Your health records

Handling Your Personal Information – Fair Processing Notice

This notice is to inform you of the type of information (including personal information) that we Bromley CCG, as your clinical commissioning group (CCG), holds, how that information is used, who we may share that information with, and how we keep it secure and confidential.

What we do

We Bromley CCG are responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers, such as hospitals and GP practices, for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on services offered.

How we use your information

We hold some information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this. Your records are used to direct and manage the care you receive to ensure that healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive, and so that your concerns can be properly investigated if a complaint is raised.

These uses are in line with the purposes outlined in our registration with the Information Commissioners Office and the reference number is Z3602379.

What kind of information do we use?

We use six types of information/data:

  1. Anonymised data, which is data about you but from which you cannot be personally identified;
  1. De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;
  2. De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times whereby you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;
  3. Anonymised in Context (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment. You may be personally identified if this data was available to a hospital or your GP.  Like the above, we replace the NHS number with a locally generated pseudonym like hospital number;
  4. Personal data from which you can be personally identified; and
  5. Sensitive information/data about you from which you can be identified. 

What do we use these types of data for?

We use the above types of data to plan health care services. Specifically, we use it to:

  • check the quality and efficiency of the health services we commission;
  • prepare performance reports on the services we commission;.
  • work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future; and
  • review the care being provided to make sure it is of the highest standard. 

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. A full list of services can be found on ‘our services’ page We may also share anonymised statistical information with them for the purpose of improving local services: for example, understanding how health conditions spread across our local area compared to other areas.

The law provides some NHS bodies, particularly the Health and Social Care Centre – HSCIC (NHS Digital), ways of collecting and using patient data that cannot identify a person to help commissioners design and procure the combination of services that best suit the population they serve.

Data may be linked and de-identified by these special bodies so that it can be used to improve health care and development, and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services, it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with secondary care secondary uses service (SUS) data (inpatient, outpatient and A&E).

In some cases there may also be a need to link local datasets, which could include a range of acute-based services such as radiology, physiotherapy and audiology, as well as mental health and community-based services such as IAPT, district nursing and podiatry. When carrying out this analysis, the linking of these datasets is always done using a pseudonym as the CCG does not have access to patient identifiable data.

The following are the types of organisations HSCIC (NHS Digital) receives data from, and then forwards on to our data processor in a de-identified format or a dataset with a weakly pseudonym identifier (NHS Number) format to link and analysis the data.

Types of organisations and types of information we receive:

  • Acute Trusts or Hospitals, for example Kings College Hospital NHS Foundation Trust and Guys and St Thomas’ NHS Foundation Trust. We receive pseudonymised acute data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.
  • Community trusts or community organisations, for example Oxleas NHS Foundation Trust and Bromley Healthcare CIC. We receive pseudonymised community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units. 
  • Mental Health Trusts or Mental Health organisations, for example Oxleas NHS Foundation Trust. We receive pseudonymised mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge, referrals and next steps.
  • Primary Care organisations, for example your local GP practice. We receive pseudonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information, follow-ups and next steps.

It is also important to note that if you receive treatment in another part of the country, for example if you are on holiday, HSCIC (NHS Digital) will receive information about your treatment. We will receive this information in a de-identified dataset in accordance with point 2 and 3 above within the ‘what kind of information do we use’, as it’s important to link and analyse your patient pathway.

We may also contract with other organisations to process data. We ensure external data processors that support us are legally and contractually bound to operate this process. They must be able to prove security arrangements are in place where data that could or does identify a person is processed.

Currently, the external data processors we work with include (amongst others):

  • NEL Commissioning Support Unit

 How you can access your records

The Data Protection Act 1998 gives you a right to access the information we hold about you on our records. Requests must be made in writing to:

Information Governance Manager

NEL Commissioning Support Unit

3rd Floor, 1 Lower Marsh,



You can email: 

We will reply to your request within 40 days from receipt and in order to provide the correct information we will need:

  • Your personal details including your full name, address, date of birth, and NHS number so that your identity can be verified and your records located
  • A cheque for an initial £10 (rising to a maximum of £50 for health records) made payable to NHS Bromley Clinical Commissioning Group
  • An indication of what information you are requesting to enable the CCG to locate this in an efficient manner

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner

Wycliffe House​

Water Lane


CheshireSK9 5AF

Phone: 08456 30 60 60 or 01625 54 57 45


 To read more about how we use your information please see document below to access our extended fair processing Notice

NHS Bromley CCG, Beckenham Beacon, 379 Croydon Road, Beckenham, BR3 3QL

© 2019 Bromley CCG | IP: