Fair Processing Notice


As an NHS organisation, Camden Clinical Commissioning Group (CCG) operate at a number of different levels in regards to processing personal data to support the commissioning, planning and paying for health services within the borough.

Within these pages we describe instances where Camden CCG is the “Data Controller”, for the purposes of the Data Protection Act 1998, and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

For commissioning purposes and to help us to model and plan services to best meet your future needs, Camden CCG has to understand the health, social and general wellbeing issues that our population in Camden are facing today. The only way that we can achieve this is by using information that your GP, your hospital (including Mental Health and community), local care providers or your social care services enter into your care record as well as some information that is provided via external public sources. This information may exist on paper or in electronic format and Camden CCG ensure that these are kept safe and secure in an appropriate way.

CCG Oversight

The Governing Body are supported by a number of key roles within the CCG led by the Senior Information Risk Owner, who is accountable to the Governing Body in regards to information risk management within the CCG and the Caldicott Guardian who advises the Governance Body on specific issues relating use of PCD. These roles supported by the Information Governance Manager and other key support roles have oversight of the handling of information within the CCG or by any support organisation we may commission / purchase services from.

  • Our SIRO is Ian Porter, Director of Corporate Services, North Central London CCGs
  • Our Caldicott Guardian is Dr Neel Gupta, Chair.

To contact these individuals please use the following generic enquiries email below.

Camden Clinical Commissioning Group
Stephenson House
75 Hampstead Road
t: 0203 688 1700 
e: CamdenCCG.IG@nhs.net

Key External Support

In addition to the work completed by the CCG, we also engage a number of key other groups / bodies to support the work we do. These are:

  • NHS Digital – throughout this document you will see reference to NHS Digital. This body are the national provider of information and data for commissioners such as our CCG.  NHS Digital has a legal basis (NHS Health and Social Care Act 2012 (and subsequent amendments, related acts) to collect personal confidential data
  • NEL - They provide administrative support for a number of CCG functions for several local CCGs.


While we have tried to make this notice as easy to read and understandable as possible we realise that some places will need to use technical / legal phrases and terms which will require specific clarification. See definitions here.

Why we collect information about you

In carrying out role and responsibilities as a commissioner of services for people working and living in Camden, it is essential that the CCG have an understanding of the health and social care needs of our community so as to ensure that appropriate services are correctly identified and made available across our responsible area. 

We do not however, need to have and use all the information that is available and provided. Where excessive data is identified, information is either removed or de-identified either in the DSCRO or ASH (see section four on this page) prior to being shared with the rest of the CCG for its use. 

We may keep your information in written format and/or in digital format and may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care conditions, usage of current services and also information such as outcomes of needs assessments.

How your information is used to help the wider NHS

Your information will be used to help assess the needs of the general population and support the CCG make informed decisions about the provision of future services.  Information can also be used to conduct health research and development and monitor NHS performance. 

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.  Anonymous statistical information may also be passed to organisation with a legitimate interest, including universities, community safety units and research institutions.

Why we keep your information confidential and safe

It is everyone's legal right to expect that information held and used about you is safe and secure, and is only used for the agreed purpose(s). 

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purpose(s) advised with consent given by the patient, unless there are other specific circumstances covered by the current UK and European legislation. 

Camden CCG take this responsibility very seriously and has ensured that it has robust and effective process and procedures in place to achieve this expectation for you and the information we hold and process about you. 

Supporting this approach, under various UK Legislation and NHS guidance and directions such as the Common Law Duty of Confidence and the NHS Confidentiality Code of Practice, all our staff are also required to protect your information, tell you of how your information will be used, and allow you to decide if and how your information can be shared.

Processing your personal data

Mechanisms for processing your data

The CCG process personal data for a number of reasons in various ways – these are outlined below:

  • For the purpose of internal operations, the CCG will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
  • For the purpose of direct patient care, the CCG will ensure that any information collected about is you is initially provided by you, and where any additional information is collected or used will be with your explicit consent to do the purpose.
  • For the provision of indirect care, and to maintain rules for use of information, the CCG uses a number of approved and secure services / systems to process information about you such as:
    - Data Services for Commissioners Regional Offices (DSCRO) – this is a regional secure service provided by NHS Digital via the NEL Commissioning Support Unit (NEL CSU). Further information can be found on the NHS Digital website
    - Accredited Safe Haven (ASH) – this is a local secure service within Camden CCG to receive Personal Confidential Data from various sources, and then able to share de-identified data for commissioning purposes. The process for accreditation was established and managed by the Health and Social Care Information Centre, where our ASH was one of the first to be accredited. 
    - Controlled Environment for Finance – this is another established group provide by NELCSU on behalf of NHS England to support Invoice Validation. This service was established under a Section 251 exemption of the Health and Social Care Act 2012 to allow commissioning organisations to validate invoices it received ensuring correct payments are identified and made on behalf of the CCG.

How we use the patient information that we collect

While in some cases, Camden CCG needs to be able to identify and individual (please see “What we use your information for”,. where we have no legal basis to see personal confidential data, we have in place a number of safeguards to prevent its staff from identifying individuals from the data that we receive either directly via our ASH, using “local flows” from services we commission in Camden or indirectly via the DSCRO using national flows from various NHS organisations as outlined in the previous section. 

Information from your health and social care records can be received into either the ASH or the DSCRO and any information that might allow others to identify you is removed. This means that no one can know:

  • Your name
  • Your exact date of birth – this is replaced with just the year of birth
  • Your postcode (is replaced with standard area called Lower Layer Super Output Area – the name reflects a national standard that is based on the total population and number of houses in an area)
  • They may also contain more sensitive information about your health and also information such as outcomes of needs assessments but these are mainly coded. 

Your NHS number, GP practice and treatment details are kept so that your information from each service can be linked together. This information provides the CCG a fuller picture of the health of people in Camden and the services required to support them to stay healthy.

We use this information to provide and improve health services. This data also enables us to target patients who may benefit from additional preventive care.

These uses are in line with the purposes outlined in our registration with the Information Commissioners Office and the reference number is ZA007805.

How is direct patient care defined?

The Caldicott Review in 2013 defined direct patient care as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society.

It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

What we use your information for

Analysis – Risk Stratification (Population Health Management)


Pseudonymised / Anonymised / Aggregate Data

Data Source

Primary / Secondary and Community

Legal Basis for use

Section 251 NHS Act 2006 -

Consent Option(s)

Implied Consent - Patients can ’opt out’ of their data being used by contacting their GP practice directly.


Patients that have opted out of use outside of the GP Practice or by NHS Digital for secondary purposes are excluded automatically.

Your information may be used to help assess the needs of the general population both on a local, regional and national level to help make informed decisions about the provision of future services.  Information can also be used to conduct health research and development, monitor NHS performance in order to allow the NHS plan for the future. 

As part of our planning and continuous development, Camden CCG will identify key areas to concentrate on concerning the health of Camden’s residents.  In these circumstances, the use of data will be reviewed to ensure that it is still within the same meaning of this publication and the reasons for collecting data. You can read about our current areas of focus at our “What We Do” section of the Camden CCG web site page.

Information provided by NHS Digital (via the DSCRO) and GP Services once collected is pseudonymised and linked together to provide a level of information that can be used to support population health management. This is used to support the CCG in planning and developing services that are key for the health of our patients such as ensuring they are sufficiently resourced and located in relevant areas.

Paying for services 


Pseudonymised / Anonymised


Secondary Care

Legal Basis for use

NHS Constitution (Health and Social Care Act 2012)

Consent Option

Implied Consent – arrived from agreement to use services.  No opt out is available

Other Data Processors

NHS Shared Business Services

NHS England

Where care is provided that the CCG is responsible for it will need to provide payment to the care provider.  See the rules for who pays. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP within the correct CCG is needed to make such payments. This is done in line with the NHS England "Who Pays - Invoice Validation" Guidance. 

Invoice validation


Personal Confidential Data (Sensitive) / Anonymised


Secondary Care / Commissioned Services

Legal Basis for use

NHS Care Act 2013

Consent Option

Sect 251 Exemption, Health and Social Care Act

CCGs and NHS England, which includes Commissioning Support Units, do not have a legal right to access personal confidential data (PCD) for the purpose of validating invoices. The invoice validation process supports the delivery of patient care across the NHS by: 

  • Ensuring that service providers are paid for the patient’s treatment appropriately.
  • Enabling services to be planned, commissioned, managed, and subjected to financial control, and enabling commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible.
  • Fulfilling commissioners’ duties of fiscal probity and scrutiny.
  • Enabling invoices to be challenged and disputes or discrepancies to be resolved more effectively and quickly.

Camden CCG commissioned the NEL CSU to provide the CEfF function for its organisation to reduce the level of personal identifiable data being provided to the CCG. This function continues to be operated as outlined in the Section 251 approved document.

Handling Continuing Healthcare (CHC) Applications


Personal Confidential Data (Sensitive)


Primary Care and Secondary Care

Legal Basis for use

Direct Care Provision

Consent Option

Explicit Consent

If you make an application for Continuing Healthcare (CHC) funding, Camden CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding.  If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. This process is nationally defined and we follow a standard process and use standard information collection tools to decide whether someone is eligible.  

Personal Health Budgets


Personal Confidential Data (Sensitive)


Primary Care and Secondary Care

Legal Basis for use

Direct Care Provision

Consent Option

Explicit Consent - withdraw can be made at any time but will impact on provision of services.

A personal health budget is an amount of money to support the identified healthcare and wellbeing needs of an individual, which is planned and agreed between the individual, or their representative, and the CCG. To support this process, Camden CCG will process personal confidential data including sensitive data to evaluate, agree and monitor any personal health budgets

Handling Individual Funding Requests (IFR) applications 


Personal Confidential Data (Sensitive)


Primary Care and Secondary Care

Legal Basis for use

Direct Care Provision

Consent Option

Explicit Consent – withdraw can be made at any time prior to submition of request.


If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, Camden CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. 

Supporting Medicines Management 


Personal Confidential Data (Sensitive)


Primary Care and Secondary Care

Legal Basis for use

Direct Care Provision

Consent Option

Explicit Consent – withdraw can be made at any time but will impact on provision of services

CCGs support local GP practices with prescribing queries which generally don’t require identifiable information.

Where specialist support is required, e.g., to order a drug that comes in solid form in gas or liquid the medicines management team will order this on behalf of a GP to support your care.



Personal Confidential Data (Sensitive)


Primary Care, Secondary Care and Community Care

Legal Basis for use

Care Act 2012

Consent Option


Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately.  Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. 

Find more information about the CCG involvement on our Safeguarding page. 

Integrated Urgent Care Service (IUC) - covering Out of Hours and NHS 111 services


Personal Confidential Data (Sensitive)


Primary Care, Secondary Care and Community Care

Legal Basis for use

Direct Care

Consent Option

Explicit Consent – consent

Relevant Parties Involved

LCW – Service Provider

CCG (Camden, Islington, Harringey, Barnet and Enfield)

Local Health Providers

NHS England

London Ambulance Services

The IUC service has been commissioned by the North Central London clinical commissioning groups.

Sharing information

In order for Camden CCG to perform its commissioning functions, information is shared from various organisations which include but not limited to: General practices, acute and mental health hospitals, other CCGs, community services, walk-in centres, nursing homes directly from service users and London Borough of Camden Social Care services.

Information Sharing With Other NHS Agencies and Non-NHS Organisations

As part of our commissioning function, we may share your information for health purposes and for your benefit with other organisations such as NHS England, NHS Trusts, General Practitioners, etc. We may also need to share information with our partner organisations. 

Information may also need to be shared with other non-NHS organisations, from which you are receiving care, such as The London Borough of CamdenCamden Community Health Services and other similar providers from which we commission services and goods. 

Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement in place and will not disclose any detailed health information without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk or where the law requires it or to carry out a statutory function. 

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births and infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.

 Our guiding principle is that we are holding your information in strictest confidence

 We may be asked to share basic information about you, such as your name and address which does not include sensitive information where the CCG holds such information. This would normally be to assist another organisation to carry out their own statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we will inform you through a Fair Processing Notice, under the Data Protection Act (such as this one). 

Camden CCG will publish and maintain a list of all active data sharing agreements including a summary of the purpose on its website.

Local Data Sharing Initiatives

In addition to those listed above, the CCG will occasionally engage in local projects / services that are considered to support delivery of care and support.

Our Local Sharing Project – Care Integrated Digital Record (CIDR)


Personal Confidential Data (Sensitive)


Primary Care, Secondary Care and Community Care

Legal Basis for use

Provision of Direct Care

Consent Option

Explicit Consent (based on registration at GP Practice).  Originally based on implied consent following patient engagement program in January 2014.

Relevant Parties

Camden CCG

London Borough of Camden (Adult Social Care)

University College London Hospital NHS Foundation Trust

Central and North West London Community Hospital

Camden and Islington Mental Health Trust

Royal Free London NHS Foundation Trust

Camden Primary Care Services (GP Practices)

Coordinate My Care (Royal Marsden NHS Foundation Trust)


Follow this link for more information on the Care Integrated Digital Record Project (CIDR). 

National Fraud Initiative



We are required by law to protect the public funds we administer. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.  The Cabinet Office is responsible for carrying out data matching exercises. 

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.  

We participate in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud – see guidance https://www.gov.uk/guidance/taking-part-in-national-fraud-initiative   

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR).  For further information on the reasons why it matches particular information, see https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text  

For further information on data matching at the North Central London Clinical Commissioning Group please contact Erin Sims, Counter Fraud Specialist, by emailing erin.sims@nhs.net .  Further information on how the NFI has assisted the NHS and other public sector organisations can also be found at https://www.gov.uk/government/publications/national-fraud-initiative-case-studies/nfi-public-sector-case-studies 

National Initiatives

If you would like to find out about what national initiatives may affect you, you can visit:

NHS England  

NHS Digital (formerly known as HSC IC) 

Coordinate My Care (CMC)        

Summary Care Record 

The Care Record Guarantee

Your right to withdraw / opt out

For most of the data processing that is carried out by Camden CCG, you have the right to withdraw your permission (consent) for us to use your information.  This can also be called opting out of data sharing. 

As the CCG use information from Primary care services primarily, you can opt out at any time by speaking to your GP practice reception but please do be clear about which scheme you want to opt-out of (The process is the same for many local data sharing, and national schemes).

For National Schemes - these include

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. 

Type 2 opt-outs

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice.

A direction from the Secretary of State sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital to apply type 2 opt-outs from 29 April 2016.  It was not possible for NHS Digital to honor type 2 opt-outs made before this date. 

This means that information may have been shared without respecting these opt-outs between January 2014 and April 2016. NHS Digital publishes registers of approved data releases showing where data has been released. 

When NHS Digital have collected information about your type 2 opt out from your GP practice we use that to create a record of all current type 2 opt outs. NHS Digital then use that record to check against any set of data that is to be made available by NHS Digital to another organisation (such as Camden CCG) and remove all of your personal confidential information if it is in that data set, before that data are made available. 

The direction sets out the scope of when your type 2 opt out does not apply such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.  For more information on how we collect and use opt-out information see Applying Type 2 Opt Outs

Accessing your information

Information about how to access information held by Camden CCG. 

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to NHS Camden CCG. 

We may charge a reasonable fee for the administration of the request, set down in law as follows:

  • If the information is only held electronically we may charge up to £10 for complying
  • If the information is only held wholly or partly in paper format we may charge up to £50 for complying.

This right of subject access means that you can make a request to any organisation processing your personal data. If you think that Camden CCG holds information about you and you would like access to it, please complete the Subject access request form.

To find out more about what a SAR is please contact:

Camden CCG
4th Floor
Stephenson House
75 Hampstead Road
London  NW1 2PL
You can also email CamdenCCG.IG@nhs.net 

Note: In order to deal with a SAR, Camden CCG will need to share information with the NEL Commissioning Support Unit (NEL CSU).