Our Uses of Information

Although this is not an exhaustive list, the following sets out key examples of the purposes for which we collect and process information, and our reasons for doing so:



To process your personal information if it relates to a complaint where you have asked for our help or involvement.

Legal Basis

We will need to rely on your explicit consent to undertake such activities.

Complaint Processing Activities

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record may be in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

We may use service user stories, following upheld complaints, but always anonymously, via our Quality Committee. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user, the carer, or both before we use the service user story.

For further information, click on this link – Patient Services Team


Funding Treatments


We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

This may be called an “Individual Funding Request” (IFR).

Legal Basis

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent.

To know more on funding treatments, see – Will the NHS pay for my treatment?


Continuing Healthcare


Oxfordshire CCG has commissioned Oxford Health Continuing Health Care Team (OHCHT) to process your Continuing Healthcare requests. They will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex clinical needs) and commission resulting care packages.

Legal Basis

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

Click here to know more – Continuing Healthcare




We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Legal Basis

Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.


Risk Stratification


Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Data Processing activities for Risk Stratification

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance, admission and primary care data collected in GP practice systems.

The CCG will use pseudonymised versions of this information to understand the local population needs, whereas GPs will be able to identify (by NHS number) which of their patients are at risk in order to offer a preventative service to them.

The CCG has commissioned the South, Central and West Commissioning Support Unit's (SCWCSU) in-house tool, known as Integrated Population Analytics (IPA), to conduct risk stratification on behalf of itself and its GP practices.

NHS South, Central and West Commissioning Support Unit (SCW) – DSCRO works with Graphnet Health Limited to extract Primary Care data, and the SCWCSU processes this data on behalf of the CCG for Risk Stratification purposes.

This processing takes place under contract, following the steps below:

  • NHS Digital provides data identifiable by your NHS Number about your acute hospital attendances for risk stratification purposes and has signed a Data Sharing Contract for the Secondary Use Services data.
  • The SCWCSU contracts Graphnet Health Limited to extract primary care data identifiable by your NHS Number for those patients that have not objected to Risk Stratification or where no Type 1 objection has been made by an individual. The data containing the same verified NHS numbers is then stored on a secure server owned and managed by SCWCSU, processed through the risk stratification algorithms, and the output made available in the IPA user interface.
  • Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and NHS Digital. No identifiable data of any patient is seen by the CCG.

SCWCSU has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to SCWCSU DSCRO.

The risk scores are only made available to authorized users within the GP Practice where you are registered via a secure portal managed by SCWCSU.

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form. The outputs can be made available if Practices are working as a locality, federation or super practice and this access is agreed by the Caldicott Guardian for each Practice.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

Further information about Integrated Population Analytics is available from: https://www.scwcsu.nhs.uk/ipa

Legal Basis

NHS England has gained approval from the Secretary of State, through the Confidentiality Advisory Group, for its application for the disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs which provides a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality. 


CCGs and GPs use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions. Typically this is because patients have a long-term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools in this way.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.


Primary and Secondary Care Data


We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS.

Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists.

Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care.

These organisations may share identifiable, pseudonymised, anonymised, aggregated, personal confidential and sensitive personal data with us for the following purposes:

  • To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases
  • To undertake clinical audit of the quality of services provided
  • To carry out risk profiling to identify patients who would benefit from proactive intervention
  • To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
  • To report and investigate complaints, claims and untoward incidents
  • To prepare statistics on our performance for the Department of Health
  • To review our care to make sure that it is of the highest standard


Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Legal Basis

Your information is only accessed by authorized persons and not disclosed unless necessary.  We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.


Patient and Public Involvement


If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Legal Basis

We will rely on your consent for this purpose.


Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.




To collect NHS data about service users that we are responsible for.

Legal Basis

Our legal basis for collecting and processing information for this purpose is statutory.

Processing Activities

Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.

This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth.  Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by NHS Digital is available on their website http://content.digital.nhs.uk/patientconf 

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:

  • Performance managing contracts;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice;
  • To audit NHS accounts and services.

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.


Sharing Information Provided to us with other Bodies


The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Data matching by the Cabinet Office is subject to a Code of Practice.

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

For further information on data matching at this authority, contact us by e-mail at oxon.gpc@nhs.net or by post at:

Oxfordshire Clinical Commissioning Group
Jubilee House, John Smith Drive
Oxford Business Park South

By Telephone: 01865 336800


For other Organisations to Provide Support Services for us


The CCG will use the services of additional data processors, who will provide additional expertise to support the work of the CCG.

Legal Basis

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.

These organisations are known as “data processors”.

Below are details of our data processors and the function that they carry out on our behalf:

  • NHS South, Central and West Commissioning Support Unit: Risk Stratification, Commissioning Intelligence analysis, Complaints processing, and Communications and Engagement.
  • Oxford Health NHS Foundation Trust.
  • Oxford University Hospital NHS Foundation Trust.
  • Oxford Health Continuous Healthcare Team: processes Continuing Healthcare requests for OCCG.
  • Oxford Academic Health Sciences Network (OHSN) (hosted by Oxford University Hospital NHS Foundation Trust): Commissioning Intelligence analysis (add value to the analyses of data that does not directly identify individuals)
  • NHS Litigation Authority – Claims Management (we rely on your consent)
  • NHS Shared Business Service and NHS South Central and West CSU – Invoice Validation (see page 10)
  • NHS England (NHSE) – we share data with NHSE as part of commissioning activities but in a fully non-identifiable form
  • Optum Health Solutions (UK) Ltd

Data Flows

The CCG maps each individual data flow in and out of the organisation, to understand what data it holds and processes. These data flow maps are currently being reviewed as part of an annual process, and will be published in December 2016. The 2015-16 data flow maps are available on request from the CCG; contact details are:

Oxfordshire Clinical Commissioning Group
Jubilee House, John Smith Drive
Oxford Business Park South
Oxford OX4 2LH

Tel: 01865 336800

Email:  oxon.gpc@nhs.net


These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purposes.


National Registries


National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.




To support research-oriented proposals and activities in our commissioning system.

Legal Basis

Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

Data Linkage

Data may be de-identified and linked by organisations so that it can be used to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual data sets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as Secondary Uses Service (SUS) data (inpatient, outpatient, and A&E). In some cases there may also be a need to link local data sets which could include a range of acute-based services such as radiology, physiotherapy, and audiology. When carrying out this analysis, the linkage of these data sets is always done using a unique identifier that does not reveal a person’s identity, as the CCG does not have any access to patient identifiable data.