How we use your information

Your information, what you need to know

We are responsible for buying health services to serve you and others in Croydon. This is known as commissioning. It includes services such as hospitals, community and mental health services as well as non-standard services such as those offered by charities.

All GP practices in Croydon are members of our Clinical Commissioning Group (CCG). Our role is to make sure that appropriate care is in place for you and others, both today and in the coming years.

How we use personal information can also be found in our registration with the Information Commissioner's Office under the reference number ZA001304.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence cannot normally be disclosed without your consent. However, there are circumstances which may override this duty of confidence, for example where a disclosure is ordered by the courts.

The NHS Confidentiality Code of Practice requires all our staff to protect your information, tell you how it will be used, and allow you to decide if, and how, it can be shared.

We are also required to comply with other legislation relating to the use of personal information such as the Data Protection Act 2018.

Why we collect information about you

We may need to use information about you to help us respond to your queries or secure specialist services for you where we have a statutory duty to uphold. For these reasons we may keep your information in written form and/or in digital form. Our records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health, or information such as the outcomes of needs assessments.

What we use your information for

We may use your information for the following purposes. You can find further details about each use below:

Information that is anonymous to us may be used for:

  • Analysis and Risk Stratification
  • Paying for and Managing Local Healthcare Services
  • Invoice Validation
  • Supporting Medicines Management
  • Commissioning functions

Information that is identifiable to us may be used for:

  • Continuing Healthcare Applications
  • Individual Funding Requests
  • Safeguarding
  • Post Infection Reviews
  • Incident Management
  • Other healthcare purposes (sharing with other NHS or non-NHS organisations)

Analysis and Risk Stratification

Your GP uses your data to provide the best care they can for you. As part of this process, your GP will use your personal and health data to undertake risk stratification.

Risk stratification involves using computer-based algorithms or calculations to identify who is most at risk from certain medical conditions. This informs your GP of who will benefit from clinical care to help prevent or better treat their condition.

To identify those at risk manually out of everyone registered with your GP would be a lengthy and time-consuming process. This approach could result in identifying those at risk later on, and reducing the time to provide care. This is why a computerised process is used.

Your GP Surgery uses the services of a health partner, NHS South East CSU, to undertake this process. We arrange this contract.

We will not have access to your personal or confidential data at any time and neither will South East CSU. They act on behalf of your GP to organise this service with appropriate contractual and security measures only.

South East CSU will automatically process your personal and confidential data without any staff being able to view the data. Typically this will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. This processing takes place automatically and without human or manual handling; nobody sees this information. Data is extracted from your GP computer system, automatically processed, and the results are matched against those on your GP's system. Only your GP is able to view the outcome.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times in this process your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to South East CSU for risk stratification purposes.

We have identified key areas to concentrate on with regards to the health of Croydon residents. You can read about these on our news page.

Paying for and Managing Local Healthcare Services

We use the local Accredited Safe Haven which processes personal data securely on our behalf to allow it to be used without anyone being identified. This Safe Haven is located within NHS South East Commissioning Support Unit (CSU), which has been accredited by the Health and Social Care Information Centre.

The information used by South East CSU within the Safe Haven will include details such as your NHS number, GP practice, and information about your treatment at hospital or within the community. It may also include other elements of your health record. This allows South East CSU to link information from each area of healthcare to give us a fuller picture of health within Croydon. It helps us understand which services are required to support you and others to stay healthy. As part of this process, any information that might allow us to identify you is removed before it is sent to us at the CCG.

Where we are responsible for care that has been provided, we will need to make a payment to the provider of that care. In most cases limited data is required to make these payments. However, in some instances we will need information to confirm that you are registered at one of our member GPs to make these payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England and is explained further below.

Invoice Validation

We do not have a legal right to access your personal confidential data to validate invoices. Neither do other CCGs, NHS England, or Commissioning Support Units. However, in November 2013, the Secretary of State for Health approved an application from NHS England to legally allow personal data to be used to validate invoices without the consent of the patient. This application is known as a Section 251 and you can read more about it here. It occurs within a secure controlled environment. The invoice validation process supports the delivery of patient care across the NHS by ensuring that:

  • Service providers are paid for the patient's treatment
  • Services can be planned, commissioned, managed, and subjected to financial control
  • Commissioners can confirm that they are appropriately paying for the treatment of their patients
  • The commissioners' duties of fiscal probity and scrutiny are fulfilled
  • Invoices can be challenged and disputes or discrepancies resolved

Continuing Healthcare (CHC) Applications

If you make an application for Continuing Healthcare (CHC) funding, we will need to use information about you. This includes information that you provide us with. We may also need to request further information from care providers in order to identify your eligibility for funding.

If funding is agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. This process is defined nationally and we follow a standard process and use standard information collection tools to decide whether someone is eligible.

Individual Funding Requests (IFR) Applications

If you make an Individual Funding Request (IFR) for specialist drugs or rare treatments we will need to use information about you. This includes information that you provide us with. We may also need to request further information from care providers in order to identify your eligibility for funding.

If funding is agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.

We will always seek your consent to use your information for this purpose.

Medicines Management

We support local GP practices with prescribing queries. This generally does not require identifiable information.

Where specialist support is required, the medicines management team will order this on behalf of a GP to support your care, for example to order a drug that normally comes in solid form in a gas or liquid form instead.

Safeguarding

Advice and guidance is given to care providers to ensure that adult and child safeguarding matters are managed appropriately.

Access to identifiable information will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned.

Post Infection Reviews

We collaborate closely with organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to, a patient's infection.

We will lead the Post Infection Reviews within Croydon in the circumstances set out in the Post Infection Review Guidance issued by NHS England. They will be able to use the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system.

Incident Management

We are accountable for effective governance and learning following all Serious Incidents (SIs) and we work closely with all provider organisations as well as commissioning staff to ensure they are reported and managed appropriately.

The Francis Report (February 2013) emphasised that commissioners should have a primary responsibility for ensuring quality of care, as well as providers.

Commissioning Functions

In order for us to perform our commissioning functions various organisations share information with us including: GPs, acute and mental health hospitals, other CCGs, community services, walk-in centres, nursing homes, directly from service users and many others.

This information is not personal information and you cannot be identified by it.

Other Healthcare Purposes (Information Sharing With Other NHS Agencies and Non-NHS Organisations)

For other health purposes and for your benefit, we may share your information with other organisations such as Health Authorities, NHS Trusts, and General Practitioners. We may also need to share information with our partner organisations or with other non-NHS organisations if you are receiving care from them, such as the Local Authority or Croydon Community Health Services.

Where information sharing is required with other organisations, we will always have a relevant Data Sharing Agreement or Data Processing Deed in place and will not disclose any health information without your explicit consent.

There may be exceptional circumstances where we are required to share your information without your consent, such as: when your health or the health or safety of others is at risk; where the law requires it; or where it is required in order to carry out a statutory function.

Our guiding principle is that we are holding your records in strictest confidence. We follow both the Data Protection Principles and the Caldicott Principles as a guide for handling and sharing information.

What we do not use your information for

We do not sell personal data about you to individuals or organisations.

We also have robust technical solutions in place to protect against malicious attempts to access information.

How your records are used to help the NHS 

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development as well as monitor NHS performance.

Where information is used for statistical, research and auditing purposes, strict measures are taken to ensure that you and others cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

If it is for an essential NHS purpose and it is not sufficient to use anonymised information, identifiable information may be used. This will only be done with your consent unless the law requires information to be passed on to improve public health.

To ensure that your information is appropriately and effectively anonymised we follow HSCIC anonymisation standards.

Decommissioning of services

We will retain legal responsibility for the information held about you until it is formally dissolved or the responsibility is appropriately transferred.

Employee information

We collect information about individuals who work for us for the following purposes:

  • the administration of prospective, current and past employees including self-employed, contract personnel, temporary staff or voluntary workers
  • the recruitment and selection process
  • administration of non-CCG staff contracted to provide services on our behalf
  • planning and management of our workload or business activity
  • occupational health service
  • administration of agents or other intermediaries
  • pensions administration
  • payment administration
  • disciplinary matters, staff disputes, employment tribunals
  • staff training and development
  • ensuring staff are appropriately supported in their roles
  • vetting checks
  • assessing our performance against equality objectives as set out by the Equality Act 2010

Any patient or member of staff can apply for a copy of the records we hold about them by following the same process below.

Your right to withdraw consent for us to share your personal information (Opt-Out)

You have the right to consent, refuse, or withdraw consent to information sharing at any moment in time. There may be consequences; in some cases it could mean that your clinician would not have a full set of information when treating you, but these will be fully explained to you to help you make your decision.

You can opt out at any time by contacting:

The Information Governance Lead
NHS Croydon CCG
Bernard Wetherill House
8 Mint Walk
Croydon CR0 1EA
Tel 020 8663 1300

Please note that to opt out of participation in national programmes such as the Summary Care Record or Care.Data, you must contact your General Practice.

CCG oversight

We have assigned a Caldicott Guardian and Senior Information Risk Owner who have oversight of the handling of information within our CCG as well as support organisations that we may buy services from. The Caldicott Guardian has the role of overseeing and making decisions on information sharing. The Senior Information Risk Owner is accountable for information risk. Both roles are supported by the Information Governance Steering Group (IGSG) which meets regularly to discuss issues related to information governance. The group is formed of senior representatives from each team within our CCG and is chaired by the Senior Information Risk Owner.

South East CSU provides administrative support for a number of CCG functions for several local CCGs. You can visit their website for further information here: http://www.southeastcsu.nhs.uk/

National initiatives

If you would like to find out about national initiatives that may affect you, please visit:

Accessing your information

Under the Data Protection Act 1998, you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request. Please be aware that we can only provide information held by us at the CCG and not information held by any other NHS organisation e.g. your GP.

We may charge a fee for the administration of the request, as prescribed within the Data Protection Act 1998 and in line with ICO guidelines:

  • If the information is only held electronically we may charge up to £10
  • If the information is only held wholly or partly in paper format we may charge up to £50

If you wish to make a Subject Access Request or have any other concerns or questions please contact the Information Governance Team at:

NHS Croydon CCG
Bernard Wetherill House
8 Mint Walk
Croydon CR0 1EA
Tel 020 8663 1300
Email: secsu.informationgovernance@nhs.net 

Please note that in order to respond to a Subject Access Request we will need to share information about you with South East CSU.

If you are not happy with our response to your subject access request please refer to our complaints process. If you have exhausted this process and wish to take your complaint to an independent body, you can contact the Information Commissioner's Office in writing at the following address:

Wycliffe House 
Water Lane 
Cheshire SK9 5AF

You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

They are also contactable via email: casework@ico.org.uk 


If you have a comment, compliment or complaint about health services in Croydon then please contact the complaints team.

The South East CSU complaints team is responsible for managing the complaints process on our behalf.  The team can also give you general advice about the complaints procedure.

Tel:           0800 4561517
Email:       SLCSU.Complaints@nhs.net  
Fax:          0203 049 4173
Write to:    SECSU Complaints Team, 1 Lower Marsh, London SE1 7NT