1. Who we are?

NHS Swindon Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely. 

For further information please refer to the ‘About Us’ page on our website. 


2. What is a ‘Privacy Notice’ and what does it mean for me?

NHS Swindon Clinical Commissioning Group treats the confidentiality of the data we hold about people living in Swindon very seriously. This privacy notice provides an overview of the information we hold, why we hold it and how we store it securely. 

This privacy notice is part of our programme to make the data processing activities we carry out in order to meet our commissioning obligations transparent. 

This privacy notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. 

It covers information we collect directly from you or receive from other individuals or organisations.  

You should be aware of the following documents:

NHS Constitution – The NHS pledge to service users that it will respect you, provide opportunities for informed consent and treat your personal data with confidentiality.  Furthermore you have the right of complaint should things go wrong.

NHS Care Record Guarantee – Emphasizes the rights you have to request copies of your personal data; the NHS duty to retain accurate records and how that data is protected under the Data Protection Act 1998.  It requires good practice by NHS staff to discuss with you and agree what information they will keep about you.  The Guarantee provides 12 commitments about the use of your personal data in line with NHS confidentiality requirements.

This privacy notice will be reviewed on a regular basis to ensure it is in line with national guidance and legislation. This privacy notice was reviewed in September 2016. 


3. How does Swindon Clinical Commissioning Group comply with data privacy and confidentiality issues? 

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people. 

Examples of identifiable data are: 

  • Name;
  • Address; 
  • Postcode; 
  • Date of Birth; 
  • NHS Number.

Personal data mean data which relates to a living individual who can be identified:

(a) from that data, or;

(b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data is different from Personal Data. Sensitive personal data means personal data consisting of information as to:

(a) the racial or ethnic origin of the data subject;

(b) their political opinions;

(c) their religious beliefs or other beliefs of a similar nature; 

(d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);

(e) their physical or mental health or condition;

(f) their sexual life;

(g) the commission or alleged commission of any offence, or;

(h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

NHS Swindon CCG is a Data Controller under the terms of the Data Protection Act 1998. This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed. 

We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is done in compliance with the 8 Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3623454 and our entry can be found in the Data Protection Register on the ICO website.  

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing. 

If you are receiving services from the NHS, the CCG share information that does not identify you , this is call anonymised data, with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.  

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. The Data Protection Act controls how organisations use ‘personal data’ – that is, information which allows individuals to be identified.

Organisations are increasingly reliant on anonymisation techniques to enable wider use of personal data. The code of practice explains the issues surrounding the anonymisation of personal data, and the disclosure of data once it has been anonymised. The code describes the steps an organisation can take to ensure that anonymisation is conducted effectively, while retaining useful data.

Pseudonymised data/information is anonymous to the people who hold or receive it (e.g. a research team), but contains information or codes that would allow others (e.g. those responsible for the individual's care) to identify an individual from it. (Also referred to as linked anonymised).

We would not share information that identifies you unless we have a fair and lawful basis such as: 

  • You have given us permission; 
  • To protect children and vulnerable adults;
  • When a forma court order has been served upon us;
  • When we are lawfully require to report certain information to appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency planning reasons such as for protecting the health and safety of others; 
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals. 

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a ‘need –to –know’ basis. 

All our staff, contractors and committee members receive appropriate and ongoing training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. 

We will only use the minimum amount of information necessary about, and will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.  


4. What is a Caldicott Guardian?

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. 

Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The mandate covers all organisations that have access to patient records, so it includes acute trusts, ambulance trusts, mental health trusts, primary care trusts, strategic health authorities, and special health authorities such as NHS Direct.

The Caldicott Guardian plays a key role in ensuring that NHS, Councils with Social Services responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information.

Acting as the 'conscience' of an organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

The Caldicott Guardian also has a strategic role, which involves representing and championing Information Governance requirements and issues at Governing Body or executive management team level and, where appropriate, at a range of levels within the organisation's overall governance framework.

NHS and Social Care Caldicott Guardians are required to be registered on the publicly available National Register of Caldicott Guardians. Please visit: National Register of Caldicott Guardians (XLS, 185.5kB).

The contact details for our Caldicott Guardian, Gill May, are below in section 12 (Contact Us) of this notice. 


5. What personal information does NHS Swindon Clinical Commissioning Group collect and hold on me?

As a commissioner, we may need to hold some personal information about you, for example:

  • If you have made a complaint to us about healthcare that you have received and we need to investigate;
  • If you ask us to provide funding for Continuing Healthcare services;
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care; 
  • If you ask us to keep you regularly informed and up to date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user/Patient Participation Groups;
  • If you have used our repeat prescription service, run on behalf of GP practices in the Swindon area; 
  • If you use e-Referral Service facilities in the Swindon area, which is managed by our Referrals team. 

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. 

Our records may be held on paper, or electronically within our computer systems. The types of information that we may collect and use include the following:

  • Personal Confidential information;
  • Pseudonymised information; 
  • Anonymised information. 

The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for: auditing; or administering public funds; or where undertaking a public function, in order to prevent and detect fraud. 

The Cabinet Office is responsible for carrying out data matching exercises. 

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. 

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here. 

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. 

Data matching by the Cabinet Office is subject to a Code of Practice. 

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. 

For further information on data matching please contact the CCG by calling 01793 683700 or by email This email address is being protected from spambots. You need JavaScript enabled to view it.


6. Who else has access to my personal information?

NHS Swindon Clinical Commissioning Group share information with third party organisations to help with the provision of services within health and social care, these third party organisations are call ‘Data Processors’. 

‘Data Processor’, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. 

The Information Commissioner’s Office define ‘processing’ of data as, obtaining, recording or holding the information or data or carrying out any operation or set operations on the data , including:

  • Organisation, adaptation or alteration of the information or data;
  • Retrieval, consultation or use of the information or data;
  • Disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data. 

Data sharing agreements (contracts) between NHS Swindon (data controller) and third party organisations (data processors) are in place, and reviewed on a yearly basis to ensure they are still compliant with national legislation. 

Below are key examples of the purposes and rationale for why we collect and process information: 

Purpose  Why? 

To process your personal information if it relates to a complaint where you have asked for our help or involvement. 

Legal Basis

We will need to rely on your explicit consent to undertake such activities. 

Complaint Processing Activities 

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. 

We will only use the personal information we collect to process the complaint and to check on the level of service being provided. 

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. 

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. 

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. 


We may use service user stories, following upheld complaints, but always anonymously. The service user stories will provide a summary of the concern, service improvements identified and how well the complaint procedures have been applied. Consent will always be sought from the service user and carer or both before we use the service user story. 

Funding treatment We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. 

This may be called an “Individual Funding Request” (IFR)

Legal Basis 

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent. 

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages. 

Legal Basis


The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to address your needs and commission your care and gain your explicit consent.


We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns. 

Legal Basis

Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use. 

Risk Stratification

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. 

Legal Basis

We are committed to conducting risk stratification effective, in ways that are consistent with the laws that protect your confidentiality. 

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.  This gives us a statutory legal basis under section 251 of the NHS Act 2006 to process data for risk stratification.  


Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long term conditions and to help and prevent avoidable admissions. 

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices. 

Data Processing activities for Risk Stratification 

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems. 

The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them. 

The CCG has commissioned Northgate Public Services (UK) Limited to conduct risk stratification on behalf of itself and its GP practice. 

The service providers that are our data processors for Risk Stratification purposes are Northgate Public Services (UK) Limited. 

This processing for Risk Stratification takes place under contract with Northgate Public Services (UK) Limited, following these steps below:

  1. The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and has signed an NHS Digital data sharing contract for the SUS (secondary care/hospital) data. 
  2. Your GP practice instructs its GP IT system supplier (EMIS) to provide primary care data identifiable by your NHS number for those patients that have not objected to Risk Stratification or there is no Type 1 objection made by the patient. The data, containing the same verified NHS numbers, are sent via secure transfer, directly into the landing stage of the Health Intelligence system. 
  3. Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and NHS Digital. No identifiable data of any patient is seen by NHS Swindon Clinical Commissioning Group staff.

Northgate Public Services (UK) Limited has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available the analytics team within the CCG. 

The risk scores are only made available to authorised users within the GP practice where you are registered via a secure portal .

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form. 

If you do not wish for information about you to be included in our risk stratification programme, please contact your GP practice to opt out. They can add a code to your records that will stop your information from being used for this purpose. 

Further information about risk stratification is available from: www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/ 

Invoice Validation

The Invoice Validation process ensures that care providers who provide you with care and treatment can be paid for the services they provide.

Care providers submit their invoices to NHS Shared Business Services (NHS SBS) who process invoices on behalf of NHS Swindon CCG.  NHS SBS do not require and should not receive any patient confidential data to provide their services.

There are situations where patient identifiable data is required to ensure that the correct service provider is paid.

In such cases service providers are required to send patient identifiable data to a Controlled Environment for Finance (CEfF) which is a secure restricted area within the CCG who process this data on our behalf and indicate which invoices we can validate (authorise) for payment. NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect report and investigate any incidents of where a breach of confidentiality has been made.

For more information see:https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/

Legal Basis

The legal basis for NHS Swindon CCG to receive personal identifiable data for the purposes of invoice validation is provided by section 251 of the NHS Act 2006.


The invoice validation process supports the delivery of patient care by ensuring that:

  • Service providers are paid for patients treatment
  • Enables services to be planned, commissioned, managed and subjected to financial control
  • Enables commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible for
  • Fulfilling commissioners duties of fiscal probity and scrutiny
  • Enables invoices to be challenged and disputed or discrepancies resolved. 


Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us. 

Legal Basis

We will obtain your consent for this purpose, when you initially contact us to get involved in our engagement and consultation activities. 


Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document. 


To collect NHS data about service users that we are responsible for. 


Processing Activities

Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users. 

This information is generally known as commissioning datasets. NHS Swindon Clinical Commissioning Group obtains these datasets from NHS Digital and they relate to service users registered with GP practices that are members of the CCG. 

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research. 

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included. 

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by NHS Digital is available on their website: www.digital.nhs.uk/patientconf

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:

  • Performance managing contracts; 
  • Reviewing the care delivered by providers to ensure service users are receiving good quality and cost effective care; 
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs; 
  • To reconcile claims for payments for services received in your GP Practice; 
  • To audit NHS accounts and services. 

If you do not wish for your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP practice and they can apply a code to your records (Opt Out) that will stop your information from being included. 

For other organisations to provide support services for NHS Swindon Clinical Commissioning Group

 NHS Swindon Clinical Commissioning Group will use the services of the additional data processors, who will provide additional expertise to support the work of the CCG. 

Legal Basis

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.  These organisations are known as “data processors”. 

 Below are details of our data processors:


 • NHS South, Central, and West Commissioning Support Unit

Omega House 



SO50 5PB

Telephone: 023 8062 7444

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.scwcsu.nhs.uk/who-we-are


• Wiltshire Clinical Commissioning Group

Southgate House

Pans Lane


SN10 5EQ

Telephone: 01380 728899

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website:  www.wiltshireccg.nhs.uk/about-us


• West Hampshire Clinical Commissioning Group

Omega House

112 Southampton Road



SO50 5PB

Telephone: 023 8062 7444

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website:  www.westhampshireccg.nhs.uk/about-us


• Wiltshire Council

County Hall 

Bythesea Road 


BA14 8JN 

Telephone: 0300 456 0100

Website:  www.wiltshire.gov.uk/


• Swindon Borough Council

Civic Offices

Euclid St


SN1 2JH 

Telephone: 01793 445500

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.swindon.gov.uk/site/index.php


• Royal United Hospital Bath NHS Trust

Combe Park



Telephone: 01225 428331

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.ruh.nhs.uk/about/index.asp?menu_id=1


• Great Western Hospitals NHS Foundation Trust

Marlborough  Road 



Telephone: 01793 604020

Website: www.gwh.nhs.uk/about-us/


• Oxford Health NHS Foundation Trust 

Warneford Hospital

Warneford Land




Telephone: 01865 901000

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.oxfordhealth.nhs.uk/about-us/


• NHS Share Business Services

Telephone: 0113 3071500

Online query form: www.sbs.nhs.uk/contact-us/contact-us/member-of-public-contacts


• Northgate Public Services

Peoplebuilding 2

Peoplebuilding Estate

Maylands Avenue

Hemel Hempstead



Telephone: 01442 768445

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.northgateps.com/about-us/overview/


• Medvivo Group Limited

Fox Talbot House

Greenways Business Park 



SN15 1BN

Telephone: 0800 6444 200

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.medvivo.com/about-us/ 



These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us. 

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose. 

Data Flows 

The CCG maps each individual data flow in and out of the organisation, to understand what data it holds and processes.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user. 


To support research orientated proposals and activities in our commissioning system. 

Legal Basis

Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. 

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken. 


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole. 

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records. 

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies. 

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know (Opt out). They will add a code to your records that will stop your information from being used for research.  

Primary and Secondary Care

We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS. 

Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists. 

Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care. 

These organisations may share identifiable, pseudonymised, anonymized, aggregated, personal confidential and sensitive personal data information with us for the following purposes:

  • To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases;
  • To undertake clinical audit of the quality of services provided;
  • To carry out risk profiling to identify patients who would benefit from proactive intervention;
  • To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
  • To report and investigate, complaints, claims and untoward incidents;
  • To prepare statistics on our performance for the Department of Health;
  • To review our care to make sure that it is of the highest standard.

Legal Basis

Your information is only accessed by authorized persons and not disclosed unless necessary.  We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.


Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Recording of Telephone Calls

All telephone calls to and from NHS Swindon CCG, including those to and from the Referral Team and Prescription Team, are recorded. 


This is to help us ensure that we provide the best possible service to patients. This helps us to deliver care and identify ways that we can provide you with a better service. 

CCTV Cameras

We have installed CCTV cameras in our offices in areas that are used by members of the public and staff.

Legal Basis

This is for the purposes of public safety and crime prevention / detection.  In all locations, signs are displayed notifying of the fact the CCTV is in operation and providing details of whom to contact for further information about the scheme. 



Individuals are being provided with free access to Wi-Fi to gain internet access in all GP practices. Practice staff will also have the ability to access their corporate network from mobile devices e.g. laptops and tablets 

Processing Activities

The connection and disconnection times, allocated IP addresses, Mac address, online resources and services accessed, name and email address used to log on to the GP WI-FI network will be shared with system administrators at Swindon CCG to allow traceability as per the Data Retention Regulations of 2009. Anonymised usage statistics will also be submitted to NHS Digital, so that NHS Digital can monitor NHS Wi-Fi uptake.

Legal Basis

We will need to rely on your explicit consent to undertake such activities. 

Users must accept terms and conditions before they can gain access to the service and submit their details.

Data Retention Regulations of 2009.

User accounts can be deleted upon request.


NHS Wi-Fi is being rolled out to all general practices in England and patients will be able to access the internet free of charge in their GP’s waiting room, via their smart phone or tablet. Internet access will be granted through an NHS.UK landing page which will host national healthcare information alongside locally generated content from the general practice or CCG, such as information about local clinics and health services. Patients can use the service to access and download health apps, browse the internet and look up health and care information.  

Funded by NHS England and delivered by NHS Digital and Clinical Commissioning Groups, NHS Wi-Fi is a response to patient feedback asking for free Wi-Fi services to be introduced in NHS locations. It provides an efficient, reliable and secure platform that enables GPs to offer and utilise the latest digital health and care services.

Prescription Ordering Direct (POD)

NHS Swindon CCG is supporting GP practices to provide an alternative route for patients to order their repeat prescriptions. 

The POD will be staffed by dedicated, experienced and fully trained prescribing clerks and clinical members of the Medicines Optimisation team at the NHS Swindon Clinical Commissioning Group. They will be able to access all repeat prescription records and have immediate access to your GP practice should the need arise. 

If your GP practice has joined the POD service, and if you choose to contact the POD service to arrange for a repeat prescription, you will be asked for your consent to access your medical record, which will be done via your GP's record system (either “TPP SystmOne” or “EMIS web”). The POD team will log into the relevant GP practice system, access your patient record and ask you some questions to confirm your identity.

The POD member of staff will have access to part of your patient record needed to complete your request for a repeat prescription.

Legal Basis

Consent – your patient record will only be accessed if you chose to make use of this repeat prescription service, and give your consent.

Referral Support Centre (RSC)

The Referral Support Centre (RSC) is a local service available for all Swindon GP practices provided by Swindon Clinical Commissioning Group. The aim of the RSC is to support patients and practices through the referral process using the National Booking System, known as eReferrals.

The RSC have a team of local clinicians who review the referrals we are sent. Based on their advice, the RSC will offer appropriate services to patients and, where possible, offer them a choice of appointment dates, times and locations. By offering alternatives to the traditional hospital based consultant appointments we are aiming to help more patients to be treated in the most appropriate setting based on their clinical condition.

The RSC is staffed by experienced call handlers aware of local booking/commissioning instructions to help ensure patients are seen in the right place first time. In order to do this efficiently they will have access to details such as your name, DOB, address, telephone number, NHS number and your patient referral information. The RSC are also able to provide patients with additional information, such as directions or local transport links, which is not available from the national telephone appointment line.

Legal Basis

Your information is only accessed when necessary by authorized persons. We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.


7. Is my data transferred overseas or sold for profit to other organisations? 

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. 

The CCG will never sell any information about you to other organisations for profit. 


8. What are my rights?

You have certain legal rights, including a right to have your information processed fairly and lawfully and the right to access any personal confidential data we hold about you.  You can do this through a Subject Access Request (detailed below) or through the Freedom of Information Act.

You have the right to privacy and to expect the NHS to keep your information confidential and secure. 

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. 

These are commitments set out in the NHS Constitution, for further information please visit: www.gov.uk/government/publications/the-nhs-constitution-for-england

You have the right to withdraw consent to us sharing your personal confidential data if you do not wish us to, how you do this is detailed below in section 9 of this notice. 

If you do not agree to certain information being processed or shared with us, or by us, or have any concerns, then please let us know by contacting the PALS and Complaints team.  Contact details are in section 12 of this notice.  


9. Can I opt out of my data being shared?

The NHS Constitution states “you have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. 

There are several forms of opt outs available to you, these include:

• Information directly collected by the CCG

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation i.e. safeguarding. 

• Information not directly collected by the CCG, but collected  by organisations that provide NHS/Social Care services

Type 1 opt out 

If you do not want your personal confidential data that identifies you (Name, Address, Postcode, Date of Birth, NHS Number) to be shared outside your GP practice, for purposes beyond your direct care, you can register a Type 1 opt out with your GP practice.  This prevents your personal confidential data from being used other than in particular circumstances required by law, such as a public health emergency i.e. breakout of a pandemic disease. 

Records for patients who have registered a Type 1 opt out will be identified using a particular code that will be applied to your medical records, this will stop your records from being shared outside of your GP practice.

Type 2 opt out 

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services i.e. Social Services. 

To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care, this is known as Type 2 opt out. 

If you do not want your personal confidential data to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a Type 2 opt out with your GP practices. 

For further information and support relating to Type 2 opt outs please contact NHS Digital contact centre (This email address is being protected from spambots. You need JavaScript enabled to view it.) referencing ‘Type 2 opt outs – Data request’ in the subject line.   Alternatively please call on 0300 303 5678 or visit their website

PLEASE NOTE patients are only able to register Type 1 and 2 opt outs at their GP practice, not with the CCG or NHS Digital. 

There may be occasions when it is not possible to exercise your right to “Opt Out”, this will be in situations such as when we have an obligation by law or for the purposes of safeguarding. 

It is also important to note that by exercising your right to “Opt Out”, there could be consequences.  These situations will be discussed with you by your GP or by HCSIC depending on whether you choose Type 1 or Type 2 Opt Out.  


10. Can I request a copy of all information held about me?

This right, commonly referred to as subject access, is created by section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:

  • Told whether any personal data is being processed;
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; 
  • Given a copy of the information comprising the data, and given details of the source of the data (where this is available). 

In most cases the CCG must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. For further details on Subject Access Request (SAR’s) and exemptions please visit the Information Commissioner Office website.

If you would like to make a Subject Access Request to obtain a copy of the personal confidential data held by the NHS on yourself, please contact:

F.A.O Subject Access Request Team  

NHS Swindon Clinical Commissioning Group

The Pierre Simonet Building 

North Swindon Gateway 

North Latham Road 



SN25 4DL

Telephone: 01793 683700

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website:  www.swindonccg.nhs.uk/index.php/contact-us/freedom-of-information-requests

Your request will be automatically forwarded to NHS South, Central and West Commissioning Support Unit, an NHS support organisation operating under the authority of the NHS Commissioning Board, whose staff manage requests on NHS Swindon Clinical Commissioning Groups behalf. 

PLEASE NOTE that the CCG reserves the right to charge for Subject Access Requests. 


11. Who should I contact if I have a complaint or question on how my data is being held and processed?

We are committed to providing the best possible service at all times.  We welcome your suggestions and feedback about our services and want to resolve any problems you may experience to help make local healthcare services more effective.

Although we oversee all comments, concerns, compliments and complaints that are received, we have delegated management of the process to the South, Central and West Commissioning Support Unit (SCWCSU). To achieve this will involve the CSU accessing patient records and disclosing relevant information to us.

Patient Advice and Complaints Team (PACT)

You can ask for advice, information or talk to PACT about a concern.  PACT is impartial and will work with you to try to resolve a difficulty or problem and can act on your behalf if you wish.  They will discuss with you the best ways to resolve your concerns or problems and will agree with you what action to take for your individual circumstances.  They can also signpost to other sources of help if needed.  Your personal details remain confidential although information from PACT is used anonymously to help improve services. If you have received particularly good service from any health service provider or you have any comments / suggestions to make, please let them know.  This information will help us to keep improving our services.

You can provide feedback directly to PACT in writing, by email, by telephone or in person (by appointment only):

Patient Advice and Complaints Team

Priory Road Medical Centre

Priory Road

Park South



Telephone: 0300 200 8844

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: http://www.swindonccg.nhs.uk/index.php/contact-us/patient-advice-and-complaints-team


How to make a formal complaint about a health service

Many complaints can be resolved quickly by discussing them directly with the person providing the service or the manager concerned. However, if you do want to make a formal complaint, let us know as soon as possible, as there is a time limit of 12 months, although this can be waived depending on the circumstances.

Who can complain?

Anyone who is receiving, or has received, NHS treatment or services can complain, as can anyone affected by the outcome of actions. If you are unable to make a complaint yourself, then someone can act on your behalf with your written consent.

Young persons (age 16 and over) are entitled to complain independently.  The NHS cannot consider a complaint made on behalf of a young person unless they are sure that the young person is unable to complain themselves. If a complaint is made on behalf of a child who is under the age of 16, unless there is clear medical evidence that they have been assessed as being Gillick competent, (a standard which is based upon UK case law) then no authority from the child will be needed to respond to a complaint made by those with parental responsibility. If however there is clear evidence that the child is Gillick competent, then their express authority should be obtained before responding to the complaint as it will involve disclosing confidential patient information.

What information will be needed to make my complaint?

  • Your name, address and contact telephone number and those of the person that you may be complaining for; including their date of birth and their NHS number.
  • A summary of what has happened, giving dates where possible.
  • Which organisation provided the care or service
  • A list of things that you are complaining about
  • What you would like to happen as a result of your complaint.

What can I expect?

A member of the complaints team will contact you and agree the best way forward for investigating your complaint, taking into account your desired outcome.  The issues will be fully investigated and you should then receive your response (which can be a written response or a meeting with relevant staff) within the agreed timescales.  Please do not worry about the service you receive in future being adversely affected because you have made a complaint. We take all comments seriously and only use the information to review our services and make improvements, where needed.


Independent Primary Care Contractors

If you have a comment or a complaint about a GP, dentist, pharmacy or optician that cannot be resolved by the Practice Manager, you can contact NHS England.

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Telephone: 0300 311 2233

Address: NHS England, PO Box 16738, Redditch, B97 9PT


Health Service Ombudsman

We do our best to resolve your complaint however, if you feel that not all of the issues have been addressed, please let us know so that we can agree a way forward.  After this, if we agree that local resolution has not been achieved and you remain unhappy with the outcome, it can be referred to the Parliamentary and Health Services Ombudsman (PHSO).

The Ombudsman is totally independent and will review your complaint. The Parliamentary and Health Service Ombudsman may investigate complaints on your behalf, but only if your complaint has already been investigated and all attempts at a local resolution have been exhausted. There is no charge for this service.

Telephone: 0345 015 4033

Website:  www.ombudsman.org.uk/making-complaint 

Address: The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London, SW1P 4QP


Independent Complaints Advocacy Service (ICAS)

If you would like to receive independent advice from someone about the NHS complaints process, please contact Healthwatch Swindon, who will offer help and support to those wishing to make a formal complaint about the NHS and can help you to write your letter of complaint and accompany you to any meetings.

Healthwatch Swindon

Swindon Advice and Support Centre

Sanford House

Sanford Street

Swindon SN1 1QH

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Telephone: 01793 497777


12. How can I contact Swindon Clinical Commissioning Group?

If you have any questions regarding how we use your information, please contact us at:

NHS Swindon Clinical Commissioning Group

The Pierre Simonet Building

North Swindon Gateway

North Latham Road 



SN25 4DL 

Telephone: 01793 683700

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.swindonccg.nhs.uk


If you have concerns about how your personal confidential data is being handled, or wish to make a complaint, please contact: 

Patient Advice and Complaints Team (PACT)

Priory Road Medical Centre 

Priory Road

Park South 




Telephone: 0300 200 8844

Email:This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: http://www.swindonccg.nhs.uk/index.php/contact-us/patient-advice-and-complaints-team


If you would like to make a Subject Access Request to obtain a copy of the personal confidential data held by the NHS on yourself, please contact:

F.A.O Subject Access Request Team

NHS Swindon Clinical Commissioning Group

The Pierre Simonet Building 

North Swindon Gateway 

North Latham Road 



SN25 4DL

Telephone: 01793 683700

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website:  www.swindonccg.nhs.uk/index.php/contact-us/freedom-of-information-requests 

Your request will be automatically forwarded to NHS South, Central and West Commissioning Support Unit, an NHS support organisation operating under the authority of the NHS Commissioning Board, whose staff manage requests on NHS Swindon Clinical Commissioning Groups behalf. 


If you would like to contact NHS Swindon Clinical Commissioning Group’s Caldicott Guardian, please contact:

F.A.O Gill May 

Executive Nurse / Caldicott Guardian

NHS Swindon Clinical Commissioning Group

The Pierre Simonet Building

North Swindon Gateway 

North Latham Road 



SN25 4DL 

Telephone: 01793 683700

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.


13. Other useful links

The Information Commissioner’s Office is the regulator for that Data Protection Act 1998 and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.  For independent advice about data protection, privacy, and data sharing issues, please contact:

Information Commissioner’s Office 

Wycliffe House

Water Lane




Telephone: 0303 123 1113 (local rate) or 01625 545745 if you prefer to use a national rate number.

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.ico.gov.uk 


NHS Digital is the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care. For further information about their  responsibilities and work, please contact:

1 Travelyan Square

Boar Lane 


West Yorkshire 


Telephone: 0300 303 5678

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.digital.nhs.uk 


For information about NHS Digital’s responsibilities for collecting data from across the health and social care system, please visit their website: www.digital.nhs.uk/collectingdata


The NHS Digital guide to confidentiality gives more information on the rules around information sharing, please visit: www.digital.nhs.uk/article/4979/Assuring-information


The NHS Constitution sets out the principle and values that guide how the NHS should act and make decisions. It also explains the rights and responsibilities of staff, patients and the public, and the NHS pledges to them. 


All NHS organisations and other bodies supplying NHS services must have regards to the NHS Constitution, and the Constitution itself must be renewed by the government every 10 years. 


For more information on what the NHS Constitution is, please visit: www.shsc.nhs.uk/wp-content/uploads/2014/05/NHS_Constitution_staff_guide.pdf


The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this.  It covers people’s access to their own records, controls on others access, how access will be monitored and policed, options people have to further limit access, access in an emergency, and what happens when someone cannot make decisions for themselves. 

Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee.  To view the NHS Care Record Guarantee, please visit: http://webarchive.nationalarchives.gov.uk/20130513181011/http://www.nigb.nhs.uk/guarantee


For further information on clinical datasets and how they support commissioning within the NHS, please visit: www.england.nhs.uk/wp-content/uploads/2012/12/clinical-datasets.pdf


An independent review of information about service users across the health and social care system, led by Dame Fiona Caldicott was conducted in 2012. The report “Information: To share or not to share? The Information Governance Review”, can be found at: www.gov.uk/government/publications/the-information-governance-review