Your information and how we use it

Fair processing notice for NHS Coastal West Sussex Clinical Commissioning Group
1 The Causeway, Goring-by-Sea, Worthing, West Sussex BN12 6BT

NHS Coastal West Sussex Clinical Commissioning Group (CCG) holds some information about you. This page provides information about why, how it is used, with whom we share information, how we keep your information confidential and your rights in relation to the information we hold about you.

What we do

NHS Coastal West Sussex CCG is the local NHS organisation that brings together local GPs and experienced health professionals to take on planning, buying and monitoring responsibilities (also known as commissioning) for local health services. The CCG is responsible for planning, buying and monitoring:

  • the care and treatment you may need in hospital and community health services, including district nurses, physiotherapy and other therapies
  • the medicines you may be prescribed
  • mental health services
  • and support and services for people living with learning disabilities.

We also have a role which includes managing patient feedback, including complaints, from our patients about services offered. This helps us to understand what is working well and what is causing problems for our patients.

Further information about our work is available online.

What kind of information do we use?

The CCG uses the following types of information/data:

  • identifiable - containing details that identify individuals
  • pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code
  • anonymised - about individuals but with identifying details removed
  • aggregated - anonymised information grouped together so that it doesn't identify individuals.

What do we use anonymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

  • check the quality and efficiency of the health services we commission
  • prepare performance reports on the services we commission.
  • predict what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future
  • review the care being provided to make sure it is of the highest standard.

What do we use your sensitive and personal information for?

There are some limited exceptions where we may hold and use sensitive personal information about you. For example the CCG is required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information include:

  • a process where you or your GP can request special treatments that are not routinely funded by the NHS, which are known as individual funding requests
  • when your GP refers you to our patient choice navigators to help you to get care at a provider of your choice
  • assessments for continuing healthcare and appeals
  • responding to your queries, compliments or concerns
  • assessment and evaluation of safeguarding concerns
  • where there is a provision permitting the use of sensitive personal information under specific conditions, for example to:
    • understand the local population needs and plan for future requirements, which is known as “risk stratification for commissioning".
    • ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”.
    • monitor access to services, waiting times and particular aspects of care, for which the CCG is considered to be an “accredited safe haven”.

Sensitive personal information may also be used in the following cases:

  • the information is necessary for your direct healthcare
  • CCGs responding to patients, carers or member of Parliament communication
  • you have freely given your informed agreement (consent) for us to use your information for a specific purpose
  • there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).

In each of these circumstances the information the CCG holds will be different, as it will be dependent on what is necessary for the individual area of our work.

Sometimes we will need information about you including personal details such as your:

  • name;
  • address;
  • date of birth;
  • NHS number;
  • health/medical information;
  • treatments you have received and where you received them.

However, the information held will only be relevant to the area of work.

For example, you may have only provided your name, address and email address to sign up for our ePanel, but if you are receiving NHS Continuing Healthcare then the team will have records about your care to date and your condition.

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

In order to perform our commissioning functions, information may be shared between various organisations including: acute and mental health hospitals, GP practices, community services, other CCGs, commissioning support units (CSU), ambulance services, local councils (social services and public health) and voluntary sector and other health organisations.

The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre) ways of collecting and using patient data that cannot identify a person. This information helps commissioners to design and procure the combination of services that best suit the population they serve.

We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices and in the section ‘Your right to Opt Out’ below.

NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how NHS Digital look after information for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that they do, direct or commission and takes care to meet its legal duties. Follow the links on the How NHS England uses your information page for more details.

NHS Coastal West Sussex CCG is an Accredited Safe Haven (ASH) under a NHS Act 2006 Section 251 exemption which enables us to hold and process NHS numbers for commissioning purposes. We have a signed Data Sharing Agreement with NHS Digital (formerly the Health & Social Care Information Centre) for them to provide us with weakly pseudonymised data (i.e. your NHS Number). All information received through this service is stored securely within an accredited safe haven environment accessible only to authorised team members.

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (hospital inpatient, outpatient and A&E data). In some cases there may also be a need to link local datasets which could include a range of acute-based (hospital) services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CCG does not have any access to patient identifiable data for this purpose.

We may also contract with other organisations to process data. These organisations are known as data processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. Currently, the external data processors we work with are listed in the table below under ‘For other organisations to provide support services to us’.

Our uses of information

Although this is not an exhaustive detailed listing, the following lists key examples of the purposes and rationale for why we collect and process information;


To process your personal information if it relates to a complaint where you have asked for our help or involvement. We will need to rely on your explicit consent to undertake such activities.

Complaint processing activities

The CCG uses NHS South Central and West Commissioning Support Unit to help us manage complaints. When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

We may use service user stories, following upheld complaints, but always anonymously, via our Quality Committee. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we use the service user story.

Funding treatments

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This may be called an “individual funding request” (IFR).

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent.

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and funded nursing care, and commission resulting care packages.

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

CWS CCG uses an electronic system known as Caretrack provided by CHS Healthcare Limited, who are based at 1 Wrens Court, 53 Lower Queen Street, Sutton Coldfield, West Midlands B72 1RT. Caretrack is used to record the detail of those service users who have applied for Continuing Healthcare and Funded Nursing Care, and for recording the actions taken by Continuing Healthcare staff in the management of the service.

We also use an electronic system called INTEND, which is provided by West Sussex County Council. This system is used to obtain suitable packages of care for service users from an approved list of care providers.

To improve the assessment processing of retrospective continuing healthcare claims, the CCG has contracted CHS Healthcare Limited to assess some claims. The process is explained to affected claimants and explicit consent is obtained before any personal information is shared.

To help patients get care at their provider of choice

We will collect and process your personal information where you have asked us to support you to choose a health provider.

Your GP will discuss your needs with you, and when together you have agreed that you need to be referred for specialist treatment, your GP practice will forward your referral to our team of Patient Choice Navigators (PCNs) at the CCG. Using the NHS e-Referral System (formerly Choose and Book) we will help you to make an informed choice. Information will only be shared when you have agreed with your GP that a referral is the best course of action.

In accordance with the NHS Constitution, you have the right to choose when and where you wish to be treated and in a timely manner.

When you need to be seen by a specialist, the CCG is committed to ensuring that whenever possible, you receive a timely outpatient appointment at a provider of your choice. Your GP will provide you with a booking card and a telephone number for you to contact the team. You are then asked to contact the Patient Choice Navigators five days after seeing your GP so they can work with you to book your appointment.

Following discussion with you, the Patient Choice Navigators will send your referral on to the hospital or community provider of your choice, who will then contact you to confirm your appointment. If you do not make contact with the PCN within 10 days of the team receiving your referral then an appointment may be booked for you.

If you have any concerns or questions about your information being passed to the Patient Choice Navigators then please speak to a member of the practice team.


We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use

Managing medicines

With your consent, we use information to enable pharmacists, pre-registration pharmacist trainees and technicians to work with CWS GP practices to optimise prescribing and medicines use; to enable the processing of financial, clinical and usage information about specialist medicines prescribed by our healthcare partners and paid for by the CCG;

We are committed to supporting GPs and hospitals that we commission services from to optimise your medicines effectively, in ways that are consistent with the laws that protect your confidentiality. The use of identifiable data by pharmacists, CCGs and GPs for managing medicines use is supported through NHS England policy and direction. Your clinician will ask for your consent to share information with us.

Data processing activities

Your GP will discuss your medicines needs with you, and when together you have agreed that you would benefit from a review of your medicines with or by a pharmacist, your GP practice will forward your details to our team of pharmacists working with your GP surgery. The pharmacists will be employed by the CCG, but working as a member of the practice team and will follow all practice processes to protect your confidentiality.

For processing patient data about certain specialist medicines prescribed and supplied to you by hospitals, the CCG works with a system called Blueteq, which processes patient information using a secure hosted system. The doctor or specialist nurse completes one of a choice of ‘tick box forms’ to provide assurance that the treatment is clinically and financially appropriate, the Blueteq system then creates an individual patient record held in a central secure location, the hospital pharmacy team view the partially completed submission on Blueteq and add further information about the medicine, basic details such as your NHS number, hospital number and your age, along with information about your health and wellbeing relevant to your application is then available for the CCG to view to ensure all such treatments are clinically appropriate and match the invoices sent to CCG.

Pro-active care management: risk stratification

Pro-active care management is a process that helps your GP to help you manage your health. To do this population data is analysed to provide lists of patients to GPs where a person may benefit from a targeted healthcare intervention: we call this risk stratification. Risk stratification is based on research that shows a person who has a recognised history and characteristics may avoid an undesirable health outcome if the signs are recognised and a particular action is taken early enough.

We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.

Commissioning benefits

NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Data processing activities for risk stratification

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems. The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

The risk stratification system commissioned by the CCG is called the ‘Sussex Combined Predictive Model’ and is provided by South East Commissioning Support Unit, who are based at 1 Lower Marsh, Waterloo, London SE1 7NT, they are our data processors. This processing for risk stratification takes place under contract with South East Commissioning Support Unit, following these steps below:

  • The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and has signed an NHS Digital (formerly HSCIC) data sharing contract for the SUS (secondary care/hospital) data.
  • Your GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS number for those patients that have not objected to risk stratification or there is no type 1 objection made by the patient. The data, containing the same verified NHS numbers, are sent via secure transfer, directly into the landing stage of Sussex Combined Predictive Model system.
  • Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GP’s and the NHS Digital. No identifiable data of any patient is seen by NHS CWS CCG staff.

South East Commissioning Support Unit has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient. The risk scores are only made available to authorised users within the GP practice where you are registered via a secure portal managed by CWS CCG.

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP practice. They can add a code to your records that will stop your information from being used for this purpose.

Further information about risk stratification is available from NHS England.

Invoice processing

The process ensures that those who provide you with care and treatment can be paid.

NHS Shared Business Services process invoices on behalf of NHS CWS CCG. They do not require and should not receive any patient confidential data to provide their services. NHS England has published guidance on how invoices must be processed and commissioners have a duty to detect, report and investigate and breaches of confidentiality.

Further information about invoice processing is available from NHS England.

Invoice validation

The validation of financial invoices is undertaken within a controlled environment for finance within the NHS South Central and West Commissioning Support Unit (SCW CSU) which is based at Omega House, 112 Southampton Road, Eastleigh, SO50 5PB. This service ensures that the invoice is accurate and genuine and supports our CCG in ensuring public monies are spent appropriately.

The dedicated SCW CSU team receives patient level information direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. The CCG does not receive or see any patient level information relating to these invoices. There may be occasions when patients contact us directly, or initiate the invoice, such as a claim for transport costs or a review of retrospective NHS Continuing Healthcare funding, when patient's details may be shared in order to pay the individual, and this process is communicated at the time.

Further information about invoice validation is available from NHS England.

Contacting the CCG online via a website form

To give members of the general public or staff at NHS trusts an additional option when contacting the CCG. The website form enables people to contact us even when they are using a computer which doesn't have an email client (e.g. Outlook) installed and configured for their use.

The form is one of several options provided on the website to contact us (also post, email, telephone or in person at our office). Use of the form and the nature of the information included is entirely at the user's discretion. There are two required fields (name and email) which enable us to contact the sender back if required, and a third free-text field for the user's message. Messages sent via the form are received at Automatic administrative emails from our website to our website users are provided by SMTP2GO.

Patient and public involvement

If you are a member of the CWS CCG ePanel, we will collect and process personal confidential data which you share with us. This data is held offline locally and is managed by the Communications and Engagement Team.

If you have completed an online survey then the responses (but not your personal details unless you voluntarily included them within your response) are held by the survey tool Survey Monkey.

If you are actively involved in our engagement and consultation activities or patient participation groups, but you are NOT a member of the ePanel we will collect and process personal confidential data which you share with us. This data is held locally and is managed by the Communications and Engagement Team.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.


To collect NHS data about service users that we are responsible for. Our legal basis for collecting and processing information for this purpose is statutory.

Processing activities

Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.

This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS England and they relate to service users registered with GP practices that are members of the CCG.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by NHS Digital, and the specific terms, conditions and security controls that we are obliged to follow when using these commissioning datasets is available on the NHS Digital website.

We also receive similar information from GP practices within our CCG membership that does not identify you. We use this datasets for a number of purposes such as:

  • Performance managing contracts;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP practice;
  • To audit NHS accounts and services.

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP practice and they can apply a code to your records that will stop your information from being included.

For other organisations to provide support services to us

The CCG will use the services of these additional data processors, who will provide additional expertise to support the work of the CCG:

We have entered into contracts with other organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:

  • NHS South Central and West Commissioning Support Unit CSU: Commissioning intelligence analysis (add value to the analyses of data that does not directly identify individuals), human resources, complaints management, freedom of information request management, contracting support, information governance support.
  • NHS South East Commissioning Support Unit: Risk Stratification, IT Network supplier, primary care IT
  • NHS Brighton and Hove CCG: provide patient safety and serious incident co-ordinations services.
  • Western Sussex Hospitals NHS Trust: provision of specialist decontamination advice.
  • CHS Healthcare Limited: Assessment of retrospective continuing healthcare claims, provision of Caretrack electronic system to record continuing healthcare applications and actions.
  • Blueteq Limited: To help manage medicines as stated above in the section managing medicines.
  • Arun Health Safety Services: provision of health and safety services
  • Joint Commissioning Unit (with West Sussex County Council and Horsham and Mid-Sussex CCG) - children and families, and mental health commissioning
  • East Sussex Hospitals NHS Trust: Provide staff payroll services
  • BoardIQ: An on-line system that allows the CCG to produce electronic meeting packs for committee members (does not include patient confidential data)
  • Surface Impression: Provide the content management of the website
  • PHS Limited and NHS Property Services: Archiving of CCG Records (archived by function/type – individuals not identified)
  • TIAA Internal Audit: Audit our accounts and services (add value to the analyses of data that does not directly identify individuals)
  • NHS Litigation Authority – Claims Management (we rely on your consent)
  • Coast2Coast Computers: provide a service to securely dispose of redundant IT equipment
  • NHS Property Services (subcontracted to SITA) to securely dispose of confidential waste in a secure environment?
  • NHS Shared Business Service – provide a service to manage invoices (see invoice validation and invoice processing section above)
  • West Sussex County Council – work with them in the management of safeguarding enquiries and as part of statutory local safeguarding children’s and adult’s boards
  • Survey Monkey – provide our public survey tool
  • SMTP2GO – enables us to send automatic administrative emails from our website to our website users


These organisations are subject to the same legal rules and conditions for keeping personal data confidential and secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.


To support research oriented proposals and activities in our commissioning system

Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Processing activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

What are your rights?

Where information from which you can be identified is held, you have the right to ask to:

  • View this or request copies of the records by making a subject access request.
  • request information is corrected
  • have the information updated where it is no longer accurate
  • ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive

Gaining access to the data we hold about you

The CCG holds limited records containing personal information, for example continuing healthcare applications; it does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to your GP practice, the hospital or NHS organisation which provided your health care.

Everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data, but you may be charged a fee.

If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld.

If you wish to have a copy of the information we hold about you, please note that there may be a charge for this (of up to £50). Please contact:

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

There may be certain circumstances where we are legally required to give your information to other people without your consent, for example:

  • a court order
  • notifiable diseases
  • to safeguard an individual
  • to prevent disorder or crime

In these circumstances, you will not be able to ‘opt-out’ of your information being shared.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. Your information is also handled in line with the Caldicott principles.

The NHS Constitution makes certain pledges which go above and beyond your legal rights and are a commitment to provide high-quality health services. You can see all the pledges the NHS makes to patients by downloading the NHS Constitution. In respect of your information, the NHS Constitution sets out the following rights:

  • The right of access to your own health records and to have any factual inaccuracies corrected
  • The right to be informed of how your information will be used
  • The right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons and the legal basis

There is also a helpful handbook to the NHS Constitution, which is designed to give the public and patients, including their carers and families, all the information you may need about the NHS Constitution for England

This sets out the rules that govern how patient information is used in the NHS and what control you can have over this. It covers:

  • people's access to their own records;
  • controls on others' access;
  • how access will be monitored and policed;
  • options people have to further limit access;
  • access in an emergency;
  • and what happens when someone cannot make decisions for themselves.

Everyone who works for the NHS or for organisations delivering services under contract to the NHS also has to comply with the NHS Care Record Guarantee which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. For more information you can download the NHS Care Record Guarantee version 5 (2011).

The NHS Digital Code of Practice on Confidential Information and NHS Confidentiality Code of Practice applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations and on secure systems, and is securely destroyed when no longer required. We restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

The CCG’s Clinical Director is responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. They are supported by another executive member of staff who is responsible for information risk and information security, this person is called the Senior Information Risk Owner or SIRO. The SIRO and Caldicott Guardian can be contacted via (tel: 01903 708400).

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by Coastal West Sussex Clinical Commissioning Group).

How long do you hold confidential information for?

All records held by the CCG will be kept for the duration specified by national guidance from the Department of Health.

Your right to opt out

In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision.

If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact us.

There are several forms of opt-outs available at different levels. These include for example:

  1. Information directly collected by the CCG:
    Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation.
  2. Information not directly collected by the CCG, but collected by organisations that provide NHS services

Type 1 opt-out

If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.

Type 2 opt - out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.

To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care, this is known as a 'Type 2 opt-out'

If you do not want your personal confidential information to be shared outside of the NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.

Patients are only able to register the opt-out at their GP practice.

For further information and support relating to Type 2 opt-outs please contact NHS Digital at referencing 'Type 2 opt-outs - Data requests' in the subject line; or

Alternatively, call NHS Digital on (0300) 303 5678; or visit the NHS Digital website for information about type 2 opt-outs.

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that Coastal West Sussex CCG holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act under FOIA. However you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.

How do I make a request for information?

Your request must be in writing and can be either posted or emailed to us as follows:

Post to:

The FOI Co-ordinator, Coastal West Sussex Clinical Commissioning Group
1 The Causeway, Goring-by-Sea West Sussex BN12 6BT

Or email to:

Freedom of Information Requests are managed by a team at South Central and West Commissioning Support Unit).

Further advice and information

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745


Visit the ICO website.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact:

  • Telephone: 01903 708400
  • Email:
  • Write: Comments and Complaints Team, NHS Coastal West Sussex CCG, 1 The Causeway, Goring-by-Sea, West Sussex, BN12 6BT