Fair Processing Notice
As an NHS organisation, Tower Hamlets CCG operates at a number of different levels in regards to the processing of personal data and information. We act as a Data Controller primarily for the management of data relating to our employees and those working on behalf of or with our organisation and also covering some NHS patient provider functions.
Tower Hamlets CCG may collect information about you which helps us to respond to your queries and help us to design services to improve the health needs and outcomes of local people.
Why we collect information about you
In carrying out our role and responsibilities as a commissioner of healthcare services for people living and working in Tower Hamlets, it is essential that the CCG has an understanding of the health and social care needs of its community. The only way that we can achieve this is by using information that your GP, your hospital or community care clinician or your social worker or health visitor has entered into your care record, as well as some information that is provided via external public sources such, as hospitals and the London Borough of Tower Hamlets. This information may exist on paper or in electronic format and Tower Hamlets CCG ensures that these are kept safe and secure in an appropriate way
We do not however, need to have access to and use all the information that is provided. Where this is identified, information is de-identified either in the Data Services for Commissioners Regional Offices (DSCRO) or Accredited Safe Haven (ASH) prior to being shared with the rest of the CCG for its use. (For further explanation, see section below on mechanisms for processing your data or information).
We may keep your information in written form and / or in digital form. The records may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments.
CCG oversight and responsibility
NHS Tower Hamlets CCG’s Governing Body is supported by a number of key roles within the organisation, led by the Senior Information Risk Owner (SIRO), who is accountable to the Governing Body for information risk management within the CCG and the Caldicott Guardian who advises the Governing Body and the CCG on specific issues relating to the use of patient confidential data.
These roles have oversight of the handling of information within Tower Hamlets CCG or by any support organisations we may buy services from.
The Caldicott Guardian for the CCG is Dr Osman Bhatti, who is a lead GP at Chrisp Street Health Centre, Clinical Lead for Community Health Services and informatics. Their email address is: email@example.com
NEL Commissioning Support Unit (NELCSU) also provides administrative support for a number of CCG functions. You can visit their website for further information here.
Questions & Definitions
To help you in reading this information, the following definitions have been used in this notification and across NHS Tower Hamlets CCG.
What is personal confidential data?
Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or confidential and includes deceased as well as living individuals.
The review interpreted 'personal' as including the Data Protection Act 1998 (DPA) definition of personal data, but included data relating to deceased as well as living people, and 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is adapted to include 'sensitive' as defined in the Data Protection Act.
Examples of identifiable data are:
- date of birth
- NHS number
What is personal data?
As per the Data Protection Act, and defined by the Information Commissioner's Office. Personal data means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
What is sensitive personal data?
Sensitive personal data is different from personal data. Sensitive personal data means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) their political opinions,
(c) their religious beliefs or other beliefs of a similar nature,
(d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) their physical or mental health or condition,
(f) their sexual life,
(g) the commission or alleged commission of any offence,
(h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings
What is secondary care data?
Secondary care data is information we have obtained from local hospitals, other care providers, including independent hospitals and other external public sources.
What is primary care data?
Primary care data is information that is provided by your GP surgery, dental practice and other community service providers.
How is direct patient care defined?
The Caldicott Review defined direct patient care as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness or disease and the alleviation of suffering of individuals.
It includes supporting individuals' ability to function and improve their participation in life and society.
It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
How is indirect patient care defined?
Indirect patient care is defined by the Caldicott Review as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.
Who is a Data Controller?
A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
What is Data Services for Commissioners Regional Offices?
Data Services for Commissioners Regional Offices is a regional secure service provided by the Health and Social Care Information Centre (NHS Digital) to process information for NHS Organisations. For more information please visit the Data Services for Commissioners page of the NHS Digital website.
What is an Accredited Safe Haven?
An Accredited Safe Haven is a local secure service who have undergone and obtained accreditation and approval to receive personal confidential information from various sources for commissioning purposes. NHS Tower Hamlets CCG is not an accredited safe haven organisation.
How your records are used to help the wider NHS
Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.
Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.
How your records are processed by NHS Tower Hamlets CCG
NHS Tower Hamlets CCG processes personal data for a number of reasons and in various ways. These are outlined below:
- For the purpose of internal operations, Tower Hamlets CCG will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
- For the purpose of direct patient care, Tower Hamlets CCG will ensure that any information collected about you is initially provided by you and where any additional information is collected or used this will be with your explicit consent.
- For the provision of indirect care and to maintain rules for use of information, Tower Hamlets CCG uses a number of approved and secure services / systems to process information about you such as:
- Data Services for Commissioners Regional Offices – this is a regional secure service provided by the Health and Social Care Information Centre via the North and East London Commissioning Support Unit (NELCSU). Further information can be found on the Health and Social Care Information Centre (NHS Digital) website.
- Accredited Safe Haven – this is a local secure service within which NSH organisations receive personal confidential data from various sources and then able to share de-identified data for commissioning purposes. The process for accreditation is established and managed by the NHS Digital Service. NHS Tower Hamlet CCG has not applied to receive ASH accreditation.
- Controlled Environment for Finance (CEfF) – this is another established group provided by the North and East London Commissioning Support Unit (NELCSU) on behalf of NHS England to support invoice validation. This service was established under a Section 251 exemption of the Health and Social Care Act 2012 to allow commissioning organisations to validate invoices it received ensuring correct payments are identified and made on behalf of Tower Hamlets CCG.
How we keep your information confidential
It is everyone's legal right to expect that information held and used about their person is safe and secure and is only used for the agreed purpose(s).
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. The information we hold about you, whether in paper or electronic form, is protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared. All NHS Tower Hamlets CCG staff receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.
Information provided in confidence will only be used for the purpose(s) advised with consent given by the patient, unless there are other specific circumstances covered by the current UK and European Union legislation.
NHS Tower Hamlets CCG takes this responsibility very seriously and has ensured that it has robust and effective processes and procedures in place to achieve this expectation for you and the information we hold and process about you.
NHS Tower Hamlets CCG, working with our network service provider, NELCommissioning Support Unit (NELCSU) ensures that information is held in secure locations with restricted access to authorised persons only. We protect all personal information that is held on our systems with encryption so that it cannot be accessed by those who do not have access rights.
How we use the patient information that we collect
NHS Tower Hamlets CCG has safeguards in place to prevent its staff from identifying individuals from the data that we receive either directly via our Accredited Safe Haven, using information from services we commission in Tower Hamlets or indirectly via the Data Services for Commissioners Regional Offices using national information from various NHS organisations as outlined in the previous section.
Information from your health and social care records will be received into either the Accredited Safe Haven or the Data Services for Commissioners Regional Offices and any information that might allow others to identify you is removed. This means that no one can know:
- your name
- your exact date of birth (this is replaced with just the year of birth)
- your postcode (this is replaced with a national standard area code that is based on the total population and number of houses in an area)
- The information from your health and social care records may also contain more sensitive information about your health and also information such as outcomes of needs assessments but these are mainly coded.
Your NHS number, GP practice and treatment details are kept so that your information from each service can be linked together within the Accredited Safe Haven / Data Services for Commissioners Regional Offices controlled environment. This gives us a fuller picture of the health of people in Tower Hamlets and the services required supporting them to stay healthy. We use this information to provide and improve health services. This data also enables us to identify patients or service users who may benefit from additional preventive care.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as Secondary Uses Service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc…, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, and podiatry for example. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as Tower Hamlets CCG does not have any access to patient identifiable data.
These uses are in line with the purposes outlined in our registration with the Information Commissioner's Office, the reference number is ZA005654.
What we use your information for
Analysis – Risk stratification
Your information may be used to help assess the needs of the general population both on a local, regional and national level to help make informed decisions about the provision of future services. Information can also be used to conduct health research and development, monitor NHS performance in order to allow the NHS to plan for the future.
As part of our planning and continuous development, NHS Tower Hamlets CCG will identify areas to concentrate on concerning the health of Tower Hamlets’ residents. In these circumstances, the use of data will be reviewed to ensure that it is still within the same meaning of this publication and the reasons for collecting data.
Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by the Health and Social Care Information Centre (NHS Digital Your personal information choices) from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.
There is currently Section 251 support in place to allow Tower Hamlets’ CCG risk stratification tool to receive and link identifiable (using NHS number) patient information from the Health and Social Care Information Centre (NHS Digital) and from local GP practices.
A section 251 is where The Secretary of State for Health and Social Care has approved NHS England’s application for support to establish a temporary lawful basis for ‘necessary’ personal confidential data to be used to validate invoices, allow an organisation to become an accredited safe haven and carry out risk stratification. The risk stratification tool then provides NHS Tower Hamlets CCG with anonymised or aggregated data which we use to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.
Paying for services
Where care is provided that NHS Tower Hamlets CCG is responsible for, it will need to provide payment to the care provider. See the rules for who pays. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP within Tower Hamlets is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance and within the Controlled Environment for Finance (CEfF).
NHS Tower Hamlets CCG and NHS England may use either your NHS Number or Post code to validate invoices it received, to ensure the CCG is paying for treatments relating to its patients only, under The Section 251 rules in the Health and Social Care Act 2015.
The validation of invoices is undertaken within a controlled environment for finance within the NEL Commissioning Support Unit (NELCSU). The dedicated NELCSU team receives patient level information direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by NHS Tower Hamlets CCG.
It is important to note that NHS Tower Hamlets CCG does not receive or see any patient level information relating to these invoices.
The invoice validation process supports the delivery of patient care across the NHS by:
- ensuring that service providers are paid for the patient’s treatment;
- enabling services to be planned, commissioned, managed, and subjected to financial control enabling commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible;
- fulfilling commissioners’ duties of fiscal probity and scrutiny; and
- enabling invoices to be challenged and disputes or discrepancies to be resolved
Handling continuing healthcare applications
If you make an application for continuing healthcare funding, NHS Tower Hamlets CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. This process is nationally defined and we follow a standard process and use standard information collection tools to decide whether someone is eligible.
From April 2014, anyone eligible for continuing healthcare will also be able to receive the money they need as a personal health budget in the form of a direct payment. This will give people greater choice and control over their care and support. You can read more about this on the continuing healthcare page of the NHS Choices website.
Personal health budgets
A personal health budget is an amount of money to support the identified healthcare and wellbeing needs of an individual, which is planned and agreed between the individual, or their representative and Tower Hamlets CCG. To support this process, Tower Hamlets CCG will process personal confidential data including sensitive data to evaluate, agree and monitor any personal health budgets.
Handling individual funding requests (IFR) applications
If you make an individual funding request (IFR) to fund specialist drugs or rare treatments, NHS Tower Hamlets CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.
NHS Tower Hamlets CCG’s Medicines Management Team supports member GP practices with the latest guidance on the use of evidence based cost effective medicines. The CCG supports local GP practices with prescribing queries that generally do not require identifiable information. If a patient contacts Tower Hamlets CCG directly and would like a member of the Medicines Management team to speak to their GP practice, then access to identifiable information is provided only with consent from the patient and this information is not retained by the team.
Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned. Please see the CCG website for safeguarding information.
In order for NHS Tower Hamlets CCG to perform its commissioning functions, information is shared from various organisations which include: General practices, acute and mental health hospitals, other CCGs, community services, walk-in centres, nursing homes, directly from service users, Tower Hamlets social care services and many others.
What kinds of information we use (for further explanation see definitions section above)
The information that we use in NHS Tower Hamlets CCG may be:
Identifiable information – containing details that identify individuals. We may use personal information about you such as your name and address or other times we use more sensitive information about your health.
Personal confidential data - This is personal Information that can be used to describe an individual, which is kept private and includes deceased as well as living patients.
Pseudonymised information – This is information about an individual that has been replaced with a unique code and can identify a person (such as NHS number or GP practice patient number). This information format allows data to be linked (without directly identifying individuals) to give the CCG a better understanding of healthcare needs in order to plan for the future.
Anonymised information – This is information about individuals but with identifying details removed and so cannot be tracked back to you. This information is used to plan health care services. Specifically, it is used to:
- check the quality and efficiency of the health services that NHS Tower Hamlets CCG commissions;
- prepare performance reports on the services commissioned;
- assess what illnesses people will have in the future, so the CCG can plan and prioritise services and ensure these meet the needs of patients in the future; and
- review the care being provided to make sure it is of the highest standard.
Aggregated information – anonymised information grouped together so that it cannot easily be put back together in order to identify individuals.
Information sharing with other NHS agencies and non-NHS organisations
We may share your information for health purposes and for your benefit with other organisations such as NHS England, NHS Trusts, and also general practitioners (GPs), etc… We may also need to share information with our partner organisations in health and social care.
Information may also need to be shared with other non-NHS organisations, from which you are receiving care, such as, London Borough of Tower Hamlets and Community Health Services and other providers from which we commission services.
Where information sharing is required with third parties, we will always have relevant contractual obligations and data sharing agreements in place and will not disclose any health information without your explicit consent unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it or to carry out a statutory function.
In some exceptional circumstances we do not require your explicit consent to share information. This would be in cases, for example, notification of new births, a public interest issue, when the health and safety of others is at risk, fraud prevention and investigation, protecting children and vulnerable adults from harm or where the law requires it (a formal court order has been served requiring us to do so) or on the grounds of national safety and security, and for the prevention of serious crimes.
In these cases, permission to share must be given by our Caldicott Guardian, Dr Osman Bhatti, who is the senior person in NHS Tower Hamlets CCG with responsibility for ensuring the protection of confidential patient and service user information. We are obliged to tell you that we have shared your information unless doing so would put you or others at risk of harm.
The law provides some NHS bodies, particularly the Health and Social Care Information Centre (NHS Digital), with permission to collect and use patient data to help commissioners to design and procure the combination of services that best suit the population that they serve. The patient data that is supplied is not in a form that will identify you.
NHS Tower Hamlets CCG as a health care organisation is required to support the public sector, including police, in their work. This may include the provision of personal information about patients or staff. There are legal constraints to the information that may be shared depending on the circumstances further information is available on this link: Disclosure of personal information to the police.
Specialist advice on the handling of patient information is provided by the Information Governance team within the NEL Commissioning Support Unit to ensure all legal requirements are met when handling information.
National Fraud Initiative
NHS Tower Hamlets CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds or where undertaking a public function in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information, such as key payroll data and contact details. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
For further information on data matching at NHS Tower Hamlets CCG please contact Henry Black, Chief Finance Officer and our Corporate Affairs Team or Deputy Director of Corporate Affairs, Ellie Hobart or Gemma Higginson, Local Counter Fraud Specialist, via Gemma.Higginson@rsmuk.com or 07800 718680.
Further information about countering fraud in the NHS is available on NHS Protect website through this link https://www.reportnhsfraud.nhs.uk/
What are your rights?
Your right to withdraw consent for us to share your personal information (opt-out)
We may be asked to share basic information about you, such as your name and address which does not include sensitive information. This would normally be to assist planning of services or assisting other provider organisations to carry out their statutory duties under the Data Protection Act. Your explicit consent is required if information about you is to be shared for purposes not directly related to your direct care. You have a right to inform us if you do not want information about you to be shared or used for this purpose.
If you do not want NHS Tower Hamlets CCG to use information about you to plan future healthcare needs, please contact your GP practice. If at any point you change your mind to allow the use of your information, please contact your GP practice again.
Any of the data processing outlined in this notification is mainly based on consent for processing and is provided when you attend a health or social care setting, or based on specific requests as in many of the programs we have described above.
The process for opting out of any of the processing that have been mentioned in this notification are very similar, but the links provided will also provide specific details on how and what to do for each program.
You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision.
Your right to opt-out of information sharing
NHS Tower Hamlets CCG will not publish any information that identifies you or routinely disclose any information about you without your express permission.
You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision.
There are two types of opt-out that you can make. There are two choices available to you:
- You can object to information about you leaving your GP practice in an identifiable form for purposes other than your direct care, which means confidential information about you will not be shared with Tower Hamlets CCG, the Health and Social Care Information Centre (NHS Digital) or other organisation for any non-direct care purpose. This is referred to as a 'type 1' objection.
- You can object to information about you leaving the Health and Social Care Information Centre (NHS Digital) in identifiable form, which means confidential information about you will not be sent to anyone outside the NHS This is referred to as a 'type 2' objection.
Information from other places where you receive care, such as hospitals and community services is collected nationally by the Health and Social Care Information Centre (HSCIC), now called the NHS Digital- https://digital.nhs.uk/
If you do not want information that identifies you to be shared outside your GP practice and/or with the Health and Social Care Information Centre (NHS Digital), please speak to a member of staff at your GP practice to ask how to “opt- out”.
Your GP practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or public health emergency.
In both cases, it is still necessary for the Health and Social Care Information Centre (NHS Digital) to hold information about you in order to ensure data is managed in accordance with your expressed wishes.
Please see Patient Objections Management on the Health and Social Care Information Centre (NHS Digital) website for further information.
If you have questions about this, please speak to staff at your GP practice or call the Health and Social Care Information Centre's (NHS Digital), dedicated patient information line on 0300 456 3531.
Your right to withdraw consent
At the time when you registered at your GP practice you were informed that your information may be shared with other health care professionals and care providers where it is deem necessary; to continue to improve your health, of which you may have provided consent to your GP to share information about you with other colleagues. If your GP has suggested further referral and you feel it is not necessary, you have a right to withdraw your consent at your GP practice with the GP at the point of referral.
Before you are provided with care or treatment the healthcare professional will ask for your consent to view your information. You have a right to withdraw your consent at this point. Note if you withdraw consent at this stage the healthcare professional will not be able to proceed with providing you with the care that is necessary.
We may be asked to share basic information about you, such as your name and address which does not include sensitive information. This would normally be to assist planning of services or assisting other provider healthcare organisations to carry out their statutory duties. Under the Data Protection Act your explicit consent is required if information about you is to be shared for purposes not directly related to your direct care. You have a right to inform us if you do not want information about you to be shared or used for this purpose.
If you have already given consent for your information to be shared, you have the right to change your mind and withdraw this consent at any time. The possible consequences will be fully explained to you, such as potential delays in receiving care where NHS Tower Hamlets CCG is required to make a funding decision.
If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision.
There may be circumstances where we are required to share information about you owing to a legal obligation, such as for the benefit of public health in the event of a pandemic. Anyone who receives information from us is also under a legal duty to keep this information confidential.
Retention and destruction of records
All records held by NHS Tower Hamlets CCG will be kept and destroyed for the duration specified by national guidance from the Department of Health, NHS Records Management Code of Practice and in line with NHS Tower Hamlets’ CCG information governance policies.
The NHS Care Record Guarantee is a commitment that all NHS organisations (and other organisations which provide NHS-funded care) will use your records in ways that respect your rights and promote your health and wellbeing.
The NHS Constitution establishes the principles and values of the NHS in England. It provides a summary of your legal rights and contains pledges that the NHS is committed to achieve, including certain rights and pledges concerning your privacy and confidentiality.
Gaining access to your information held by NHS Tower Hamlets CCG
Subject access request
Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a subject access request to NHS Tower Hamlets CCG.
We may charge a reasonable fee for the administration of the request, set down in law as follows:
- If the information is only held electronically we may charge up to £10 for complying.
- If the information is only held wholly or partly in paper format we may charge up to £50 for complying.
If you wish to make a subject access request please contact the Information Governance team at:
NEL Commissioning Support Unit
75-77 Worship Street
You can also email: firstname.lastname@example.org
Note: In order to deal with a subject access request, NHS Tower Hamlets CCG will need to share information with the NEL Commissioning Support Unit (NELCSU).
Freedom of information requests (FOI) and environmental information regulations (EIR)
The Freedom of Information Act (2000) and the Environmental Information Regulations (2004) gives every individual the right to request information held by government agencies. Private companies are not subject to this act.
Please note that a freedom of information request and environmental information regulations requests are not a subject access request.
For postal requests, please send to the Freedom of Information team at:
NEL Commissioning Support Unit
75-77 Worship Street
London EC2A 2EJ
You can also email your request to: NELCSU.email@example.com
Note that your freedom of information request made to the CCG will be dealt with by NEL Commissioning Support Unit (NELCSU).
Your request for information must be made in writing and you are entitled to a response within 20 working days.
Can my request be refused?
Our commitment to publish information excludes any information which can legitimately be withheld under the exemptions set out in the NHS Openness Code or the Freedom of Information Act. Where individual classes of information are subject to exemptions, the main reasons are, for example, the protection of commercial interests and personal information under the Data Protection Act 1998. This applies to all classes within the publication scheme.
What information do we publish?
Under the Freedom of Information Act, NHS Tower Hamlets CCG is required to have a publication scheme which sets out the CCG’s commitment to make the following classes of information routinely available:
- who we are and what we do
- what we spend and how we spend it
- what are priorities are and how we are doing
- how we make decisions
- our policies and procedures
- lists and register
- the services we offer.
This will be updated shortly by the Information Commissioner’s Office but in the meantime information is either available on the CCG’s website or by contacting the Freedom of Information team
More details can be found on the Information Commissioner’s Office website.
Compliments and complaints
the event that you believe Tower Hamlets CCG has not complied with the Data Protection Act, either in responding to a subject access request or in the way we have processed your personal information, you have the right to make a complaint. If you have a complaint or concern about NHS Tower Hamlets CCG or a service we commission, we will use your information to communicate with you and investigate any complaint if it is the responsibility of Tower Hamlets CCG.
For more information, see our complaints webpage or write to:
The Patient Experience and Effectiveness Team
NEL Commissioning Support Unit
75-77 Worship Street
For independent advice about data protection, privacy, data sharing, your rights or if you are not happy with our responses and have exhausted all the avenues in the CCG complaints process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing at the following address:
Access to more information
Below are links to more information about your rights and the ways that the NHS uses personal information:
- The Health and Social Care Information Centre (HSCIC) - Guide to confidentiality in health and social care
- The NHS England website for more information on personal information usage and why it is used.
- Health and Social Care Act 2015 Health and Social Care Act
- The Confidentiality Advisory Group, who approve Section 251 applications and provide independent expert advice to the HRA (for research applications) and the Secretary of State for Health (for non- research applications) on whether applications to access patient information without consent should or should not be approved.
- NHS England advice for CCGs and GPs on information governance and risk stratification
- Health and Social Care Information Centre - guidance on their data collections
- Health Research Authority website for advice on research