How we use your information

Last updated September 2016

Your information - what you need to know

NHS Liverpool Clinical Commissioning Group is responsible for planning NHS services across the city, and works with other clinicians and healthcare providers to ensure they meet the needs of local people. We do not provide healthcare like a GP Practice or hospital. Our role is to make sure the appropriate NHS care is in place for the people of Liverpool, within the budget we have.

Why we collect information about you

In carrying out some of these roles we may collect information about you which helps us respond to your queries or plan health services. This information is collected by the services you use and sent to us routinely. We may keep your information in written form and/or on a computer.

In most cases the information we receive does not contain any identifiable data such as your name or your date of birth. However some records may include basic details about you, such as your name and address, if there is a legal basis for us to receive this information. They may also contain more sensitive information about your health and information such as outcomes of need assessments.

How your records are used to help the NHS

Your information may be used to:

  • Help assess the needs of the general population and make informed decisions about the provision of future services.
  • Improve outcomes for the population by identifying which services or health care is most effective.
  • Help understand which patient groups are likely to get ill and attend hospital (risk stratification).
  • Conduct health research and development, monitor NHS performance and help the NHS plan for the future.
  • Investigate complaints in respect of the services we commission.

Using your information in this way can help us to identify patients who will benefit from early intervention and plan care which has a greater chance of improving health outcomes for patients.

We will not publish any information that identifies you or routinely disclose information about you without your express permission. You have the right to refuse or withdraw consent to information sharing at any time. The possible consequences will be fully explained to you, such as potential delays in receiving care. See “Choices about your personal information” below for further information.

There may be circumstances where we are legally bound to share information about you, for example in the event of a pandemic and in accordance with the Data Protection Act to protect the public's interests.

Anyone who receives information from us is also under a legal duty to keep this information confidential.

Working in partnership with other organisations

There are a number of NHS organisations who work on our behalf or with us to ensure that data we receive is accurate and securely transferred and managed. These organisations can be called data processors. They collect information from a range of places where people receive care, such as hospitals and community services and send it to us securely. Our main NHS data processors are Arden and GEM Commissioning Support Unit (CSU), Midlands and Lancs CSU and NHS Digital (previously Health and Social Care Information Centre).

As an NHS organisation we often work in partnership with a range of NHS providers and commissioners and we also work closely with the Liverpool City Council who provide social care related services. In addition, we sometimes may work with a third party data provider to help undertake some analysis. Your information may at times be shared with these partners to support the care you receive and the planning of services. All information is shared only if there is a legal basis to do so with a comprehensive sharing agreement and strict security features in place in line with national policy over data transfer and storage.   

The data collected about you may be used to assess whether you, or people with similar characteristics, are at risk of needing NHS care in the future. This analysis is described as risk stratification. The data is then made available to services which will identify and prioritize patients who are most at risk and would benefit the most from proactive intervention and care.

Linking data

To help us identify risks we obtain data from the health and social care services you use and ‘link’ this data. This is a very important process without which we have very limited understanding of how health and social care is connected. The data is then pseudonymised, which means any identifying details (such as name or NHS number) are replaced with a unique code. No other patient identifiable data such as name or address is received for data linkage. This data is always stored securely and only shared with those who are part of the risk stratification process.

We receive data from hospitals (via a portal called the Secondary Uses System) and GP records (EMIS) to enable this analysis to take place. Individual people cannot be identified.

A data sharing agreement is signed between NHS Digital and ourselves to ensure that agreement over how we use the data is maintained.

Financial validation

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. The limited information includes name, DOB, GP Practice and service code and is normally only used for patients who have visited a secondary care organisation outside the area we serve, such as a hospital in another city. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF), approved by NHS England. You have the right to refuse your information being disclosed for this purpose. This would not affect your care but would make it difficult for us to validate that costs of these services should be charged against our budget.

National Fraud Initiative (2014/15)

NHS Liverpool CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office requires NHS organisations to participate in data matching exercises to assist in the prevention and detection of fraud. Data matching involves comparing computer records held by one NHS organisation against computer records held by the same or another organisation to see how they match. This is usually personal information. Computerised data matching can help us to identify and investigate potentially fraudulent claims, payments and errors.

Information on the type of data we are required to share is set out in the Cabinet Office’s guidance which can be found here. Data matching is subject to a Code of Practice and is detailed here.

The use of data by the Cabinet Office in data matching exercises is carried out with statutory authority under its power in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

For further information on the Cabinet Office's legal powers and the reasons why it matches particular information, click here.

For further information on data matching at NHS Liverpool CCG please contact:

Joanne Davies 0151 296 7449

Corporate Services Manager – Governance
NHS Liverpool Clinical Commissioning Group
The Department
Lewis’s Building
2 Renshaw Street
L1 2SA

Security of information

Everyone working for the NHS is subject to the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access. Under the NHS Confidentiality Code of Conduct all our staff are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared.

Choices about your personal information

There are choices you can make about how your information is used and you can choose to opt out of your information being shared or used for any purpose, beyond providing your care.

If you do not want your information to be used for any purpose beyond providing your care as outlined above, you can choose to ‘opt-out’. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. This won’t affect the care you receive now, but giving us access to this data helps us to plan and improve services which your friends and family might use in the future.

There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

  • Type 1 opt-outs
    If you do not want information that identifies you to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
  • Type 2 opt-outs
    NHS Digital collects information on our behalf from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice. When this is done, your record is removed from any data we receive from NHS Digital.

Type 2 opt out does not apply when there is a legal requirement to release information, or where you have given your consent to a specific release of your information, such as for research.

There are also some limited circumstances, which are set out in the direction, when your information may still be shared. These are cases where:

  • The Secretary of State for Health has identified the information flow is very important.
  • There are complex technical barriers that make it very difficult to apply opt outs.

For more information on how NHS Digital collect and use opt-out information click here.

Access to your information

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. This right can be exercised via submission of a Subject Access Request (SAR) to the NHS Liverpool CCG. We are able to charge a reasonable fee for the administration of the request, however these fees are set down in law as follows:

We may charge up to £10 for complying with a SAR relating to health records if the information is only held electronically.

We may charge up to £50 for complying with a SAR relating to health records if those records are held either wholly or partly in non-electronic form.


In the event that you believe the NHS Liverpool CCG has not complied with the Data Protection Act, either in responding to a Subject Access Request or in the way we have processed your personal information, you have the right to make a complaint and can do so, either by contacting our corporate governance lead, as stated above or by seeking independent advice from the Information Commissioner's Office.

Caldicott Guardian

The Caldicott Guardian is the senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. The Guardian plays a key role in ensuring that the NHS, councils with social services responsibilities and partner organisations satisfy the highest practicable standards for handling patient identifiable information. The CCG’s Caldicott Guardian is Dr Simon Bowers, CCG Governing Body member.

How long do we keep your records?

Any records that we have received as detailed above are stored securely and kept for a period of time in line with NHS Liverpool CCG’s retention policy and the NHS Code of Practice which can be found here. Dependent on the reason we received your data, we may store your information securely for a period of between two and 20 years. Your records may be kept longer but would not ordinarily be kept longer than 30 years. Following this period of time, information about you would be destroyed under confidential conditions.

Further Information

If you would like to know more about how NHS Liverpool CCG uses your information you can find our contact details here. For more information on how data is collected and used across the NHS, please click here. Find out more about our data sharing campaign "We Share Because We Care", here.


