[Skip to content]


Fair processing notice


NHS Thanet CCG is the data controller for information. We use personal and confidential information for a number of purposes.This Privacy Notice provides a summary of how we use your information.To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data.
  • How it will be used.
  • Who it will be shared with.

The law determines how organisations can use personal information.The key legislation is: the Data Protection Act1998 (DPA), the Human Rights Act1998 (HRA),relevant health service legislation, and the common law duty of confidentiality.

This document describes instances where NHS Thanet CCG is the “Data Controller”, for the purposes of the DataProtection Act 1998, and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

NHS Thanet CCG recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. 

What information do we collect about you?

We only collect and use your information for the lawful purposes of administering the business of NHS Thanet CCG.These purposes include:

  • Accounting and Auditing.
  • Accounts and records.
  • Advertising, marketing & public relations.
  • Consultancy and Advisory services.
  • Crime prevention and prosecution of offenders.
  • Education.
  • Health administration and services.
  • Information and databank administration.
  • Research.
  • Sharing and matching of personal information for national fraud initiative.
  • Staff administration.


Please be aware that NHS Thanet CCG does NOT have access to patient medical records. A request for information for a health record has to be made with the appropriate data controller This will be your GP or relevant hospital trust where you were treated. If you would like guidance on how to access your medical records please follow the link below:


Your information

This part of the Privacy Notice outlines what personal information we do hold, why we use it and how we protect it.

What types of personal data do we handle?

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. We also process personal
information about healthcare professionals that deliver services throughout the NHS.

We also use information to support and monitor the health services commissioned in England to enable the delivery of high quality healthcare.This type of information will usually be provided to NHS Thanet CCG in an anonymised form,so that we cannot identify an individual. 

The types of personal information we use include:

  • Personal details such as names,addresses, telephone numbers.
  • Family details for example next of kin details.
  • Education, training, mostly frequently of clinicians such as GPs and our staff.
  • Employment details,for example for those that work for us either directly or are commissioned by us to provide a service.
  • Financial details, where we provide payment for services or access to funds for individual patients.
  • Services, for example details of the services accessed or offered by providers.
  • Lifestyle and social circumstances.
  • Visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security.
  • Details held in the patient’s record,where we hold or manage the patient’s record.
  • Responses to surveys,where individuals have responded to surveys about healthcare issues.


We also process sensitive classes of information that may include:

  • Racial and ethnic origin.
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences.
  • Trade union membership.
  • Religious or similar beliefs.
  • Employment tribunal applications, complaints, accidents,and incident details.


This information will generally relate to our staff, covered by the Privacy Notice for Staff, or for those health care professionals we manage.

In terms of patient information, information may include:

  • Physical or mental health details.
  • Sexual life.

Information for job applicants

NHS Thanet CCG will process information provided by applicants for the management of their application and the subsequent selection process.This involves providing details to the short-listing and selection panels. Other details are kept to help fulfil our obligations to monitor equality and diversity within the organisation and in the application process.You can find more information about the use of personal data throughout the application process.

Information will be retained on interview performance and the application in line with the retention periods of NHS England.

For more information about your application and personal data you should contact  NHS Thanet CCG’s HR department.

Applicants to roles with hosted bodies, such as Commissioning Support Units, should contact that organisation directly.

How will we use information about you?

Your information is used to run and improve the NHS in England. It may be used to:

  • Check and report on the effectiveness of NHS Thanet CCG and the services it commissions
  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints,legal claims or important incidents
  • Make sure that NHS Thanet CCG gives value for money
  • Make sure services are planned to meet patients’ needs in the future
  • Review the care given to make sure it is of the highest possible standard
  • To manage specialised services that NHS Thanet CCG commissions


We may keep your information in written form or on a computer.Whenever possible all information that identifies you will be removed.

Sharing your information

There area number of reasons why we share information. This can be due to:

  • Our obligations to comply with current legislation
  • Our duty to comply with a Court Order
  • You have consented to disclosure


NHS Thanet CCG is responsible for protecting the public funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

Security of your information 

We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality. Deputy SIROs have also been appointed in regional teams and local Caldicott Guardians have been appointed in regional and area teams. 

All staff are required to undertake annual information governance training and are provided with access to the information governance policy that they are required to read, understand and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

Retaining information

We will only retain information for as long as necessary. Records are maintained inline with theNHS England retention schedule which determines the length of time records should be kept.

How can you get access your personal information? 

The Data Protection Act 1998 gives you the right to see the information that NHS Thanet CCG holds about you and why. Requests must be made in writing and you will need to provide:

  • Adequate information [for example full name, address, date of birth, NHS number, etc.] so that your identity can be verified and your information located.
  • An indication of what information you are requesting to enable us to locate this in an efficient manner.

A request for information from a health record has to be made with the appropriate data controller.This will be your GP or relevant hospital trust where you were treated.

NHS England is the data controller ofGP health records where an individual is currently not registered with aGP or is deceased. For access to GP health records in these circumstances please use the list below to direct the request to the appropriate service (the list is by the geographical area of the GP):


Patient right to object to processing/opt-out

For all other personal information requests held by NHS Thanet CCG you should send your request to thanet.ccg@nhs.net

Where a fee is applicable under the terms of the Data Protection Act and subsequent legislation, we will inform you in writing. In due course our disbursement scheme (which outlines these fees) will be available.

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 40 days of receipt unless there is a reason for delay that is justifiable under the DataProtection Act.

We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please contact the CCG at thanet.ccg@nhs.net

There are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. Please note that not choosing to share your information may have an impact on your care and, by sharing your information, will improve NHS services and the experience of treatment and care for our patients.

If you wish to do so, please inform your GP practice and they will mark your choice in your medical record.

There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

The NHS Digital (HSCIC) collects information from a range of places where people receive care, such as hospitals
and community services. If you do not want your personal confidential information to be shared outside of NHS Digital
(HSCIC), for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.

A direction from the Secretary of State for Health sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital (HSCIC) to apply type 2 opt-outs from 29 April 2016.

When NHS Digital (HSCIS) has collected information about your type 2 opt-out from your GP practice they use that to create
a record of all current type 2 opt-outs. Then  NHS Digital use that record to check against any set of data that is to be
made available by NHS Digital (HSCIC) to another organisation and remove all of your personal confidential information
, before that data is made available.

The direction sets out the scope of when your type 2 opt-out does not apply, such as when there is a legal requirement
 to release information, or where you have given your consent to a specific release of your information.

There are also some limited circumstances which are set out in the direction, when we don't apply your type 2 opt-out
 to information made available. These are cases where:

  • The Secretary of State for health has identified the information flow is very important.
  • There are complex technical barriers that make it very difficult to apply opt-outs.


For more information on how we collect and use opt-out information see Applying Type 2 Opt Outs

For more information about care records and how to access them see NHS Choices. For details about how public bodies must make information available, see the model publication scheme published by the Information Commissioner's Office. 

NHS Commissioning Support Units

TheNHS CommissioningSupport Units provide commissioning and support services to Clinical Commissioning Groups, Area Teams and other clients. 

Further information regarding each Commissioning Support Unit’s processing of personal data can be found on their individual websites and Privacy Notices

A list of Commissioning Support Units is available at: