Privacy Notice


NHS North of England Commissioning Support Unit (NECS) is hosted by NHS England and provides a range of commissioning support services to the Integrated Care Board (ICB) and other organisations. The registered address for NECS is John Snow House, Durham DH1 3YG. The purpose of this notice is to inform you of the type of information (including personal information) that the CSU processes on behalf of the ICB and other organisations we support, how that information is used, with whom we may share that information and how we keep it secure and confidential. NECS acts as a Processor for our customers, who are also legally required to publish their own Privacy Notices. Where NECS is the Processor for organisations that are also a Controller, you will see us named in their Privacy Notice for the services we provide.

We keep a Register of all our information processing activities, including those involving the use of personal information. This records metadata including where we get the information from, with whom we share it, the legal basis allowing us to process personal data and the security arrangements in place.

How we use information

We use anonymous information for statistical purposes to allow us to help the ICB plan the commissioning of healthcare services. Examples of this include:

  • Evaluation and review of services such as checking their quality and efficiency.
  • Checking NHS accounts and services.
  • Working out what illnesses people will have in the future so that the ICB can work with the local primary care services, community services and hospital services to make sure that patient needs are met.
  • Preparing statistics on NHS performance.
  • Reviewing the care the ICB commission to make sure it is of the highest standard.
  • We also carry out business to business marketing with potential customers but only where customers have agreed to receive this information.

Personal and Confidential Information

For the purposes listed above, we will only use anonymised data, which means that individuals cannot be identified. We can only use any information that may identify individuals (known as personal information) in accordance with Data Protection legislation and other laws such as the Health and Social Care Act 2012.

We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.

Therefore, as a commissioning support organisation we do not routinely hold medical records or confidential patient data. There are some specific areas, however, because of our responsibilities, where we do hold and use personal information. In order to process that information we will have met a legal requirement and will use only the minimum data required for the purposes of that processing. The law allows processing of personal information under the following circumstances:

  • We have received consent from individuals to be able to use their information for one or more specific purposes.
  • For the performance of a contract involving an individual
  • There is a legal requirement that will allow us to use or provide information
  • For protecting the vital interests of a person or persons
  • There is substantial public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
  • It is necessary for the legitimate interests of the organisation or a third party; however, this does not extend to public authorities
  • If the personal information has been purposefully made public by the individual to which it relates
  • For employment and social security purposes
  • For the provision of health and social care or treatment
  • It is necessary for the establishment, exercise or defence of legal claims
  • For reasons of public interest regarding public health and safety of others, for example to report an infectious disease such as meningitis or measles.
  • We have special permission called a ‘section 251 agreement’ (Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) which allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. A section 251 agreement supports the use of patient identifiable information without consent.

The areas where we use personal information are:

  • Individual Funding Requests – a process where patients and their GPs or Consultants can request treatments not routinely funded by the NHS. The legal basis allowing us to process such requests on behalf of a commissioner is explicit consent.
  • Assessments for continuing healthcare (a package of care for those with complex medical needs). The legal basis allowing us to process such requests on behalf of a commissioner is GDPR Article 6.1 e – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and GDPR Article 9.2 h – the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional.
  • Responding to your queries, concerns or complaints. The legal basis allowing us to process such requests on behalf of a commissioner is explicit consent.
  • Validation of invoices to ensure that providers are reimbursed correctly for the care and treatment they have delivered to patients. This is allowed under a section 251 agreement.
  • To identify specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate care and treatment; this is known as risk stratification. This is allowed under a section 251 agreement.

Our Communications & Engagement service collects contact details of members of the public and will contact patients regarding NHS services but only where the individual has explicitly consented to this.

Sharing Information

We process and share anonymised statistical information with the ICB for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We process personal data as described above and have been granted a legal basis for processing data in this way which operates under strict controls to ensure your information is handled lawfully. We are an established Accredited Safe Haven which allows us to use limited personal data lawfully for specific purposes and operate a Controlled Environment for the processing of invoices.

Keeping information secure and confidential

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive annual training on confidentiality and security of information.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, secure email systems and ensuring that mobile equipment such as laptops are encrypted.

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the CSU is Dr James Gossow. We also have a Senior Information Risk Owner (SIRO) who has allocated lead responsibility to ensure organisational information risk is properly identified, managed and that appropriate assurance mechanisms exist. The SIRO for the CSU is Ian Davison, Business Information Services Director.

Retention of information

We retain personal information in accordance with data protection legislation and in line with the NHS Records Management Code of Practice 2021.

Retention periods are recorded in our Information Asset Register.

International transfers

We record any instances where we transfer personal information to a third country or international organisation. This is very limited and we check and record the safeguards in place to protect the information to be transferred.

The National Fraud Initiative

NHS England is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
For more information on this please visit the following page:

How the NHS and care services use your information – opting out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:  which covers health and care research); and  which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Your Rights

Right of access to your personal information

We will tell you if we use your personal information, what that information is and why we use it. We will also tell you where we obtained the information from and with whom we share your information. Under this right we also have to tell you how long we intend to keep your information.

You are entitled to obtain a copy of the personal information held about you by the CSU. Any request to access or obtain a copy of this information will be considered in line with the data protection legislation. This is generally free of charge unless your request is very complicated and/or unreasonably excessive; if you require further copies of information already provided to you we may charge a reasonable administrative fee.

If the information we hold is as a ‘data processor’ on behalf of a ‘data controller’, such as an ICB, for example Continuing Health Care records, you will need to apply to the ICB. The ICB have details as to how to apply on their web sites.

To make a request for personal information which NECS holds about you as a data controller, for example personnel/employee records, email or write to:

Information Governance Team
John Snow House
University Science Park

Right to rectification

This right allows you to ask for any information you believe to be inaccurate or incomplete to be corrected and completed. We are allowed one month (30 days) from the date of your request in which to perform any such corrections or add supplementary statements.

We will communicate any rectification of information to anyone to whom it has been disclosed unless this is not possible or involves disproportionate effort. We will tell you who those recipients are if you ask us.

Right to erasure

This right is also commonly referred to as the ‘right to be forgotten’. You can request that your information be erased, subject to certain exemptions, if it is no longer needed by us for the original purpose we said we would use it for or if you decide to withdraw your consent or if you object to the use of your information. If it transpires that the information was unlawfully used or is found to infringe the law you can ask for it to be erased. We will erase your information if we have a legal obligation to do so. We will communicate any erasure of information to anyone to whom it has been disclosed unless this is not possible or involves disproportionate effort. We will tell you who those recipients are if you ask us.

Right to restrictions of processing

Restriction means marking information with the aim of limiting its processing in the future. Under this right you can request we restrict information processing for a period of time if you think the information is inaccurate, while we check its accuracy. If the information is found to have been used unlawfully you can ask for it to be restricted instead of being erased. If we no longer need to keep the information but you need us to keep it in connection with a legal claim you are involved with you can ask us to restrict it. You can also ask us to restrict processing if you have previously objected to us processing it whilst we check whether our legitimate reasons for processing it outweigh your right.

Once processing has been restricted we can start to use the information again only if you have consented to this or where it is in connection with a legal claim or if it is to protect the rights of another person or there is a strong public interest. We will tell you before any restriction we have put in place is lifted.

We will communicate any restriction of processing to anyone to whom it has been disclosed unless this is not possible or involves disproportionate effort. We will tell you who those recipients are if you ask us.

Right to data portability

The purpose of this new right is to give a person more control over their personal information. Data Portability means you have the right to receive a copy of personal information which you have given us in a structured, commonly-used, machine-readable format and to have it transferred directly to another ‘controller’ where technically possible. This right only applies to information which is processed by automated means and where you have given consent to the processing or where processing is necessary for the performance of a contract. It does not apply if the processing is needed to comply with a legal obligation, our official duties or is for a task carried out in the public interest. It is therefore unlikely to apply to any of the processing carried out by NECS.

Right to object

You can object to the processing of your personal information if the processing activity is necessary for the performance of a task carried out in connection with our lawful, official duties or those of a third party, or a task carried out in the public interest.

We could refuse to comply with a request only where we could show that there was an overriding legal reason or if we need to process the information in relation to a legal claim.

You also have a separate right to object to processing if it is for direct marketing purposes. We do not use your information in this way but if we did we would tell you about it.

This right also includes a specific right to object to research uses except where this is done in the public interest.

Automated decision-making, including profiling

Profiling means any form of automated processing (i.e. processed by a computer and not a human being) of personal information used to analyse, evaluate or predict things about someone; this can include things like someone’s health, personal preferences, interests, economic situation, reliability, performance at work, behaviour, location or movements.

Under this right you can ask not to be subject to a decision made solely by automated means, including any profiling, which affects you in a legal way or has a similar significant effect. Automated decision-making and profiling is not allowed if it involves certain types of information; these ‘special categories’ of information are deemed to carry more sensitivity therefore we cannot use your health information for automated decision-making or profiling unless we have your explicit consent or there is substantial public interest allowing us to do so.

We currently do not carry out any automated decision-making, including profiling.


Where processing is based on consent you have the right to withdraw consent to process your personal data.

Right to complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner if you think any processing of your personal data infringes data protection legislation.
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745

Visit the ICO website.

Data Protection Officer (DPO)

NECS is a hosted organisation therefore we fulfil our requirement for a Data Protection Officer (DPO) through NHS England’s DPO. NHS England has appointed deputy DPOs within their Commissioning Support Units who have delegated responsibility for some of the NHS England DPO’s functions. The delegated DPO tasks are as follows:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations under data protection
(b) to monitor compliance with GDPR
(c) to provide advice regarding data protection impact assessments
(d) to cooperate with the Information Commissioner’s Office (ICO) in relation to any serious incident (level 2) resulting in the unlawful loss or disclosure of personal data by the Commissioning Support Unit
(e) to act as the contact point for the ICO on issues relating to processing, including prior consultation and to consult, where appropriate, with regard to any other matter

The DPO for NECS is Liane Cotterill, who can be contacted at

This policy was last updated in June 2023