
NHS Liverpool CCG – Patient Privacy Notice


How will your information be used?


NHS Liverpool Clinical Commissioning Group (CCG) fully appreciates the importance of protecting and managing your data and maintaining your privacy. This Privacy Notice describes how we collect and use personal information about you.

The CCG is a "Data Controller". This means that we are responsible for deciding how we hold and use personal information about you.

The CCG will comply with all legislation including the relevant Data Protection legislation, guidelines and the Care Quality Commission (CQC) guidance on patients’ personal information.

To ensure that we comply with these requirements, all our data management and clinical processes fully recognise the data protection law in force in the UK, which is the General Data Protection Regulation (GDPR), together with the UK Data Protection Act 2018, which covers additional information to the UK GDPR.

This notice is designed to inform you of the type of personal data (including sensitive personal data) that the CCG holds about you, how that information is used, who we may share that information with, how we keep it secure and confidential, and what your rights are in relation to the information which we hold.

Please read the following information carefully to understand how we process your personal data.

Who are we?

The CCG is responsible for the planning, purchasing and monitoring (commissioning) of health services from healthcare providers such as hospitals and GP practices to ensure the highest quality of healthcare for people registered with a GP in Liverpool. We do not provide direct healthcare like a GP practice or a hospital. Our role is to make sure the appropriate NHS care is in place for the people of Liverpool, within the budget we have.

Notification to the ICO

For the purpose of the UK GDPR, the ‘Data Controller’ is NHS Liverpool Clinical Commissioning Group, whose address is The Department, Lewis’s Building, Renshaw Street, Liverpool L1 2SA.

The Data Protection Act 2018 requires organisations that control data to register with the Information Commissioner's Office (ICO).

The CCG is registered with the Information Commissioner's Office (ICO) as a Data Controller, and our Data Protection Registration number is ZA008971.

You can view the ICO Register at:

or request a copy from Liverpool CCG at:

NHS Liverpool Clinical Commissioning Group

The Department, Lewis’s Building, Renshaw Street, Liverpool L1 2SA

1. What is the purpose of collecting information about you?

In carrying out our role as a commissioner of health services we may collect and process personal, sensitive and/or anonymised data about you, for the following ten purposes: -

  • Seeking views or comments on the services we provide
  • To keep you informed and obtain your views of our activities
  • For clinical audit purposes
  • To process and respond to requests, enquiries and complaints received from you
  • For statutory and regulatory compliance
  • For invoice validation to make the correct payments to service providers
  • For risk stratification of the population, to identify those who may benefit from targeted services, or care the most
  • For the purpose of making decisions about what services we buy (commission)
  • For the purposes of Safeguarding
  • Identifying NHS fraud (The National Fraud Initiative)

2. What Categories of information do we collect?

Personal data is information that can identify an individual e.g. name, address, date of birth, NHS number. 

Sensitive personal data (special category data) is information such as health, racial or ethnic origin, and religious beliefs.

Where there is a legal basis to do so we may keep both personal and sensitive personal data about you for the purposes listed in section 1. We may keep your information in written form and/or on a computer.

"Special categories" of particularly personal information require higher levels of data protection e.g. information about your physical and/or mental health. We need to have further justification for collecting, storing and using this type of personal information.

We may process special categories of sensitive personal information in the following circumstances:

  • Where it is needed to assess the care and support services for you.
  • Where we need to carry out our legal obligations.

We do not need your consent if we use special categories of your sensitive personal information to carry out our legal obligations.

We also collect and hold anonymised information about you. This is information with any identifiers removed, such as names, addresses, date of birth, full post code and NHS Number. Anonymised data is useful in the process of us assessing where best to place health services; what services populations may need; the effectiveness of services; and the improvement of outcomes for patients (a process also known as ‘commissioning’).

3. Data Protection Law

We collect personal information from you when you communicate with us as a patient. 

We may also collect personal data which relates to you from third parties for the purposes listed in section 1. We ensure, prior to processing your personal data for any purpose, that the law allows us to do this.

We process your personal data in accordance with the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), or for other lawful reasons.

Data Protection law says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

4. Consent

In the limited circumstances where you may have provided your consent to hold and use your personal data for a specific purpose beyond your care, you have the right to withdraw your consent for that specific processing at any time e.g. sharing your clinical experience in our committee papers.

To withdraw your consent, please contact us by emailing or writing to the CCG.

Once we have received notification that you have withdrawn your consent, we will no longer process your information for that specific purpose.

5. The Legal Basis for processing

We will take all possible care to protect your privacy and will only use information collected where the law allows, including: -

  • UK General Data Protection Regulation (GDPR)
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality
  • Human Rights Act 1998
  • NHS Act 2006
  • Health and Social Care Act 2012
  • Codes of Practice for Confidentiality, Information Security and Records Management

The legal basis for processing your data relies on certain conditions set out in UK GDPR Articles. Processing your data for health and care relies on:

Processing Personal Data - Article 6

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Processing Sensitive Personal Data – Article 9

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

6. Maintaining Confidentiality of your records

In addition to satisfying General Data Protection Regulations, we are required to adhere to the Common Law Duty of Confidentiality. All our staff are trained and briefed in data protection principles and understand they have a legal obligation to keep information about you confidential. They also understand that information about you will only be shared with other parties if there is an agreed lawful need to do so or another legal requirement. We will only share your data without your permission where there is a legal basis to do so, which is in accordance with the seven Caldicott Principles, and in particular Principle 7 which is:

The duty to share information can be as important as the duty to protect patient confidentiality.

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

All personal information that we manage is stored within the UK within a secure environment and we always use suitably protected methods and systems to transfer your personal information.

7. Data Processors

There is a list of organisations who work with us or on our behalf to process the data we use, ensuring it is accurate, securely transferred and appropriately managed. These organisations are referred to as Data Processors. They collect information from a range of Health and Care organisations where people receive care (e.g. hospitals and community services) and send it to us securely. The Data Processors used include:

  • NHS England
  • NHS Digital
  • Midlands and Lancashire Commissioning Support Unit (CSU)
  • Arden and GEM Commissioning Support Unit (CSU)
  • Hartree Centre (specialist data provider)
  • Liverpool University (research body)
  • Nottingham University (research body)

Information that is received is for the most part anonymised for the purposes previously listed.

Information received contains identifiable fields of NHS number for the following purposes only: -

  1. For invoice validation to make the correct payments to services
  2. For risk stratification of the population, to identify those who may benefit from targeted services, or care the most

Data processed for the purpose of Invoice Validation, Risk Stratification and Commissioning is supplied by NHS Digital.

We use a database called ‘MyNHS’ to help us send out updates to people who are interested in our work, such as news about public consultations and engagement activities. This database is supplied by a company called Civica (the data processor). We have an agreement in place that sets out how data contained within the MyNHS database is processed, which makes clear that this can only be done on our authority.

7.1 Financial validation

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. The limited information includes name, DOB, GP Practice and service code and is normally only used for patients who have visited a secondary care organisation outside the area we serve, such as a hospital in another city. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain within the Controlled Environment for Finance (CEfF), approved by NHS England.

7.2 Risk Stratification of the population

To help us identify those at risk of certain outcomes, our data processors obtain data from the health and social care services you use and ‘link’ this data together. This is a very important process without which we have very limited understanding of how health and social care is connected. The data is then ‘pseudonymised’, which means any identifying details (such as hospital or NHS number) are replaced with a unique code. No other patient identifiable data such as name or address is received for data linkage. This data is always stored securely and only shared with those who are part of the risk stratification process.

We receive data from hospitals (via a portal called the Secondary Uses System - SUS) and GP records (EMIS) to enable this analysis to take place and to ensure that individual people cannot be identified.

A Data Sharing Agreement is signed between NHS Digital and ourselves to ensure that agreement over how we use the data is maintained.

8. Further data sharing

It may be possible that we will share your personal information with other organisations listed below:

  • NHS Trusts
  • Local Authorities e.g. Liverpool City Council
  • Specialist Health Panels
  • Other Clinical Commissioning Groups
  • NHS England

This would only be for the following other purposes not listed in section 1: -

  • For clinical audit purposes
  • To process and respond to requests, enquiries and complaints received from you
  • For statutory and regulatory compliance
  • For the purposes of Safeguarding
  • For the purpose of making decisions about what services we buy (commissioning)
  • Identifying NHS fraud (The National Fraud Initiative)

All information is shared only if there is a legal basis to do so with a comprehensive sharing agreement and strict security features in place in line with national policy over data transfer and storage.

In some cases, you will be requested to provide explicit consent if we intend to share your personal information with other organisations where there is no other legal basis to do so.

9. The National Fraud Initiative

The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect NHS fraud.

The Cabinet Office requires NHS organisations to participate in data matching exercises to assist in the prevention and detection of fraud. Data matching involves comparing computer records held by one NHS organisation against computer records held by the same or another organisation to see how they match. This is usually personal information. Computerised data matching can help us to identify and investigate potentially fraudulent claims, payments and errors.

Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Information on the type of data we are required to share is set out in the Cabinet Office’s guidance which can be found or click here. Data matching is subject to a Code of Data Matching Practice for the National Fraud Initiative and is detailed at or click here.

or request a copy from Liverpool CCG at:

NHS Liverpool Clinical Commissioning Group

The Department, Lewis’s Building, Renshaw Street, Liverpool L1 2SA

The use of data by the Cabinet Office in data matching exercises is carried out with statutory authority under its power in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018. For further information on the Cabinet Office's legal powers and the reasons why it matches particular information please see:  or click here.

For further information on data matching at NHS Liverpool CCG please contact:

Stephen Hendry 0151 296 7655

Head of Corporate Services and Governance

NHS Liverpool Clinical Commissioning Group

The Department

Lewis’s Building

2 Renshaw Street


L1 2SA

10. Transferring information outside the United Kingdom (UK)

We will not transfer the personal information we collect about you outside the UK.

There are some exceptions to this e.g. if you ask us to provide information about you to an organisation outside of the United Kingdom.

11. Keeping your data physically secure

We will make every endeavour to ensure the security of your information.

The CCG will ensure data is kept securely using:

  • Secure computer systems. Any records held electronically will be protected by appropriate security arrangements that prevent unauthorised access.
  • Locked filing cabinets kept in secure office accommodation.

To prevent unauthorised access and to maintain data accuracy, the CCG uses reasonable physical, electronic and managerial procedures to safeguard and secure the information it collects. The CCG recognises the importance of safeguarding personal information in our possession from theft, inappropriate use or improper distribution. It should, however, be recognised that no organisation can absolutely protect personal information at all times.

We have put in place procedures to deal with any suspected or actual data security breach and will notify you where we are legally required to do so.

12. Retention of your data

Your data will be retained for no longer than is absolutely necessary and in accordance with our Documentation Management Lifecycle Policy and the associated Schedule of Retention.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we follow the Records Management Code of Practice 2021 – A guide to the management of health and care records, which is a guide to use in managing records, based on current legal requirements and professional best practice.

You can see this at or click here

or request a copy from Liverpool CCG at:

NHS Liverpool Clinical Commissioning Group

The Department,

Lewis’s Building,

Renshaw Street,


L1 2SA


We may continue to process your personal data for a short period if you leave the Liverpool CCG area, e.g. for financial reasons.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

13. Your Rights

Under certain circumstances, by law you have the right:

  1. to be informed

This enables you to be informed how we process your data, by way of this Privacy Notice.

  2. of access

This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

  3. to rectification

This enables you to have any incomplete or inaccurate information we hold about you corrected.

  4. to erasure

This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Please note that under certain circumstances we are legally obliged to maintain a copy of your data for contractual and/or statutory reasons.

  5. to restrict processing

This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

  6. to data portability

This enables you to transfer your electronic personal information to another party, where we can provide a copy of your data in an easily transportable format.

  7. to object

This enables you to object where we are processing your personal information for direct marketing purposes.

  8. in relation to automated decision making & profiling

This enables you to be told if we process your data using automated software. Please note that the CCG does not, at present, carry out automatic processing of your data.

14. Access to your personal information

You have a right under the UK GDPR to request access to view or to obtain a copy of what information the organisation holds about you and to have it modified should it be inaccurate. The process to access your records is known as a Subject Access Request (SAR) and is outlined below: -

  • Your SAR should be made to the organisation’s Corporate Services and Governance Team at NHS Liverpool Clinical Commissioning Group, The Department, Lewis’s Building, Renshaw Street, Liverpool L1 2SA.
  • The request will be reviewed and if possible completed within one month (subject to the possibility of a request for further clarification from you).
  • You will be asked by the Corporate Services and Governance Team to provide adequate proof of your identity before we will release the requested details, i.e. two forms of identification, one being photographic, which show your full name, address, date of birth.
  • You will not have to pay a fee to access your personal information. However, we may charge a reasonable fee if you request further copies.
  • In general, we will provide access to everything we hold about you. Any information relating to another patient or individual will usually be withheld. Certain exemptions may apply, which means we have to withhold information that may cause you or anyone else physical and/or mental harm.

Please give as much information as possible to help us respond to your request, including:

  • Your full name, address, date of birth and contact telephone number
  • Details of the specific information you require and any relevant dates

Please note NHS Liverpool CCG cannot access your GP or Hospital Records; you would need to contact the organisation directly.

15. Confidentiality

Your information is kept confidential at all times and is only shared with people who need the information to support you effectively.  All CCG staff are bound by strict professional and contractual clauses of confidentiality and by UK law.

16. Equality and Diversity

For the CCG, diversity is about respecting the differences of our individual patients, partners and staff, ensuring that all people that come into contact with us have access to the appropriate high standards of behaviour and service.

We will communicate with patients in the way that suits them wherever possible.  We will provide information that is easy to understand and we will communicate in an appropriate way.

17. How the NHS and Care Services use your Information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit If you do choose to opt out you can still consent to your data being used for specific purposes, such as taking part in clinical pilots, trials and research.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

18. Changes to this Privacy Notice

We will review our Privacy Notices regularly in order to continuously improve our services and performance.

The CCG may, in its sole discretion, amend this Privacy Notice at any time without direct notice to you.  We suggest that to protect your interests you visit our website and check the Privacy Notice on a periodic basis.

19. Complaints

Should you have any concerns about how your information is managed by the CCG please contact us at: -

NHS Liverpool Clinical Commissioning Group

The Department, Lewis’s Building, Renshaw Street, Liverpool L1 2SA

If you are still not happy with how the CCG processes your data, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

The ICO contact details are:

Information Commissioner's Office

Wycliffe House

Water Lane





ICO Helpline: 0303 123 1113

(local rate - calls to this number cost the same as calls to 01 or 02 numbers).

ICO Live chat: allows you to have an online conversation with someone at the ICO.

The ICO helpline and live chat services are usually available between 9am and 4:30pm, Monday to Friday (excluding bank holidays).

ICO Email: To ask the ICO something by email, just fill in the form at:

20. Further information

If you have a question about your information you can discuss this with the person providing your care.

If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact us.

If you would like to know more about how the CCG uses your information, please contact us:

NHS Liverpool Clinical Commissioning Group Headquarters
The Department
Lewis's Building
Renshaw Street
L1 2SA


0151 296 7000

Further details are available on our website at: contact details here

For more information on how data is collected and used across the NHS, please or click here

Find out more about our data sharing campaign "We Share Because We Care" click here

or request a copy from Liverpool CCG at:

NHS Liverpool Clinical Commissioning Group Headquarters

The Department

Lewis’s Building

Renshaw Street


L1 2SA


The CCG Data Protection Officer can be contacted at: or by writing to Liverpool CCG directly.

Further information can also be obtained from the following links:

Data Protection Act 2018

ICO Guide to the UK General Data Protection Regulation (GDPR)

NHS Digital – Codes of practice for handling information in health and care

Please note, when we refer to ‘we’, ‘us’ and ‘our’, we mean NHS Liverpool Clinical Commissioning Group.


