Home » Privacy Notice

Privacy Notice


What is a Privacy Notice?

A Privacy Notice is a statement to patients, service users, visitors, carers, the public, and staff on how we collect, use, store, share, and delete the personal information that we use.  Privacy Notices are also known as a Privacy Statement, Fair Processing Statement, or Privacy Policy.
This Privacy Notice is part of our commitment to ensure that we process personal information/data fairly and lawfully.

Data Controller

NHS Tameside and Glossop Clinical Commissioning Group is named as the controller of the personal information.
We are registered with the Information Commissioner with the registration number ZA007036

The CCG’s Data Protection Officer:

The Data Protection Officer’s role is to ensure that the personal data used within the Organisation is used responsibly, safely, and within the data protection laws.
The CCG’s Data Protection Officer is Sandra Stewart, Director of Governance and Pensions at TMBC. Her contact email address is Sandra.Stewart@tameside.gov.uk

What is personal data and how is it collected?

Personal data is information that relates to a living individual who can be identified from that data.

These may include:

  • Demographic information such as name, address, date of birth, telephone numbers, and next of kin
  • Details and records of treatment and care including medical notes, letters between different care providers, letters to your GP, letters to the patient, and reports on the patient’s health
  • Information from people who care for you and know you well such as health professionals and relatives.
We may also have information that is classed as ‘personal sensitive’ such as sexuality, race, your religion or beliefs, and whether you have a disabilities, allergies, or health conditions.
This information is collected in a number of different ways such as via your healthcare professional, referral information provided by for GP, or directly given by you.
We also collect surveillance images/video for the prevention and detection of crime.

How we use your information

  • To help inform decisions that we make about your care
  • To ensure that your treatment is safe and effective
  • To work effectively with other organisations who may be involved in your care
  • To support the health of the general public
  • To review care provided to ensure it is of the highest standard possible
  • To train healthcare professionals
  • For research and audit purposes
  • To prepare statistics on NHS performance
  • To monitor how we spend public money. 

Additionally we use the information to:

  • Improve individual care
  • Understand more about disease risks and causes
  • Plan services
  • Improve patient safety
  • Evaluate Government, NHS, and Social Care policy. 
    It helps you because:
  • Accurate and up-to-date information assists us in providing you with the best possible care. 
    Where possible, when using information to inform future services and provision, non-identifiable information will be used.

Who do we share your information with?

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as when either your or somebody else’s health and safety is at risk; or the law requires us to pass on information.
We use the following lawful basis for direct care when processing your information:
  • Common Law Duty of Confidence
  • Health & Social Care Act, section 251 [b]
  • General Data Protection Regulation, article 6 [1] [e]
  • General Data Protection Regulation, article 9 [2] [h]
Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information.
You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital websites:
We use the following lawful bases for indirect care when processing your information:
Clinical Commissioning Group/commissioning and planning purposes
  • Common Law Duty of Confidence
  • Control of Patient Information Regulations 2002
  • General Data Protection Regulation, article 6 [1] [c]
  • General Data Protection Regulation, article 9 [2] [h]. 

Staff information

We process information on staff members in order to fulfil a contract of employment; the information is protected the same as patient information.
The lawful basis for processing the information related to staff is:
  • General Data Protection Regulation, article 6 [1] [e]
  • General Data Protection Regulation, article 9 [2] [b]
  • Data Protection Act 2018, article 10
  • Safeguarding Vulnerable Groups Act 2006 (DBS). 

Transferring information

We only transfer information with companies whose purposes for processing match ours.  It is very rare that personal information is processed outside of the NHS.  
No personal information is sent outside of the European Union.

How we protect your information?

It is important that we keep your information safe and secure  To do this we restrict access using technology.
Everyone working for the CCG is subject to the Common Law Duty of Confidentiality and the General Data Protection Regulation (2016).  Information provided in confidence will only be used for matters relating to your care provision unless there are other circumstances in which case we will ask for your consent.
Under the NHS Confidentiality Code of Conduct all staff are required to protect your information.  All staff are required to undertake annual training in data protection, information governance, and confidentiality.
We store your data securely and use the NHS Retention Schedule to determine how long we keep these records.  The length of time for retention is determined on the type and format of the record. 
The retention schedule is accessible at the following link: https://www.nhsbsa.nhs.uk/sites/default/files/2017-05/records-management-retention-schedule.xls

Your rights under the General Data Protection Regulation (2016) and Data Protection Act 2018

The Data Protection Act (1998) has been replaced by new data protection laws called the General Data Protection Regulation (GDPR) 2016 and Data Protection Act 2018. 
These laws are very similar to the old Data Protection Act (1998), with additional rights for the data subject. 
These rights are:
  • Right of access by the data subject (GDPR Art. 15), often called a Subject Access Request – SAR). You have the right to receive the personal data concerning you in a commonly used electronic format for no charge.  We are required to complete this request within a calendar month.  Additional copies of notes may incur a fee.
  • The right to rectification (GDPR Art. 16). You have the right for your personal information to be changed if it is found to be incorrect.   
  • This, for instance, could be because of inaccurate personal data, how a name is spelt, to change your next of kin details, or a new address.
  • The right to restriction of processing (GDPR Art. 18). You have the right to restrict how data relating to you is collected, used, and stored.
  • The right to data portability (GDPR Art. 20), this is closely linked with Art. 15, the Right of Access to the Data Subject.  You have the right to receive the personal data concerning yourself in a commonly used electronic format for no charge.  
  • The right to object (GDPR Art. 21), under the General Data Protection Regulation you have the right to object to us processing your information. 
If we change any of your information due to a request from you, we will contact you and tell you what we have changed.  

In some cases upholding the rights to objection, rectification, and the restriction of data may affect our ability to address your concerns or complaints.
We may refuse to uphold the request. There is the provision for this in the regulations subject to specific restrictions. If this is the case we will inform you without undue delay, and within one month of the request. 
We will tell you:
  • The reason why we are not taking action
  • Your right to complain to the Information Commissioner’s Office
  • Your right to enforce the right via legal means. 
If you require access to the details we hold about you  will need to make a written request to:
Customer Care Team
NHS Tameside and Glossop Clinical Commissioning Group,
Dukinfield Town Hall,
King Street,
SK16 4LA
Tel: 0161 342 5608
Email TGCCG.customercare@nhs.net
The CCG can only provide access to the information it holds. Therefore, for example, to see the records held by your GP you will have to contact your GP surgery.

If something goes wrong

We take confidentiality very seriously. Should something go wrong and your data be compromised we will contact you, and the Information Commissioner’s Office to inform you both of the breach. 
If the incident is part of a wider breach and it is impossible to inform all those affected personally we will contact the media news outlets to inform people of the data breach

Contacting us / Raising a concern

If you would like to contact us regarding any concerns about your care or treatment, or that of a relative, we need to know as soon as possible so we can take action to improve the situation.
Please contact:
Customer Care Team
NHS Tameside and Glossop Clinical Commissioning Group,
Dukinfield Town Hall,
King Street,
SK16 4LA
Tel: 0161 342 5608
Email TGCCG.customercare@nhs.net

Information Commissioner’s Office

The General Data Protection Regulation 2016 requires the CCG to lodge a notification with the Information Commissioner to describe the purposes for which we process information.
The details are publicly available from the Information Commissioner’s Office:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Telephone: 01624 545 745
Website www.ico.gov.uk
Twitter @ICOnews