Fair Processing Notice & GDPR

The Fair Processing Notice (Privacy Notice) is available by clicking here.  This document reminds you of your rights under the Data Protection Act and tells you how NHS West Norfolk Clinical Commissioning Group (WNCCG) processes information about you in accordance with the Act.

Links to information on locally commissioned providers' fair processing notices or details of what information is provided to patients regarding what happens with their information can be found here.

The Fair Processing Notice for the Norfolk Continuing Care Partnership in relation to continuing healthcare provision can be found here.

 Previous Fair Processing Notices
 October 2018
 September 2018
 April 2018
 May 2018
 December 2016
 October 2016
 September 2016
 December 2015
 September 2014
 December 2013

Who are we?

NHS West Norfolk Clinical Commissioning Group (WNCCG) is a local membership organisation led by family doctors that is responsible for planning and paying for healthcare services. We do not provide healthcare like a GP Practice or hospital. Our role is to make sure the appropriate NHS care is in place for the people of West Norfolk, within the budget we have.

Why we collect information about you

In carrying out some of these roles we may collect information about you which helps us respond to your queries or secure specialist services.  We may keep your information in written form and/or on a computer. 

The records may include basic details about you, such as your name and address.  They may also contain more sensitive information about your health and also information such as outcomes of needs assessments.

How your records are used to help the NHS

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. 

Information can also be used to conduct health research and development, monitor NHS performance, to help the NHS plan for the future and to investigate complaints in respect of the services we commission.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. 

We will not publish any information that identifies you or routinely disclose any information about you without your express permission.  At any time you have the right to refuse/ withdraw consent to information sharing.  The possible consequences will be fully explained to you, such as potential delays in receiving care and negative impacts on the services and responses we can offer you.

There may be circumstances where we are bound to share information about you owing to a legal obligation, such as for the benefit of public health in the event of a pandemic.

Anyone who receives information from us is also under a legal duty to keep this information confidential.

Security of information 

Everyone working for the NHS is subject to the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access.  Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

Financial validation

 We will use limited information about individual patients when validating invoices received for healthcare provided, to ensure the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff, these activities and all identifiable information will remain within a CEfF (Controlled Environment for Finance) approved by NHS England.

National Fraud Initiative

We are required by law to protect the public funds we administer. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Audit Commission appoints the auditor to audit the accounts of this authority.  It is also responsible for carrying out data matching exercises.

For further details please view the relevant section in the Fair Processing Notice.

Access to your information

Under the Data Protection Act 1998 you have the general right to see or be given a copy of personal data held about you.  This right can be exercised via submission of a Subject Access Request (SAR) to NHS WNCCG.

Any requests made will be jointly managed by both the CCG and NHS Arden & GEM Commissioning Support Unit staff unless you specifically state in your request that you do not wish this to happen. You do not need to give a reason.

If you want to access your records/ information you should make a written request to:

NHS Arden and GEM Commissioning Support Unit
Lakeside 400
Old Chapel Way
Broadland Business Park
Thorpe St Andrew

We are able to charge a reasonable fee for the administration of the request, however these fees are set down in law as follows:

We may charge up to £10 for complying with a SAR relating to health records if the information is only held electronically.

We may charge up to £50 for complying with a SAR relating to health records if those records are held either wholly or partly in non-electronic form.

Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO): https://ico.org.uk/for-the-public/personal-information/


In the event that you believe we have not complied with the Data Protection Act, either in responding to a Subject Access Request or in the way we have processed your personal information, you have the right to make a complaint and for further information please go to: http://www.westnorfolkccg.nhs.uk/contact-us/complaints

Further information

If you would like to know more about how we use your information please use the Contact Us section of our website.

Further information can also be obtained from the following links:

Data Protection Act 1998
Care Record Guarantee; and
NHS Confidentiality Code of Practice

Organisations that share information with us

In order for WNCCG to perform its commissioning functions, information is shared from various organisations, which include: general practice, acute and mental health hospitals, others CCGs, community services, walk in centres, nursing homes, directly from service users and many others.

Information may also need to be shared for your benefit with other non-NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services.  Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless there are exceptional circumstances such as when the health and safety of others is at risk, where the law required it or to carry out a statutory function.



GDPR replaced the Data Protection Act (DPA) 1998 and applied in the UK from 25 May 2018 

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU Regulation, developed to update data protection law and to unify all EU Member States' (Countries) approach to data protection and ensure the law is applied identically in every EU country. 

Who must comply with the GDPR?

The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf.  GDPR applies to ‘controllers’ and ‘processors’ that process the data of EU citizens regardless of where in the world the actual ‘processing’ takes place. (See Articles 3, 28-31 and Recitals 22-25, 81-82) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

What information does the GDPR apply to?

Personal data

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier eg an IP address, genetic and biometric data e.g. finger prints, DNA etc can be personal data.

Sensitive personal data

The GDPR refers to sensitive personal data as 'special categories' of personal data. These categories are broadly the same as those in the DPA, and require additional conditions to process lawfully.  For example health data is classed as special category data- basically, it’s  anything that could cause harm to an individual or their reputation.  
(See Articles 2, 4, 9, 10 and Recitals 1, 2, 26, 51) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Lawful processing

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data.  This needs to be communicated to Data Subjects through a Privacy Notice in an effort to be transparent.

(See Articles 6-10 and Recitals 38, 40-50, 59) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679


Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.   (See Articles 4(11), 6(1)(a), 7, 8, 9(2)(a) and Recitals 32, 38, 40, 42, 43, 51, 59, 171) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Children's Personal Data

The GDPR contains new provisions intended to enhance the protection of children’s personal data. The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves (unless they are deemed to have sufficient capacity to consent for themselves from the age of 13 years old in the UK) and instead consent is required from a person holding ‘parental responsibility’.   (See Article 8 and Recitals 38, 58, 71).  https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Individual's rights

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.

The GDPR provides the following rights for Individuals:

The right to be informed

The right to be informed encompasses the obligation to provide a Privacy Notice.  It emphasises the need for transparency over how personal data is used.   (See Articles 12(1), 12(5), 12(7), 13, 14 and Recitals 58-62) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

The right of access

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing. 

A copy of the information must be provided free of charge.

There will be less time in which to comply with a subject access request under the GDPR.  Information should be provided within one month of receipt of the request. (See Articles 12, 15 and Recital 63)   https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679  

The right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.  Certain exemptions apply to health related data and when it may be rectified. 
(See Articles 12, 16 and 19) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

The right to erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.   Again, certain exemptions apply. (See Articles 17, 19 and Recitals 65 and 66) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

The right to restrict processing

Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.  When processing is restricted, the personal data may continue to be stored, but not further processed. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 
(See Articles 18, 19 and Recital 67)

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.  It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.  (See Articles 12, 20 and Recital 68) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

The right to object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

(See Articles 12, 21 and Recitals 69, 70) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Rights related to automated decision making and including profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.   (See Articles 4(4), 9, 222 and Recitals 71, 72)   https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Accountability and Governance

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.  (See Article 30, Recital 82)https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 

Data Protection by Design and by Default

Under the GDPR, technical and organisational measures must be taken to show that data protection rules have been considered and integrated into processing activities.  (See Article 25 and Recital 78) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Data Protection Impact Assessments

Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify risks associated with new projects, processes and systems and where possible fix problems and mitigate against risks at an early stage.  (See Articles 35, 36, 83 and Recitals 84, 89-96) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Appointing a Data Protection Officer   

Under the GDPR, a Data Protection Officer must be appointed if the organisation:

  • is a public authority (except for courts acting in their judicial capacity);
  • carries out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Contact details for the Data Protection Officer can be found in the Privacy Notice.

(See Articles 37-39, 83 and Recital 97) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Data Breach Notification

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected within 72 hours of becoming aware of the breach.  (See Articles 33, 34, 83 and Recitals 85, 87, 88) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Transfers of Data to Third Countries or International Organisations   

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.  (See Article 45 and Recitals 103-107, 169) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679