Welcome to our website


Ipswich and East Suffolk CCG - Privacy Notice

The purpose of this notice is to inform you of the type of information (including personal information) that the Clinical Commissioning Group (CCG) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.

This privacy statement only covers NHS Ipswich & East Suffolk CCG and does not cover any other organisations or organisations that can be linked to from this site.

The CCG has a duty to ensure that your personal confidential data is kept confidential, secure and used appropriately.


NHS Ipswich and East Suffolk Clinical Commissioning Group (CCG)
Endeavour House
8 Russell Road

Information Commissioners Office registration number: Z3612955

Data Protection Officer Paul Cook (IG) – email: iesccg​.dpo​@nhs​.net 

NHS Ipswich and East Suffolk CCG are responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012.

Clinical Commissioning Groups are overseen by NHS England, all GP practices now belong to a CCG, and together they are responsible for commissioning most health and care services for the local community, for example hospital services, nursing in the community and mental health services. NHS Ipswich and East Suffolk CCG is made up of the 40 GP practices that are based in the Ipswich and East Suffolk area.

The CCG also manages the performance of services that it commissions to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about those services.

As a Clinical Commissioning Group we have many other functions, but these do not generally need data that may identify a person.


For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual does not come under the Data Protection Act 2018. There are different types of information collected and used across the NHS.

We use six types of information/data:

1.      Anonymised data, which is data about you but from which you cannot be personally identified;

2.      De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;

3.      De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times whereby you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;

4.      Anonymised information (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment.

5.      Personal data from which you can be personally identified; and

6.      Sensitive information/data about you from which you can be identified.

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose which will mean you would not be able to be identified from that information. Examples of this include:

  • Evaluation and review of services such as checking their quality and efficiency
  • Checking NHS accounts and services
  • Working out what illnesses people will have in the future so that we can work with the local primary care services, community services and hospital services to make sure that patient needs are met
  • Preparing performance reports about the services we commission
  • Reviewing the care we commission to make sure it is of the highest standard.

We will only use information that may identify you (known also as personal confidential data) in accordance with the: Data Protection Act 2018 – The Data Protection Act requires us to have a legal basis if we wish to process any personal information.

NHS Care Record Guarantee – sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made and investigating and managing inappropriate access (audit trails)

NHS Constitution for England – this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.

Caldicott Principles – sets out a number of general principles that health and social care organisations should use when reviewing its use of patient information.  All staff are expected to follow these principles to ensure that information is protected and only shared in the best interests of their patients.

A Duty of Confidence

We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.

Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, because of our assigned responsibilities where we do hold and use personal information. In order to process that information we will have met a legal requirement, in general this is where we have complied with one of the following:

  • The information is necessary for facilitating direct healthcare for patients (GDPR Article 6 (1)(e), Article 9 (2)(h))
  • We have received consent from individuals to be able to use their information for a specific purpose (GDPR Article 6 (1)(a))
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime (GDPR Article 6 (1)(e), Article 9 (2)(g))
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order) (GDPR Article 6 (1)(c))
  • We have special permission for health purposes (granted by the Health Research Authority Section 251)
  • For the health and safety of others, for example to report an infectious disease such as meningitis or measles (GDPR Article 6 (1)(e), Article 9 (2)(i))

Circumstances where we might need to use personal information

The areas where we use personal information are:

  • Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS
  • Continuing Healthcare Assessments (a package of care for those with complex medical needs)
  • The Medicines Management team work closely with the GP practices to support effective prescribing
  • Responding to your queries, concerns or complaints
  • Incident investigations
  • Assessment and evaluation of safeguarding concerns for individuals
  • If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations

For all of the above you are under a statutory obligation to provide personal data, apart from complaints and as a member of a PPG where the information is provided under consent.

We keep your information in written form and / or on a computer securely and confidentially.

The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation.

Our organisation uses Microsoft Teams to communicate and share files internally. Through working for a related organisation, if you are given the option to be added as a guest to our tenancy, please be aware that we will be able to read your name, email address and photo (if you have one connected to your account).


Patient Related Information:

Your information may be used to help assess the needs of the general population both on a local and national level to help make informed decisions about the provision of future services. Information may be used to conduct health research and development, public health activities and to monitor NHS performance in order to allow the NHS to plan for the future.  Only anonymised or pseudonymised information will be used for this purpose.

Pseudonymisation is a technical process that replaces identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.

Data may be linked and de-identified so that it can be used to improve health care and development and monitor NHS performance.  For example linking those who receive Home Care and District Nurses, to understand how we might improve the patient’s experience.  This is often referred to as a ‘secondary use’ of data.  Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

Risk Stratification

Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes.  This is called risk stratification for case-finding.

The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services.  This is called risk stratification for commissioning.  The CCG does not have access to your personal data.  The information is pseudonymised.

Financial Validation

Where care is provided and the CCG is responsible for it, we will need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP Practice within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England.

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine.  This will be performed in a secure environment and will be carried out by a limited number of authorised staff.  These activities and all identifiable information will remain with the Controlled Environment for Finance approved by NHS England.

The legal basis for data flows (Section 251 of the NHS Act 2006)

The Secretary of State for Health gives limited permission for the CCG (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.

This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.

This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.

Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.

More information about Section 251 is available from the Health Research Authority web site.

Digital Ethics Charter

Ipswich & East CCG are now part of the Digital Ethics Charter. The Digital Ethics Charter is a set of common principles that digital professionals and those working with "technology for public use" can adhere to. If you sign up, you are pledging your support for promoting the rights of the people and organisations you serve. This charter has been developed by digital leaders in the public sector.

To see their Privacy Notice go to www​.ethicscharter​.co​.uk


The CCG now offers a free Data Protection Officer Service to the GPs in Ipswich & East Suffolk. This means that the CCG supports with all things relating to data protection. The General Practices that the CCG is DPO for are:

  • Barham & Claydon Surgery 
  • Bildeston Health Centre 
  • Constable Country Rural Medical Practice 
  • Drs Solway & Mallick 
  • Eye Health Centre 
  • Fressingfield Medical Centre 
  • Hadleigh Health Centre 
  • Holbrook & Shotley Practice  
  • Little St Johns Street Surgery 
  • Needham Market Country Practice 
  • Orchard Medical Practice 
  • Peninsula Practice 
  • Ravenswood Medical Practice 
  • Two Rivers Medical Centre 
  • Wickham Market Medical Centre
We also act as DPO for Suffolk Primary Care. 


The law provides some NHS bodies, particularly the Health and Social Care Information Centre, with ways of collecting and using patient data that cannot identify individuals. This helps Commissioners such as the CCG, to design and procure the combination of services that best suit the population they serve.

Data may be linked and de-identified by these special bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

From time to time the CCG may collect information about you in order to perform its duties or answer queries, enquiries or complaints you have raised and it applies to:

  • Visitors to our website
  • Complainants and other individuals
  • People who use the CCG’s services
  • Staff of the CCG

Visitors to our website

When someone visits the CCG’s website http:/​​/​​www​​.ipswichandeastsuffolkccg​​.nhs​​.uk/​​  information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in such a way that does not identify people who have visited our websites.

From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.

By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.


We work with a number of other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We contract with other organisations to provide a range of services to us such as IT services, Payroll and other support service. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.

We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Current external data processors:

Data Services for Commissioners Regional Offices (DSCRO) this is a regional secure service provided to the CCG by NHS Digital via North of England Commissioning Support Unit (NECSU).

Information may also be required to be shared for your benefit with other non NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation such as;

In the event that we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.

The CCG is party to a number of information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to social services, education services, local authorities, police, and public health.


All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption and information is transferred safely and securely. 

The CCG does not transfer personal confidential information overseas.

Under the Data Protection Act 2018, the CCG is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.

The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The CCG will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and or required to by law. 

Subject to some legal exceptions, you have the right to:

  • request a copy of the personal information the CCG holds about you;
  • to have any inaccuracies corrected;
  • to have your personal data erased;
  • to place a restriction on our processing of your data;
  • to object to processing; and
  • to request your data to be ported (data portability).

On some occasions we will be processing your information with your consent. For example, the complaints team need your consent. You have the right to withdraw your consent at any time. To do this either let the individual you are working with know or email iesccg.dpo@nhs.net

To learn more about these rights please see the ICO website.

If you are dissatisfied with our response you can complain to the Information Commissioner's Office

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113 (local rate) or 01625 545 745 


Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.

We do not use automated decision making for anything within the Clinical Commissioning Group.


Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.

How your data is used

Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital.  It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.

Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.

You have a choice

You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.

Will choosing this opt-out affect your care and treatment?

No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What do you need to do?

If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.

To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www​.nhs​.uk/​your-nhs-data-matters


There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care which determines the length of time records should be kept​​.

NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so has been determined and received from the Data Controller. 


If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.


If you have any questions regarding the information we hold about you or you believe the CCG has not complied with the Data Protection Act 2018 in the way we have processed your personal information, you have the right to make a complaint by contacting:

Data Protection Officer Paul COOK (IG) at Email: iesccg​.dpo​@nhs​.net

In order to investigate your complaint we will need to process the information you provide us with along with other information we may already hold about you which is relevant to your complaint.  If as part of investigating your complaint we need to share some information about you with a health or social care provider, we will ask for your permission to do so.

The record of your complaint will be retained in line with the Records Management Code of Practice for Health and Social Care.

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


Select font size
Site colour