Your Information, What You Need to Know

NHS Ipswich and East Suffolk CCG (I&ESCCG) is responsible for buying (also known as ‘commissioning’) health services from healthcare providers such as hospitals, GP practices, dentists and pharmacists, and suppliers who offer non-standard services for the people of Ipswich and East Suffolk.

All GP practices in Ipswich and East Suffolk are members of the CCG. Our role is to make sure that appropriate care is in place for the people of Ipswich and East Suffolk today and in the coming years.

To help us to model and plan services to best meet your future healthcare needs, I&ESCCG needs to understand the health, social and general wellbeing issues that people are facing today. The only way that we can achieve this is by using the information that your GP, your clinician or your social worker enter into your care record. This information may exist on paper or in electronic format and each is kept safe in an appropriate way.

Types of information

I&ESCCG may collect and hold various types of information.

• Identifiable: containing details that identify individuals
• Pseudonymised: about individuals but with identifying details (such as name or NHS number) replaced with a unique code
• Anonymised: about individuals but with identifying details removed
• Aggregated: anonymised information grouped together so that it doesn't identify individuals

For full definitions and details about types of information see:

• The Data Protection Act
• The Information Commissioner's Office publication Anonymisation: managing data protection risk code of practice

There are strict rules around who can see that information and what it can be used for. The CCG uses the local safe haven within the North of England Commissioning Support Unit (NECSU) which has been accredited by the Health and Social Care Information Centre.

We will only ever request pseudonymised data and ask for the unique code to be provided by NECSU.

Primary and Secondary Use of Personal Data

The legal framework governing the use of personal confidential data in health care is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act, and the Human Rights Act.

The law allows personal data to be shared between those offering care directly to patients (primary use) but it protects patients’ confidentiality when data about them are used for other purposes. These “secondary uses” of data are essential if we are to run a safe, efficient, and equitable health service. They include:

• Reviewing and improving the quality of care provided
• Researching what treatments work best
• Commissioning clinical services
• Planning public health services

How We Keep Your Information Confidential and Safe

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you how your information will be used, and allow you to decide if and how your information can be shared.

Why We Collect Information About You

In carrying out some of these roles we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments.

How We Use the Information that We Collect

I&ESCCG has in place safeguards to prevent staff from identifying individuals from the data that we receive.
Information from your health records is received by us and any information that might allow others to identify you is removed. This means that no one can know:

• Your name
• Your date of birth (this is replaced with age)
• Your postcode (this is replaced with a standard area called a Lower Super Output Area – the name reflects a national standard that is based on the total population and number of houses in an area)
• Information that may contain more sensitive information about your health and also information such as outcomes of needs assessments.

We use your pseudonymised unique number, GP practice and treatment details so that your information from each service can be linked together. This gives us a fuller picture of the health of people in Ipswich and East Suffolk and the services required to support them to stay healthy.

We use this information to provide and improve health services. This data also enables us to target patients who may benefit from additional preventive care.

These uses are in line with the purposes outlined in our registration with the Information Commissioner's Office; the reference number is Z3612955.

Legal basis for the Processing of Personal Data

As mentioned above, organisations may process your personal data for your direct treatment. The CCG does not actually treat patients and so cannot rely on this basis to process personal information.

Where we require access to your medical records, such as in continuing care or individual funding, we will seek your explicit consent.

We may rely on a S251 agreement to process some of your information, for example when carrying out invoice validation or risk stratification. A S251 approval (under S251 of the NHS Act 2006) is granted where no other legal basis for the processing of data exists, and is granted after a lengthy approval process by the Confidentiality Advisory Group (CAG).

What We Use Your Information For

Analysis – Risk Stratification

Your GP uses your data to provide the best care they can for you. As part of this process, your GP will use your personal and health data to undertake risk stratification, also known as case finding.

Risk stratification entails applying computer based algorithms, or calculations to identify those patients registered with the GP surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

We combine records from secondary care (via the secondary user service (SUS)) with primary care records from your GP to obtain the most clinically effective results for you, the patient.

Identifying those patients individually from the patient community registered with your GP would be a lengthy and time-consuming process, which by its nature might not identify individuals quickly and would increase the time taken to improve care.

Your GP surgery uses the services of a health partner, (NECSU) to identify those most in need of preventative or improved care. This contract is arranged by I&ESCCG.

I&ESCCG will not at any time have access to your personal or confidential data, except where we have obtained your consent (for example, in considering continuing health care provisions or individual funding requests). I&ESCCG acts on behalf of your GP to organise this service with appropriate contractual and security measures only.

NECSU will process your personal and confidential data. Typically NECSU will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. Processing takes place automatically and without human or manual handling. Data is extracted from your GP computer system and automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.

The CCG is able to view aggregated risk stratification data but is not able to identify an individual patient record.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NECSU for risk stratification purposes.

Opting out 

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital for purposes other than your direct care, you can register a type 2 opt-out with your GP practice.

A “direction” from the Secretary of State sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital to apply type 2 opt-outs from 29 April 2016.

When we have collected information about your type 2 opt out from your GP practice we use that to create a record of all current type 2 opt outs. We then use that record to check against any set of data that is to be made available by NHS Digital to another organisation and remove all of your personal confidential information if it is in that data set, before that data are made available.

The direction sets out the scope of when your type 2 opt out does not apply such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

There are also some limited circumstances, which are set out in the direction, when we don't apply your type 2 opt out to information made available. These are cases where:

• The Secretary of State for Health has identified the information flow is very important.
• There are complex technical barriers that make it very difficult to apply opt outs.

Paying for Services

Where care is provided and the CCG is responsible for it, we will need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England.

Invoice Validation

CCGs and NHS England, which includes Commissioning Support Units, do not have a legal right to access personal confidential data (PCD) for the purpose of validating invoices.

The Secretary of State for Health approved applications from NHS England for section 251 support for PCD to be used to validate invoices lawfully, without the need to obtain explicit consent from the individual patient at a local level. This approval has been renewed and continues to be valid.

The invoice validation process supports the delivery of patient care across the NHS by:

• Ensuring that service providers are paid for the patient’s treatment
• Enabling services to be planned, commissioned, managed, and subjected to financial control, enabling commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible
• Fulfilling commissioners’ duties of fiscal probity and scrutiny
• Enabling invoices to be challenged and disputes or discrepancies to be resolved

We will use limited information (NHS number) about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF) approved by NHS England. 

Handling Continuing Healthcare (CHC) Applications

If you make an application for Continuing Healthcare (CHC) funding, I&ESCCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. 

This process is nationally defined and we follow a standard process. I&ESCCG uses standard information collection tools to decide whether someone is eligible.

Handling Individual Funding Requests (IFR) Applications

If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, I&ESCCG will use the information you provide and where needed will, with your consent, request further information from care providers to identify eligibility for funding. 

If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.

Supporting Medicines Management

CCGs support local GP practices with prescribing queries which generally don’t require identifiable information.
Where specialist support is required, e.g. to order a drug that comes in solid form in gas or liquid, the medicines management team will order this on behalf of a GP to support your care.


Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. 

Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Quality Alerts

A Quality Alert is a systemic issue, generally affecting a service, or the ability to deliver a high quality service. I&ESCCG’s Governance and Quality Team triages quality alerts (QAs), reverse quality alerts and incidents reported by GPs/provider organisations. The CCG has a statutory duty to support NHSE with the continuous quality improvement of primary medical services as set out in the HSCA 2012 and the Primary Medical Services assurance framework.

Post Infection Reviews

Clinical Commissioning Groups collaborate closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection.

CCGs will lead the Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. The CCG monitors completion of action plans developed to address any learning from the Post Infection Review.

Serious Incident Management

I&ESCCG is accountable for effective governance and learning following all Serious Incidents (SIs) and works closely with all provider organisations as well as commissioning staff members to ensure all SIs are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners, as well as providers, had a responsibility for ensuring the quality of health services provided.

Sharing Information

In order for I&ESCCG to perform its commissioning functions, information (mostly anonymised) is shared from various organisations which include general practices, acute and mental health hospitals, other CCGs, community services, walk-in centres and nursing homes, as well as directly from service users and many others.

Information Sharing With Other NHS Agencies and Non-NHS Organisations

We may share your information for health purposes and for your benefit with other organisations such as Health Authorities, NHS Trusts, General Practitioners, etc. We may also need to share information with our partner organisations.

Information may also need to be shared with other non-NHS organisations, from which you are receiving care, such as Suffolk County Council, and other providers from which we commission services. 

Where information sharing is required with these third parties, we will always have a relevant Data Sharing Agreement/Data Processing Deed in place and will not disclose any health information without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk or where the law requires it or to carry out a statutory function. 

We are required by law to report certain information to the appropriate authorities without your consent. This is only provided after formal permission has been given by a qualified health professional, for example in the case of identifying a notifiable disease such as Legionnaires' disease or rabies.

The CCG may also be required to share information if a safeguarding concern (adult or child) is raised.

Your Right to Withdraw Consent for Us to Share Your Personal Information

You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision.

Under new rules as a result of the National Data Guardian's review, you only have to withdraw consent for processing once. This may be done by opting out at any time by contacting your GP.

You may also contact the CCG at the addresses contained in the “Contact us” section of this website and ask for your request to be passed on to the Caldicott Guardian.

How Your Records Are Used to Help the NHS

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health.

CCG Oversight

I&ESCCG has in place a Caldicott Guardian and Senior Information Risk Owner (SIRO) who have oversight of the handling of information within the CCG or by any support organisations we may buy services from. They are supported by the Information Governance Steering Group, which meets regularly to discuss issues related to IG.

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian.

The I&ESCCG Caldicott Guardian is:

Barbara McLean 
Email: Barbara.mclean@suffolk.nhs.uk

A SIRO is a member of the CCG Governing Body who is responsible for ensuring that organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist.

Amanda Lyes
Email: Amanda.lyes@suffolk.nhs.uk

You may further contact the CCG via the “Contact us” section of this website.

Accessing Your Information Held by Ipswich and East Suffolk CCG

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. To gain access to your information held by I&ESCCG you will need to make a Subject Access Request (SAR) to NHS I&ESCCG. Information on how to do this is on our website.

We may charge a reasonable fee for the administration of the request, set down in law as follows:

• If the information is only held electronically we may charge up to £10 for complying.
• If the information is held wholly or partly in paper format we may charge up to £50 for complying.

Note: In order to deal with a SAR, I&ESCCG will need to share information with NECSU.

Freedom of Information Requests (FOI)

The Freedom of Information Act (2000) gives every individual the right to request information held by government agencies. Private companies are not subject to this Act.

Please note that a Freedom of Information Request is not a Subject Access Request.

For postal requests, please send to the Freedom of Information lead at:
Freedom of Information Manager
Ipswich and East Suffolk CCG
c/o Rushbrook House
Paper Mill Lane

You can also email your request to foi@suffolk.nhs.uk

Your request for information must be made in writing and you are entitled to a response within 20 working days.

Retention of Information

The CCG will retain personal information in accordance with the Data Protection Act and guidance issued by NHS England. The time frame will be dependent on the type of information held and varies for each service we provide.

If you need more information please contact the CCG via our website.

Information that we identify as being required will be destroyed under confidential conditions as required by the Data Protection Act 1998.

Decommissioning of Services

The CCG will retain legal responsibility for the information held about you until it is formally dissolved or until agreements are put in place to transfer responsibility.


If you have a complaint about I&ESCCG or a service we commission, we will use your information to communicate with you and investigate any complaint if it’s the responsibility of the CCG.

Information about how to complain can be found on our website.

If you are not happy with our responses and have exhausted all the avenues in the CCG Complaints Process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing to the following address:

Wycliffe House
Water Lane

You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545745 if you prefer to use a national rate number, or email casework@ico.org.uk

Useful Links

NHS Care Record Guarantee

NHS Constitution

NHS Digital Guide to Confidentiality

Information Commissioner's Office

Health Research Agency

DH Records Management Code of Practice

Further Information

Further information can also be obtained from the following links:
• Data Protection Act 1998
• Care Record Guarantee
• NHS Confidentiality Code of Practice
• Fair Processing Notice – National Fraud Initiative
