, if any, please contact your GP Practice.


We will only use information that may identify you (known as personally identifiable information) in accordance with the Data Protection Act 1998. The Data Protection Act 1998 requires us to have a legal basis if we wish to process any personally identifiable information. We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.

As a commissioning organisation we do not routinely hold medical records or confidential patient data. There are some specific areas, however, because of our assigned responsibilities where we do hold and use personally identifiable information. In order to process that information we will have met a legal requirement, in general this is where we have complied with one of the following:

  • The information is necessary for direct healthcare for patients
  • We have received consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information eg in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (eg a formal court order)
  • For the health and safety of others, for example to report an infectious disease such as meningitis or measles.

The areas where we use personally identifiable information ar

  • Individual Funding Requests - a process where patients and their GPs can request special treatments not routinely funded by the NHS
  • Continuing healthcare assessments (a package of care for those with complex medical needs)
  • Responding to your queries, concerns or complaints
  • Assessment and evaluation of safeguarding concerns for individuals
  • Incident investigations

We keep your information in written form and / or on a computer securely and confidentially. The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation.


NHS Wakefield CCG is a clinically led organisation that is made up of local GPs; we are responsible for buying (also known as commissioning) health services from health care providers such as hospitals and GP Practices for our local population to ensure the highest quality of health care. These care services include:

  • Planned hospital care
  • Unplanned care (urgent and emergency care)
  • Rehabilitation care
  • Community health services
  • Primary Care Prescribing
  • Some mental health and learning disability services.

We work with patients and health and social care partners (eg local hospitals, local authorities, local community groups etc) to ensure services meet local needs. We are also responsible for arranging unplanned care services for our registered patients and for commissioning services for any unregistered patients who live within the CCG’s geographic area. All General Practices within our geographic area belong to our Clinical Commissioning Group.

We performance manage the services that we commission to ensure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about these services. See our website for further information.


For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual does not fall under the Data Protection Act 1998. There are different types of information collected and used across the NHS; we use six types of information/data:

  1. Anonymised data, which is data about you but from which you cannot be personally identified;
  2. De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;
  3. De-identified data with a weak pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times whereby you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;
  4. Anonymised information, which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment;
  5. Personal data from which you can be personally identified. Information that will identify you will usually include a combination of the following items: your name, date of birth, address, postcode, NHS Number and other unique identifiers; and
  6. Sensitive information/data about you from which you can be identified.

As many people's first point of contact with the NHS, the majority of patient interaction is with primary care services, eg GP Practices. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary care data relates to information which has been sourced from these types of services.

Secondary Care covers treatment and care of a specialised medical service by Clinicians, for example, specialist doctors and nurses, within a health facility or hospital on referral by a primary care clinician (eg your GP). Secondary care data relates to information which has been sourced from these types of services.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital’s website. SUS data is useful to commissioners and providers of NHS-funded care for 'secondary' purposes - purposes other than direct or 'primary' clinical care. We go into more detail within the ‘Sharing Information’ section below.


Patient Related Information:
Your information may be used to help assess the needs of the general population both on a local and national level to help make informed decisions about the provision of future services. Information may be used to conduct health research and development, public health activities and to monitor NHS performance in order to allow the NHS to plan for the future. Only anonymised or pseudonymised information will be used for this purpose. Often information is used and shared in aggregated statistical form.

Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode or date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. However, it still enables information to be analysed in such a way that patterns and trends relating to population health can be understood, as well as the impact of health services on public health over time.

Anonymisation is a process that ensures the removal of identifiable information such as your name and address, meaning that it is only useful within the specific context for which it is analysed. For instance, an individual might appear once or many times in anonymised data, but you would not be able to verify this.

Data may be pseudonymised and linked so that it can be used to improve the delivery of health and care, alongside the development and monitoring of NHS and social care performance. For example, linking those who receive home care and district nursing services to understand how we might improve the patient’s experience. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

Health and Social Care Analysis
This enables us to effectively improve local health and social care services by identifying whether the health and social care initiatives and solutions we commission are having the desired effect. This is done by tracking health and social care outcomes. Outcomes for example might be reduced numbers of admissions to hospital and associated reduced costs, admission to a care home and increased A&E attendances. The data processed in the system has been pseudonymised and the analysts using the system within the CCG and the Council do not have access to service user identifiable information.

Invoice Validation
Where care is provided and the CCG is responsible for it, we need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP Practice within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England. The CCG is an accredited Controlled Environment for Finance approved by NHS England under Section 251 of the NHS Act 2006 which enables us to process patient identifiable information without consent for the purposes of invoice validation. We use limited identifiable information about individual patients when validating invoices received for your health care, to ensure that the invoice is accurate and genuine. This is performed in a secure environment and is carried out by a limited number of authorised staff. These activities and all identifiable information remain strictly within our Controlled Environment for Finance.

Risk Stratification
Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding. The CCG also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCG does not have access to your personal identifiable data. The CCG is able to view aggregated risk stratification data but is not able to identify an individual patient record. Personal identifiable data is only available to your GP or member of your care team. The CCG has commissioned North of England Commissioning Support to conduct risk stratification on behalf of itself and its GP Practices. North of England Commissioning Support will not at any time have access to your personal or confidential data. They act on behalf of the CCG and your GP to organise this service, with appropriate contractual and security measures in place.

The Legal Basis for Data Flows (Section 251 of the NHS Act 2006)
The Secretary of State for Health gives limited permission for the CCG (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, risk stratification, invoice validation and Stage 1 Accredited Safe Haven status. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group. This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses. Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available. More information about Section 251 is available from the Health Research Authority web site.

Staff Related Information:

Job Applicants, Current and Former Employees
When individuals apply to work at the CCG, we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference we will not do so without informing them beforehand unless the disclosure is required by law. Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain anonymous statistical information about applicants to help inform our recruitment activities. Once a person has taken up employment with us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with NHS Wakefield CCG has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

Register of Interests and Register of Gifts and Hospitality
All CCG staff, Governing Body and committee members must declare any conflicts of interest. This is usually a personal interest, if someone is connected to an individual that works within the NHS or an associated organisation, or it may be a professional interest in another organisation that could conflict with the CCG. Our staff, Governing Body and committee members must also declare any gifts and hospitality. To make sure we have absolute clarity on any conflicts of interest and gifts and hospitality, we publish our registers which list relevant members by name along with their current position in the CCG and details of the conflict of interest, gift or hospitality. In exceptional circumstances, where the public disclosure of information could give rise to a real risk of harm or is prohibited by law, an individual’s name and/or other information may be redacted from the publicly available register(s). Decisions not to publish information are made by the Conflicts of Interest Guardian for the CCG.

Workforce Minimum Data Set
Under the Health and Social Care Act 2012 NHS Wakefield CCG provides individual level employee information to the workforce Minimum Data Set for primary care and secondary care. This data is collected to enable a detailed understanding of the current workforce, its shape, size, skills, competencies and experience. Having this information supports the wider NHS to identify future workforce requirements to ensure we can meet patients’ needs now and in the future. In order to ensure accuracy and reduce duplication some identifying information is required at the start of this process. However, this identifying information is removed from the dataset following the initial automated process so that no one processing the database can identify an individual. The information collected will be analysed and used for workforce planning, accountability, Parliamentary Questions, Freedom of Information requests, and supplied in aggregated reports to GP Practices, Health Education England, Local Education Training Boards, Clinical Commissioning Groups and NHS England. More information about the workforce Minimum Data Set and its uses is available from the Department of Health and Health Education England.

National Fraud Initiative
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of staff and supplier data to the Minister for the Cabinet Office for matching for each exercise. View further information here on the Cabinet Office’s legal powers and the reasons why it matches particular information.

Visitors to our Website
When someone visits the CCG’s website information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in such a way that does not identify people who have visited our website. From time to time, you may be asked to submit personal information about yourself (eg name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries. By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.


We hold information centrally which is used for statistical purposes to allow us to plan the provision of health care services.

Examples of this include:

  • Commissioning joined up care, closer to home
  • Assessing and evaluating adult and child safeguarding concerns
  • Reviewing the care we provide to make sure it is of the highest standard
  • Evaluation and review of services such as checking their quality and efficiency
  • Paying service providers for the care they provide
  • Checking NHS accounts and services
  • Working out what illnesses people will have in the future so we can prioritise NHS services
  • Making sure our services can meet patient needs in the future
  • Preparing statistics on NHS performance
  • Dealing with complaints and enquiries


There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance's Records Management Code of Practice for Health and Social Care. For more information, you can access the document here. NHS records are subject to legal minimum retention periods and should not be destroyed unless specific instructions to do so have been given by the CCG. Where data has been identified for disposal the CCG will ensure tha

  • Information held in manual form is destroyed using a cross cut shredder or is subcontracted to a reputable confidential waste company that complies with European Standard EN15713.
  • Electronic storage media used to hold or process information is destroyed or overwritten to current industry best practice standards.
  • It retains copies of all relevant certificates of secure destruction of information.


We work with a number of other NHS and partner agencies, as well as the Local Authority, to provide health and care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We may contract with other organisations to provide a range of services such as analyses of data, Human Resource and IT Services. In these instances we make sure that our contractors handle our information under strict conditions of confidentiality and in line with the law. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Current external data processors:

  • North of England Commissioning Support (NECS) - who process information in support of risk stratification. NECS process primary care data (identifiable at the level of NHS number) on behalf of the CCG and GPs and link this data with Secondary Uses Service data for the purpose of risk stratification. The output data from this process will be pseudonymised before sharing with the CCG and will be identifiable at the level of NHS Number for GPs to support re-identification for direct care interventions. The CCG does not receive any personal identifiable information from this service.
  • eMBED Health Consortium – who process information in support of commissioning and planning services. The output data from this process will be anonymised or pseudonymised before sharing with the CCG. The CCG does not receive any personal identifiable information from this service.
  • Calderdale and Huddersfield NHS Foundation Trust - provide IT Services, services to the CCG. They process personal information linked to the above services on behalf of the CCG.

At the moment, among others, we also work wit

  • Local GPs
  • South West Yorkshire Partnership NHS Foundation Trust
  • Mid Yorkshire Hospitals NHS Trust
  • Locala Community Partnerships
  • Wakefield Metropolitan District Council
  • NHS Sheffield Clinical Commissioning Group

Your information will only be shared in accordance with your rights under the Data Protection Act 1998, the Common Law Duty of Confidentiality, the NHS Constitution and in keeping with professional codes of conduct and the Confidentiality NHS Code of Practice. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless there are exceptional circumstances or a legal obligation such as:

  • There is a risk of harm to someone or the wider community
  • The prevention or detection of a serious crime
  • Where we are required to do so by law
  • Reporting some infectious diseases

In the event that we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.


At any time you have the right to refuse/withdraw consent, in full or in part, to information held about you by the CCG being shared with other organisations. You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis. Sometimes there may be exceptional circumstances or an overriding legal obligation to share information about you without your consent such as where there is a risk of harm to someone.

If you wish to exercise your right to withdraw consent to information held about you by the CCG being shared or to speak to someone at the CCG who can help to explain what impact or possible consequences this may have for you, such as delays in receiving care, please contact us at the following address:

NHS Wakefield Clinical Commissioning Group
White Rose House
West Parade
Wakefield
West Yorkshire
WF1 1LT


If you have any questions regarding the information we hold on you or the use of your information, please contact us at:

NHS Wakefield Clinical Commissioning Group
White Rose House
West Parade
West Yorkshire
Telephone: 01924 213050

You can contact Dr D Brown our Caldicott Guardian at:

White Rose House
West Parade
West Yorkshire
Telephone: 01924 213050

The record of your enquiry will be retained in line with the Records Management Code of Practice for Health and Social Care.

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow, Cheshire
Telephone: 08456 30 60 60 or 01625 54 57 45


Where we hold information about you, from which you can be identified you have the right to ask to

  • View this or request copies of your record (by making a Subject Access Request)
  • Request information is corrected
  • Have the information updated where it is no longer accurate
  • Ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain the possible consequences to you such as how this might affect the care services you receive.

If you wish to receive a copy of the information we hold about you, please note that there may be a charge for this (of up to £50). See our website for our Access to Records procedure. Please note the CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your personal health care records you will need to apply to your GP Practice, the hospital or NHS organisation which provided your health care.