Privacy Notice

What is a privacy notice?

The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

What we use your information for – Please select the information that is relevant to you from the list below for full details on how your information is used.

How we use information about you

Haringey Clinical Commissioning Group (CCG) is responsible for planning and buying (also known as ‘commissioning’) health services from healthcare providers such as hospitals, as well as directly providing some health services such as continuing healthcare, Personal Health Budgets and Individual Funding Requests.

We are a membership body made up of all GP practices in Haringey.  We do not provide healthcare services like a GP practice or hospital. Our role is to make sure the appropriate NHS care is in place for the people of Haringey within our available budget.

As an NHS organisation, Haringey CCG operates at a number of different levels in regards to the processing of personal data. We act as a Data Controller primarily for the management of data relating to our employees and those working on behalf of or with our organisation and also covering some NHS patient provider functions. 

Haringey CCG may collect information about you which helps us to respond to your queries and help us to design services to improve the health needs and outcomes of local people.

Why we collect information about you

In carrying out our role and responsibilities as a commissioner of services for people living in Haringey, it is essential that the CCG has an understanding of the health and social care needs of our community.  The only way that we can achieve this is by using information that your GP, your clinician or your social worker has entered into your care record, as well as some information that is provided via external public sources such, as hospitals and the London Borough of Haringey. This information may exist on paper or in electronic format and Haringey CCG ensures that these are kept safe and secure in an appropriate way.

We do not however, need to have and use all the information that is provided.  Where this is identified, information is de-identified by the Data Services for Commissioners Regional Offices (DSCRO) prior to being shared with the rest of the CCG for its use. (For further explanation, see section below on mechanisms for processing your data).

We may keep your information in written form and / or in digital form. The records may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments.

How the NHS and care services use your information

This relates to NHS Barnet, Enfield, Camden, Islington and Haringey Clinical Commissioning Groups, (hereafter NCL CCGs) which are a group of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will
• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is currently’ compliant with the national data opt-out policy.

CCG oversight and responsibility

The Haringey CCG Governing Body is supported by a number of key roles within the CCG led by the Senior Information Risk Owner, who is accountable to the Governing Body for information risk management within the CCG; The Caldicott Guardian who advises the Governing Body on specific issues relating to the use of patient confidential data and the Data Protection Officer who provide advice and support to the CCG on Data Protection compliance and monitoring obligation These roles have oversight of the handling of information within the CCG or by any support organisations we may buy services from.

The Senior Information Risk Officer for the CCG is Karl Thompson, Senior Head of Corporate Services NCL CCGs. Email address:

The Caldicott Guardian for the CCG is Dominic Roberts, Clinical Director, Islington CCG. Email address:

The Data Protection Officer for the CCG is Dayo Adebari, Information Governance & FOI Manager, NCL CCGs. Email

NELprovides administrative support for a number of CCG functions. You can visit their website for further information here.

Definition questions                                                        

To help you in reading this information, the following definitions have been used in this notification and across the CCG. 

Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or confidential and includes dead as well as living people.

The review interpreted 'personal' as including the Data Protection Act definition of personal data, but included data relating to deceased as well as living people, and 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is adapted to include 'sensitive' as defined in the Data Protection Act.

Examples of identifiable data are:

  • name
  • address
  • postcode
  • date of birth
  • NHS number

As per the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and defined by the Information Commissioner's Office. Personal data means data which relate to a living individual who can be identified:

(a) From those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data is different from personal data. Sensitive personal data means personal data consisting of information as to:

(a) the racial or ethnic origin of the data subject,
(b) their political opinions,
(c) their religious beliefs or other beliefs of a similar nature,
(d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) their physical or mental health or condition,
(f) their sexual life,
(g) the commission or alleged commission of any offence,
(h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings

Secondary care data is information we have obtained from local hospitals, other care providers and other external public sources.

Primary care data is information that is provided by your GP surgery and other community service providers.

The Caldicott Review defined direct patient care as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals.

It includes supporting individuals' ability to function and improve their participation in life and society.

It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

Indirect patient care is defined by the Caldicott Review as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.

A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

A person who has expert knowledge of data protection law and practice. This person report to the highest management level of the organisation. The DPO, advice the organisation on Data Protection compliance and monitoring.

Data Services for Commissioners Regional Offices is a regional secure service provided by the Health and Social Care Information Centre (NHS Digital) to process information for NHS organisations. For more information please visit the Health and Social Care Information Centre (NHS Digital).

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.  Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

Haringey CCG processes personal data for a number of reasons and in various ways. These are outlined below:

  • For the purpose of internal operations, Haringey CCG will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
  • For the purpose of direct patient care, Haringey CCG will ensure that any information collected about you is initially provided by you and where any additional information is collected or used this will be with your explicit consent.
  • For the provision of indirect care and to maintain rules for use of information,HaringeyCCG uses a number of approved and secure services / systems to process information about you such as: 
    • Data Services for Commissioners Regional Offices – this is a regional secure service provided by the Health and Social Care Information Centre via the North and East London (NEL). Further information can be found on the Health and Social Care Information Centre (NHS Digital) website.
    • Controlled Environment for Finance (CEfF) – this is another established group provided by the North and East London Commissioning Support Unit (NELCSU) on behalf of NHS England to support invoice validation. This service was established under a Section 251 exemption of the Health and Social Care Act 2012 to allow commissioning organisations to validate invoices it received ensuring correct payments are identified and made on behalf of Haringey CCG.

Last updated: 24/03/2020