Liverpool CCG Logo

Privacy Policy

NHS Liverpool Clinical Commissioning Group fully appreciates the importance of protecting and managing your data and maintaining your privacy. To ensure that we comply with these requirements all our data management and clinical processes fully recognise the data protection law in force in the UK which is the Data Protection Act 2018 which includes relevant Articles from the EU General Data Protection Regulation (GDPR).

This notice is designed to inform you of the type of information (including personal information) that we, i.e. NHS Liverpool CCG, as your clinical commissioning group (CCG), holds about you, how that information is used, who we may share that information with, and how we keep it secure and confidential and what your rights are in relation to the information which we hold.

Please read the following information carefully to understand how we process your personal data.

Who are we?

Liverpool CCG is responsible for the planning, purchasing and monitoring (commissioning) of health services from healthcare providers such as hospitals and GP practices to ensure the highest quality of healthcare for the people of Liverpool. We do not provide healthcare like a GP practice or a hospital. Our role is to make sure the appropriate NHS care is in place for the people of Liverpool, within the budget we have.

Why we collect information about you

In carrying out our role as a commissioner of health services we may collect and hold some information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or on a computer. The records may contain information about your health and also information such as outcomes of needs assessments. They may also include, where there is a legal basis to do so, basic details such as your name, address and date of birth.  For the purpose of the UK Data Protection Law, the ‘Data Controller’ is NHS Liverpool Clinical Commissioning Group, whose address is The Department, Lewis’s Building, Renshaw Street, Liverpool L1 2SA

When we refer to ‘we’, ‘us’ and ‘our’, we mean NHS Liverpool Clinical Commissioning Group.

Use of Your Personal Information

Maintaining the Confidentiality of Your Records

Legal Basis for Processing

Partner Organisations

Linking Data

Financial Validation

Access to Personal Information and Your Rights

Retention of your Data

Withdrawal of Consent


Updating Personal Details


Use of Your Personal Information

This privacy notice explains why we collect information about you and how that information may be used.

Our health care professionals who provide you with our services maintain records about your health and any treatment or care you have received previously. These records help to provide our clients with the best possible healthcare.

Your records may exist is several formats including electronic, paper or a mixture of both, and we deploy many working organisations and approaches to ensure that such information is maintained within a confidential and secure environment. The records which we could hold about you may include the following information: -

  • Personal details relating to you, including your address and contact details, carer, legal representative and parents’ emergency contact details
  • Any contact we have had or intend to have with you such as appointments, clinic or surgery visits, home visits, etc.
  • Notes and reports about your health which is deemed to be of a sensitive nature
  • Details about your referral, diagnostics procedures, treatment and care
  • Results of any additional relevant investigations
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the highest levels of care, your records will be used to facilitate the care that we provide. Anonymised information held about you could, on occasions, be used to help protect the health and wellbeing of the general public and to help us manage our contracts with commissioners. Information could also be used within our organisation for the purposes of clinical audits which in turn will provide monitoring of the quality of the services we provide.


Some of this information will be used for statistical purposes and we will ensure that individuals cannot be identified. For situations where we may contribute to research projects we will always gain your explicit consent before releasing any relevant information. Back to top

Maintaining the Confidentiality of Your Records

We will take all possible care to protect your privacy and will only use information collected with the law including: -

  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality 
  • Health and Social Care Act 2012 (if appropriate)
  • Codes of Confidentiality, Information Security and Records Management

Our staff are all trained and briefed in data protection principles and understand they have a legal obligation to keep information about you confidential. They also understand that information about you will only be shared with other parties if there is an agreed need to do so or a legal reason. We will only share your data without your permission if there are very exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the Caldicot Principle 7 e.g. to share or not to share. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles. Whilst the Caldicott Principles were originally developed for NHS purposes, we have adopted the underlying principles in order to align with best practice.

All personal information that we manage is stored within the UK within a secure environment and we always use suitably protected methods and systems to transfer your personal information.

Back to top

Our legal basis for processing your data relies on certain conditions set out in GDPR Articles 6 and 9 which come under the UK Data Protection Act 2018. Back to top

Partner Organisations

There are a number of NHS organisations who work on our behalf or with us to ensure that data we receive is accurate, securely transferred and appropriately managed. These organisations are referred to as ‘data processors and they collect information from a range of places where people receive care (e.g. hospitals and community services) and send it to us securely. It may be possible that we will share your information with other organisations, if this is required we will apply very strong controls. The current organisations who we share data with includes: -

  • NHS Trusts
  • Local Authorities e.g. Liverpool City Council
  • Specialist Panels
  • Clinical Commissioning Groups
  • NHS Digital
  • NHS England
  • Midlands and Lancashire Commissioning Support Unit (CSU)
  • Arden and GEM Commissioning Support Unit (CSU)

It is noted that the above list is not exhaustive, and we may contract with other external organisations to undertake processing of your personal information. These 3rd party organisations will abide with our stringent contractual conditions regarding the protection of personal data.

In some cases, you will be requested to provide positive consent if we intend to share your personal details with other organisations. Back to top

Your information may at times be shared with these partners to support the care you receive and the planning of services. All information is shared only if there is a legal basis to do so with a comprehensive sharing agreement and strict security features in place in line with national policy over data transfer and storage. 

The data collected about you may be used to influence whether you, or people with similar characteristics, are at risk of needing NHS care in the future. This analysis is described as risk stratification. The data is then made available to services which will identify and prioritize patients who are most at risk and would benefit the most from proactive intervention and care. Back to top

Linking data

To help us identify risks we obtain data from the health and social care services you use and ‘link’ this data. This is a very important process without which we have very limited understanding of how health and social care is connected. The data is then ‘pseudonymised’, which means any identifying details (such as name or NHS number) is replaced with a unique code. No other patient identifiable data such as name or address is received for data linkage. This data is always stored securely and only shared with those who are part of the risk stratification process.

We receive data from hospitals (via a portal called the Secondary Uses System) and GP records (EMIS) to enable this analysis to take place individual people cannot be identified.

A data sharing agreement is signed between NHS Digital and ourselves to ensure that agreement over how we use the data is maintained. Back to top

Financial Validation

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. The limited information includes name, DOB, GP Practice and service code and is normally only used for patients who have visited a secondary care organisation outside the area we serve, such as a hospital in another city. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain within the Controlled Environment for Finance (CEfF), approved by NHS England. You have the right to refuse your information being disclosed for this purpose. This would not affect your care but would make it difficult for us to validate that costs of these services should be charged against our budget.

The National Fraud Initiative: Fair Processing Notice

NHS Liverpool CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office requires NHS organisations to participate in data matching exercises to assist in the prevention and detection of fraud. Data matching involves comparing computer records held by one NHS organisation against computer records held by the same or another organisation to see how they match. This is usually personal information. Computerised data matching can help us to identify and investigate potentially fraudulent claims, payments and errors.

Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Information on the type of data we are required to share is set out in the Cabinet Office’s guidance which can be found here. Data matching is subject to a Code of Practice and is detailed here.

The use of data by the Cabinet office in data matching exercises is carried out with statutory authority under its power in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.  For further information on the Cabinet Office's legal powers and the reasons why it matches particular information click here.

Further information on data matching at NHS Liverpool CCG please contact:

Stephen Hendry 0151 296 7655

Senior Operations and Governance Manager

NHS Liverpool Clinical Commissioning Group

The Department

Lewis’s Building

2 Renshaw Street


L1 2SA

Access to Personal Information and Your Rights

You have a right under the Data Protection Act 2018, to request access to view or to obtain a copy of what information the organisation holds about you and to have it modified should it be inaccurate. The process to access your records is known as a Subject Assess Request (SAR) and the way it works is outlined below: -

  • Your SARs request must be made in writing to the organisation’s IG Lead at the address shown above
  • The latest regulations state that there is no charge to have a printed copy of your information provided
  • The request will be reviewed and if possible completed within one month (subject to our possible requests for further clarification for you)
  • You will need to provide adequate proof of your identity before we will release the requested details (e.g. full name, address, date of birth, NHS number and details of your request), you must also provide two forms of identification, 1 being photographic.

In addition to the right of access, under the Data Protection Act 2018, you will also have the following rights: -

  • Erasure, which is the right to request that your personal data is removed from our systems be they paper or electronic – please note that under certain circumstances we are legal obliged to maintain a copy of your data for contractual and or statutory reasons
  • Restriction of processing, this is the right for you to request that we only process certain parts of your data
  • Objection – you have the right to object to the way that we are processing your data
  • data portability – this concerns the right to request that we provide a copy of your data in an easily transportable format. 
  • Automatic processing – you have the right to object to the way we automatically process data – in the case of our organisation we do not, at present, carry out automatic processing of your data
  • If you have provided us with your consent to process your data for the purpose of providing our services, you have the right to withdraw this at any time.  In order to do this should contact us by emailing or writing to the organisation. Back to top

Retention of your data

Your data will be retained for no longer than is absolutely necessary and in accordance with our Documentation Management Lifecycle Policy and the associated Schedule of Retention. Back to top

Withdrawal of Consent

If you have provided us with consent to process your data for the purpose of providing our services, you have the right to withdraw this at any time.  In order to do this should contact us in writing.

Back to top


This website makes use of cookies to optimise user experience. By using our website, you consent to all cookies in accordance with our Cookie Policy.

Updating Personal Details

If any of your details e.g. your name, address or other personal data have changed or are incorrect you have a responsibility to inform the professional treating you who will arrange for the necessary updates to be made. This will help us to ensure that the data we hold about you is accurate and complete. Back to top


The Data Protection Act 2018 requires organisations that control data to register with the Information Commissioners Office (ICO) website 

The organisation is registered with the ICO as a Data Controller under the Data Protection Act 201 8. The registration number is ZA008971 and can be viewed online in the public register at

Back to top


Should you have any concerns about how your information is managed by the Organisation please contact us at: -

Liverpool Clinical Commissioning Group

The Department, Lewis’s Building, Renshaw Street, Liverpool L12SA

If you are still unhappy following a review by the Organisation you can then complain to the Information Commissioners Office (ICO) via their website

or in writing to: -

Information Commissioner's Office
Wycliffe House
Water Lane

If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact us.

Back to top

Further information

If you would like to know more about how NHS Liverpool CCG uses your information you can find our contact details here.  For more information on how data is collected and used across the NHS, please click here. Find out more about our data sharing campaign "We Share Because We Care", here.

Liverpool CCG's Data Protection Officer can be contacted at: or by writing to Liverpool CCG Directly.

Further information can also be obtained from the following links:

Data Protection Act 2018

ICO Guide to the General Data Protection Regulation (GDPR)

NHS Digital – Codes of practice for handling information in health and care


NHS Choices logo

Be better informed about your right to choice in the NHS

Enter your postcode below to find nearby services