How we use your information

NHS Manchester Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services.

This is known as commissioning.  We need to use information about you to enable us to do this effectively, efficiently and safely.

What is this Privacy Notice about?

Our Privacy Notice provides a summary of how we use your information. Here, we’ll tell you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It is part of how we ensure we are open and transparent in the data processing activities we carry out in order to meet our commissioning obligations. It covers information we collect directly from you or receive from other individuals or organisations.

We will keep our privacy notice under regular review. This privacy notice was last reviewed in August 2020.

Our commitment to data privacy and confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 (Data Protection Legislation), the Common Law Duty of Confidentiality and the Human Rights Act 1998.

NHS Manchester CCG is a Data Controller under the terms of the Data Protection Legislation. We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is processed in compliance with the Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZA237023 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential

The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and support your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We only share information that identifies you when we have a fair and lawful basis

This includes:

  • for the purposes of the provision of health or social care or treatment or the management of health or social care systems
  • when we are lawfully able to for example in order to carry out our official functions as a CCG and in the public interest
  • when we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
  • to protect children and vulnerable adults
  • you have given us permission
  • when a formal court order has been served
  • emergency planning reasons such as for protecting the health and safety of others
  • when permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals.

In general the CCG will only rely on consent where it is clearly necessary in law.  Where we have a legal basis for sharing and using data without consent we will do so.  This notice informs individuals about their information is shared.

All information that we hold about you will be held securely and confidentially

We use administrative and technical controls to do this including strict procedures and encryption. We use strict controls to ensure that only authorised staff are able to see information that identifies you. This means a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. Our staff have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

We will only keep information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. When appropriate we will confidentially and securely dispose of information in accordance with the Code of Practice.

How each of our services uses your information

You can view the privacy notices for each of our services:

Overseas transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Your rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.

These rights are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object

Rights in relation to automated decision making and profiling

You have the right to privacy and to expect the NHS to keep your information confidential and secure.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Any individual has the right to register for a national data opt-out, to make such a request, please follow the link to the NHS Digital website. These are commitments set out in the NHS Constitution.

You can contact us if you have any questions or concerns about your data protection rights. We’ll discuss alternative arrangements you can make and explain the consequences.

There is profiling, see Risk Stratification below involved there is no automated decision making, no decision is taken about any individual without a ‘human view’ of the information.

Your right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’.

There are several forms of opt-outs available at different levels:

Type 1 opt-out

If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.

National data opt-out

The national data opt-out was introduced on 25 May 2018 and replaces the previous ‘type 2’ opt-out. NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. The new programme provides a facility for individuals to opt-out from the use of their data for research or planning purposes. For anyone who had an existing type 2 opt-out, it will have been automatically converted to a national data opt-out from 25 May 2018 and will receive a letter giving them more information and a leaflet explaining the new national data opt-out. The national data opt-out choice can be viewed or changed at any time by using an online service.

There are some circumstances where there is a legal obligation for us to process your personal confidential information and you will not be able to opt-out. These include:

  • to protect children and vulnerable adults
  • when a formal court order has been served upon us
  • when we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
  • emergency planning reasons such as for protecting the health and safety of others
  • when permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals

Complaints and suggestions

We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures. Please see our Customer Services page for more information.

Manchester CCGs Data Protection Officer is Shavarnah Purves who can be contacted by email at

You can contact the Information Commissioner’s Office (ICO) for independent advice about data protection, privacy and data-sharing issues.

Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Phone: 08456 30 60 60 or 01625 54 57 45

Subject access requests

Individuals can find out if we hold any personal information by making a subject access request under the Data Protection legislation. If we do hold information about you we will:

  • confirm that we are processing your personal data
  • provide a copy of your personal information
  • provide additional information, such as the reason why we hold your information, who we may have shared information with, how long we hold information.

If you would like to receive a copy of information we hold about you your request should be made in writing by post or email to:

NHS Manchester CCG, Information Governance Department, Second Floor, Parkway 3, Parkway Business Centre, Princess Road, Manchester, M14 7LU


Confidentiality advice and support

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of service user and service user information, as well as enabling appropriate and lawful information-sharing.

The contact detail of our Caldicott Guardian is as follows:
Dr Manisha Kumar (Medical Director) Tel: 0161 225 6699

Personal information we collect and hold

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to provide funding for Continuing Healthcare services
  • if you are using our referral support service
  • if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user groups.

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you, or from health professionals and other staff directly involved in your care and treatment.

Our records may be held on paper or in a computer system. The types of information that we may collect and use include:

Personal data: is defined in Data Protection Legislation as data or information about a living person, which also identifies that person or allows that person to be identified when combined with other information held by the organisation. Identifying information includes name, address, date of birth, postcode and NHS number.

Special Category Data: is defined in Data Protection Legislation as information about an identifiable individual’s: race, ethnic origin. Politics, religion, trade union membership, genetics, biometrics, health, sex life, sexual orientation. Criminal offence data will also be included.

Confidential Information: including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ this also includes ‘special category data’ as defined in the Data Protection Legislation.

Personal Confidential Data: may include your name, address, postcode, date of birth and NHS number; information about your appointments and clinic visits; reports and notes about your health, treatment and care; relevant information about people who care for you, such as next-of-kin and other health professionals.

Pseudonymised Information: this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.

Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification.

The data used may relate to Primary or Secondary care. Primary Care data relates to primary care services such as GPs, pharmacists and dentists, including military health services and some specialised services.

Secondary care services include planned hospital care, rehabilitative care, urgent and emergency care community health services, mental health services and learning disability services.