Who we are

NHS Tameside and Glossop Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.

For further information please refer to the ‘who we are’ page on our website. This is available at http://www.tamesideandglossopccg.org/about-us/who-we-are-and-what-we-do .

What is this Privacy Notice about?

This Privacy Notice is part of our programme to make transparent the data processing activities we are carrying out in order to deliver on our commissioning activities.

This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It covers information we collect directly from you or receive from other individuals or organisations.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to this email address – TGCCG.customercare@nhs.net or by post to:

Tameside One,
Market Place,
Ashton Under Lyne,

Reviews of and Changes to our Privacy Notice

We will keep our privacy notice under regular review. This privacy notice was last reviewed in February 2019.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality, the Human Rights Act 1998 And General Data Protection Regulation (GDPR).

NHS Tameside and Glossop CCG is a Data Controller under data protection law we are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you is done in compliance with the 8 Data Protection Principles as set out in Article 5 under GDPR and Data Protection 2018.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZA007036 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals;
  • and/or when we are lawfully required to report certain information to the appropriate authorities such as to prevent fraud or a serious crime or to protect the health and safety of others.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.

Overseas Transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Your Rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.

You have the right to privacy and to expect the NHS to keep your information confidential and secure.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.

These are commitments set out in the NHS Constitution, for further information please visit


You have the right to withdraw consent to us sharing your personal information if you do not wish us to process or share your information

If you do not agree to certain information being processed or shared with us or by us, or have any concerns then please let us know. We may need to explain the possible

impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.

You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact the Customer Care Manager on 0161 304 5307.

What is the patient opt-out?

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".

There are several forms of opt- outs available at different levels. These include for example:

A. Information directly collected by the CCG:

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation.

B. Information not directly collected by the CCG, but collected by organisations that provide NHS services.


Type 1 opt-out

If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Records for patients who have registered a type 1 opt-out will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.

National data opt-out

National data opt-out. The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

By 2020 all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS Digital has been applying national data opt-outs since 25 May 2018. Public Health England has been applying national data opt-outs since September 2018.

The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out. For more information go to National data opt out programme https://digital.nhs.uk/services/national-data-opt-out-programme


Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

Subject Access Requests

Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Let you have a copy of the information in an intelligible form.

To make a request to any personal information we may hold you need to put the request in writing to our contact address provided further below.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting us at the contact address further below.

Confidentiality Advice and Support

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing.

The contact detail of our Caldicott Guardian is as follows:

Ms Gill Gibson Director Of Quality and Safeguarding and Caldicott Guardian Email: Gill.gibson@nhs.net Telephone number: 0161 342 5611 (personal assistant)

They are supported by another senior member of staff who is responsible for information risk and information security, this person is called the Senior Risk Owner (SIRO). The contact details of our SIRO are as follows:

Kathy Roe- Director Of Finance

Tel:0161 342 5609 (personal assistant)

Email: Kathy.roe@nhs.net

The CCG also have a Data Protection Officer (DPO) who is responsible for monitoring compliance data protection legislations, information governance policies, providing advice and guidance, raising awareness, training and audits. The DPO acts as a contact point for the ICO, employees and the public. They co-operate with the ICO and will consult on any other matter relevant to Data Protection. The contact details of our DPO are follows:

Tel: 0161 342 8355

Email: information.governance@tameside.gov.uk

Personal Information we collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to provide funding for Continuing Healthcare services
  • if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care.
  • if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user participation groups

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. 0

Our records maybe held on paper or in a computer system. The types of information that we may collect and use include the following:

Personal Confidential Data: This term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this guide ‘personal’ includes the DPA definition of personal data, but it is adapted to include dead as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act. Used interchangeably with ‘confidential’ in this document.

Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.

Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification (identification is not likely to take place).



Our Uses of Information

Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information:

Purpose Activity



To process your personal information if it relates to a complaint where you have asked for our help or involvement.

Legal Basis

We will need to rely on your explicit consent to undertake such activities.

Complaint Processing Activities

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

We will publish service user stories, following upheld complaints, anonymously via our governing body. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and


carer or both before we publish the service user story.

Funding treatments


We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

This may be called an “Individual Funding Request” (IFR).

Legal Basis

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.

Legal Basis

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.


We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Legal Basis

Because of public Interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this Use

Risk stratification

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Legal Basis

GDPR Art. 6(1) and Art.9 (2) (h). The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of


the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2020 NHS England Risk Stratification which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

Commissioning Benefits

Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Data Processing activities for Risk Stratification

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.

The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

The service provider that is for our data processor for Risk Stratification purposes is the NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU).

The CCG has commissioned NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU) to conduct risk stratification on behalf of itself and its GP practices.


This processing for risk stratification takes place under contract with the NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU), following these steps below:

 The CCG has asked the HSCIC to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and has signed an HSCIC data sharing contract for the SUS data.
 Your GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number for those patients that have not objected to Risk Stratification or there is no Type 1 objection made by the Patient. The data, containing the same verified NHS numbers, are sent via secure transfer, directly into the landing stage of the NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU) system.
 Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and the HSCIC. No identifiable data of any patient is seen by NHS Tameside & Glossop CCG staff in doing this.
 NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU) has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient.

The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.


Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

Invoice Validation

A small amount of information that could identify you is used within a special secure area within the commissioning environment, known as a Controlled Environment for Finance (CefF), so that the organisations that have provided care for you can be paid.


The process ensures that those who provide you with care and treatment are reimbursed correctly for this.

Legal Basis

GDPR Art. 6(1) and Art.9 (2) (h). Tameside and Glossop CCG is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables us to process patient identifiable information without consent for the purposes of invoice validation – CAG 7-07(a)(b)(c)/2013. and this approval has been extended to the end of September 2020 NHS England Invoice Validation which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for invoice validation purposes which sets aside the duty of confidentiality. We are committed to conducting invoice validation effectively, in ways that are consistent with the laws that protect your confidentiality.

Commissioning Benefits

Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may design a service where the payment is all or partly based on the providers ensuring the service user has a healthy outcome. In such instances, we your personal confidential data to ensure that we are paying the right amount for the right services to the right people.

Processing Activities

We have a signed Controlled Environment for Finance assurance


statement which we submitted to NHS England.

The Invoice validation process involves using your NHS number and occasionally your postcode or date of birth to establish which NHS organisation is responsible for paying for your treatment.

The minimum amount of information about you is used.

We conduct this in our Controlled Environments for Finance.

All invoices received through this service are stored securely within the Controlled Environment for Finance and are accessible only to authorised team members.

The requirements which they comply with, within the Controlled Environment for Finance to protect your privacy, can be found on the NHS England website.

Further information about invoice validation may found at:


Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.


Legal Basis

We will rely on your consent for this purpose



Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.



To collect NHS data about service users that we are responsible for.

Legal Basis

Our legal basis for collecting and processing information for this purpose is statutory.



Processing Activities

Hospitals and community organisations that provide NHS-funded care must submit certain information to the Health and Social Care Information Centre (HSCIC) about services provided to our service users.

This information is generally known as commissioning datasets. The CCG obtains these datasets from the HSCIC and they relate to service users registered with GP Practices that are members of the CCG.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population and to gain evidence that will improve health and care through research.

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the HSCIC website .

More information about how this data is collected and used by the Health and Social Care Information Centre (HSCIC) is available on their website http://www.hscic.gov.uk/patientconf

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use this datasets for a number of purposes such as:

 Performance managing contracts;
 Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
 To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
 To help us plan future services to ensure they continue to meet our local population needs;
 To reconcile claims for payments for services received in your GP Practice;
 To audit NHS accounts and services;

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

For Other organisations to provide support services for us

This often involves those organisations processing data on our behalf, for example we use a Commissioning Support Unit to deliver the Continuing Healthcare service for our service users.

Legal Basis

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.

These organisations are known as “data processors”.

Below are details of our data processors and the function that they carry out on our behalf:

 NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU) – Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, Continuing Healthcare, Individual Funding Requests, Medicines Optimisation, HR
 PHS Records Management – Archiving of Records
 360 Assurance – Internal Audit related purposes
 NHSLA – Claims Management
 SaicaNatur - The CCG’s Confidential Waste Disposal Company
 The Greater Manchester Shared Service receives pseudonymised data on behalf of the CCG
 Details of additional data processors can be found at the end of this document in appendix 1
 Shared Business Service –Staff Payroll



These organisations are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose

National Registries


National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.



To support research oriented proposals and activities in our commissioning system

Legal Basis

Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or


studies purely using information from medical records.

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let you GP Practice know. They will add a code to your records that will stop you information from being used for research.

Appendix 1: Data Processors

The CCG uses the services of additional data processors which provide additional expertise to support the work of the CCG by adding value to the analyses of data that does not directly identify individuals. The details of these additional data processors are as follows.

CCG Name

Additional Data Processor (DARS submitted)

Data Processors

NHS Tameside and Glossop CCG

1. A&G '2. GMSS (Oldham CCG) '3. AQuA (Salford Royal) '4. UM (Greater Manchester Academic Health Science Network)

Data Processor 1 'NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU) St John’s House, East Street, Leicester, LE1 6NB Data Processor 2 NHS Oldham CCG hosting: Greater Manchester Shared Services Ellen House, Waddington Street, Oldham, OL9 6EE Data Processor 3 Salford Royal NHS Foundation Trust hosting: Advancing Quality Alliance (AQuA), 3rd Floor, Crossgate House, Cross St, Sale, M33 7FT Data Processor 4 North West Utilisation Management Unit Greater Manchester Academic Health Science Network Suite C Third Floor Citylabs Nelson Street Manchester, M13 9NQ


If you have any questions or concerns regarding how we use your information, please contact us at:



NHS Tameside and Glossop Clinical Commissioning Group (CCG)
Tameside One,
Market Place,
Ashton Under Lyne,

Tel: 0161 342 5500

Email: TGCCG.customercare@nhs.net


For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner

Wycliffe House, Water Lane,


Cheshire, SK9 5AF.

Phone: 08456 30 60 60 or 01625 54 57 45

Website: www.ico.gov.uk


Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in: