NHS Stockport Clinical Commission Group Privacy Notice

Covid-19 and Your Information

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available below.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information.  This includes National Data Opt-outs.  However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency, we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement,

Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.


Who we are

NHS Stockport Clinical Commissioning Group are committed to ensuring that we’re transparent about the ways in which we use your personal information and that we have the right controls in place to ensure it is used responsibly and is kept safe from inappropriate access, theft or misuse.

We are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.

This privacy notice is part of our programme to make transparent the data processing activities we carry out in order to deliver our commissioning activities.

This privacy notice explains how we use your personal information and tells you about your privacy rights and how the law protects you.

Our Commitment to Data Protection and Confidentiality.

Stockport CCG is committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us;
  • and/or
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We require our service providers to implement appropriate industry standard security measures. We only permit them to process your personal information for specified purposes in accordance with our contractual instructions

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.

Personal information

Personal information can be anything that identifies and relates to a living person. This can include information that when linked with other information, allows a person to be uniquely identified. For example, this could be your name and contact details.

The law treats some types of personal information as ‘special’ because the information requires more protection due to its sensitivity. This information consists of:

  • racial or ethnic origin
  • sexuality and sexual life
  • religious or philosophical beliefs
  • trade union membership
  • political opinions
  • genetic and bio-metric data
  • physical or mental health
  • criminal convictions and offences

Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification (identification is not likely to take place)

Purposes of processing personal information

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to provide funding for Continuing Healthcare services
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care.
  • if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user participation groups
  • it is in our legitimate interests (or those of a third party) provided your interests and fundamental rights do not override those interests
  • it’s necessary to protect public health
  • you, or your legal representative, have given consent
  • you have entered into a contract with us
  • it’s necessary for employment related purposes
  • it’s necessary to deliver health or social care services

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records maybe held on paper or in a computer system. The types of information that we may collect and use include the following:

Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. Anonymised Information: This is data rendered into a form that does not identify individuals and where there is little or no risk of identification, (identification is not likely to take place).

The Information we process and share.

Your personal information may also be shared with other organisations, such as those who assist us in providing services and those who perform technical operations on our behalf.

These practical arrangements and the laws governing the sharing and disclosure of personal information often differ from one service to another.

The following table lists the purposes and rationale for why we collect and process information.

Further information regarding service specific processing activities includes the following:

Stockport CCG data sharing projects

  • Brinnington practice with Stepping Hill Foundation Trust heart failure service
  • Heaton Moor practice with Stepping Hill podiatry service
  • St Annes hospice with Brinnington practice
  • Cheadle Heald Green and Gatley practices with Foundation Trust Cheadle and Gatley District Nurses
  • Emergency Department of Stockport NHS Foundation Trust to view (read only) the General Practice medical record
Purpose for processing Legal Basis / Rationale
Complaints To process your personal information if it relates to a complaint where you have asked for our help or involvement
Funding of Treatments We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts
Continuing Healthcare We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.
Safeguarding We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns
Human Resources We will collect and process identifiable information in relation to CCG employees.
Risk stratifications This is a process that allows the CCG to identify and manage patients who are at high risk of emergency hospital admission.
Invoice Validation A small amount of information that could identify you is used within a special secure area within the commissioning environment, known as a Controlled Environment for Finance (CefF), so that the organisations that have provided care for you can be paid


Confidentiality Advice and Support

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information sharing.

The contact detail of our Caldicott Guardian is as follows:

Antia Rolfe, Executive Nurse.

Detect and prevent fraud or crime

By law, we have to protect the public funds we administer. We may use any of the information you provide to prevent and detect fraud. We may share this information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police.

We may use data matching to identify errors and potential frauds and we take part in national data matching exercises undertaken by the Audit Commission where permitted under the Data Protection Act.

We may share the information we hold with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent the risk of harm to an individual.

Data Transfers beyond European Union

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Data Retention/criteria

We will only keep your personal information for as long as the law specifies. Where the law does not specify this, we will keep your personal information for the length of time determined by our business requirements. This is available in the individual privacy notices.

How we keep your information safe

We are committed to ensuring your personal information is safe and protected from accidental loss or alteration, inappropriate access, misuse or theft.

As well as technical, physical and organisational controls, we recognise that a ‘well trained’, informed and security alert workforce minimises privacy risks from human error and/or threats.

We require our service providers to implement appropriate industry standard security measures. We only permit them to process your personal information for specified purposes in accordance with our contractual instructions.

Your Rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal data we hold about you.

You may exercise the rights listed below in relation to our use of your personal information. Some rights are absolute and others are not.

To find out more about how these rights apply in particular circumstances, please refer to our Guide to exercising you rights Data Subject Rights. For more information about your rights, visit the Information Commissioner’s web site at

To raise a concern about the handling of your personal information by the Stockport CCG, please contact us  Data Protection Officer (DPO) telephone: 0161 426 9900

To request any of the following, please write to NHS Stockport Clinical Commissioning Group, 4th Floor Stopford House, Piccadily, StockportSK1 3XE. Whether you are exercising your rights or raising a concern, you will normally need to include documents that prove your identity as well as a clear and precise description of your request/concern.

We will process requests in accordance within the legislative framework and the statutory time scales and inform you should an extension of time be necessary.


Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you, we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Let you have a copy of the information in an intelligible form.

To make a request to any personal information we may hold you need to put the request in writing to our contact address provided further below.

Rectification & Erasure:

You may request that we rectify or delete any of your personal information if you consider it is incomplete, factually incorrect, processed unlawfully or, is unnecessary or no longer needed.

Review of automated decision-making:

Our Guide to exercising you Rights [link] outlines the procedure to ask us for an automated decision to be reviewed by an appropriate officer.


You may object, at any time, to your personal information being processed.

This applies to processing:

  • carried out in performance of our statutory functions or in the public interest, including ‘profiling’
  • For direct marketing purposes

Restriction of Processing:

You may request restriction of processing (quarantining) of your personal information reasons, such as, for example:

  • If you have objected to the processing or asked us for erasure and we need time to consider your request and let you know our decision
  • You require us to retain your information for the establishment, exercise or defence of your own legal rights

Data Portability:

In defined circumstances, either where the processing relies on your consent or arises out of a legal contract, you may request we supply a copy of personal information that you have provided to us in a portable and machine-readable format.

Stockport Health and Care Record

The Stockport Health Care Record is a system which provides a single point of reference used by health and social care professionals directly involved with your care. It brings together relevant parts of your health and social care records, currently held by different organisations, in one place.

By sharing your information across services health and social care professionals will be able to see the most up-to-date health information about you and be able to make better and quicker decisions about your care and treatment. This will be especially helpful when care is being provided by a range of professionals, is unplanned or in an emergency.

What types of information do we use?

We only share data with the Stockport Health Care Record which will support in the delivery of an integrated primary care service for Stockport residents.  This includes key information such as; your name, address and telephone number, gender, date of birth, GP name and address and NHS number.  Also included will be health data including; diagnosis list, medications, allergies, test results, referrals, clinic letters and discharge information.  We also share details regarding race and ethnic origin in addition to religious beliefs in order to provide suitable care for all individuals.

What is the legal basis for using your information?

Under Article 6 (1) (e) of the GDPR 2016/679 – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Under Article 9 (2) (h) of the GDPR 2016/679 – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems.

Schedule 1, Part 1, s (2)(1) Data Protection Act 2018 – This condition is met if the processing is necessary for health or social care purposes.

Schedule 1, Part 1, s (2)(2)(c)(d)(e) Data Protection Act 2018 – In this paragraph “health or social care purposes” means the purposes of—

(c) medical diagnosis,

(d) the provision of health care or treatment,

(e) the provision of social care,

Where do we get your information?

The information included in the Stockport Health Care Record comes from various source systems used by NHS organisations in the Stockport area.  This includes GP’s, Stockport NHS Foundation Trust, Pennine Care, Stockport Child Health Information Service and Stockport Metropolitan Borough Council.  In addition to this, we also receive information for The Christie.

Who do we share your information with?

Information may be shared with clinicians from the following organisations: GP’s, Stockport NHS Foundation Trust, Pennine Care, Stockport Child Health Information Service and Stockport Metropolitan Borough Council, Mastercall (out of hours GP Service), St Anne’s Hospice, Viaduct Care and The Christie.

How long do we keep your information?

Our retention periods match national guidelines.

Transferring your information outside of the European Union (EU)

Your information will not be transferred outside the EU.

Automated decisions using your information?

There is no automated decision making included.  All decisions involve human intervention.

Your data could also be shared with other localitites within Greater Manchester for the purposes of direct care.  Please see the GM Care Record Privacy Notice for further information on this.

(Research and Development)

Stockport Clinical Commissioning Group is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.


National data opt-out programme

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Stockport CCG  is committed to working towards compliance with the national data opt-out policy within this time-frame.

Complaints (ICO)

If you are not satisfied with the way we have answered a request from you or handled your personal information, you have the right to make a complaint to the Information Commissioner

This right is not dependant on you raising a complaint with us first but we would encourage you to contact us by emailing so we can consider your concerns as quickly as possible.


When you visit or any sub-domain of, we use cookies to gather information and details about your visit. We do this to find out things such as the most popular areas of the website.

To find out about how we use cookies please see our cookie notice [link].


We may update or revise this privacy notice at any time so please refer to the version published on our website for the most up to date details.