How we handle your personal data in respect of:

  • feedback forms
  • complaints/compliments
  • requests for information   
  • recruitment.

NHS South, Central and West Commissioning Support Unit (CSU) is hosted by NHS England and provides a range of commissioning support services to clinical commissioning groups (CCGs).  The range of services may include:

  • the management and investigation of complaints
  • handling of Freedom of Information requests
  • communications and engagement services
  • advice and guidance on access to personal records
  • recruitment of staff.

This may involve the disclosure of relevant personal information to us and may be used for informing commissioning decisions and providing information to the CCGs.

Invoice validation

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine.  This will be performed in a secure environment and will be carried out by a limited number of authorised CSU staff.  These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF) approved by NHS England.

Risk stratification (pro-active care management)

Pro-active care management, known as risk stratification, is a process that helps your family doctor (GP) to help you manage your health.

By using selected information from your health records, a secure NHS computer system will look at any recent treatments you have had in hospital or in the surgery and any existing health conditions that you have. This will alert your doctor to the likelihood of a possible deterioration in your health. The clinical team at the surgery will use the information to help you get early care and treatment where it is needed.

Our Data Services for Commissioners Regional Offices (DSCRO) supports GP practices with this work. NHS security systems will protect your health information and patient confidentiality at all times.


Right to opt out (fair processing)

Patients have a right to opt out of their information being used for risk stratification profiling. It follows that the practice must make patients aware that their information is being used for these purposes and that they have a right to opt-out. This information is required for compliance with Principle 1 of the Data Protection Act. NHS England guidance is that GP practices should provide information to patients explaining how their data will be used and what to do if they have any concerns or objections.

Wherever possible the information provided will not identify you and will be used in an anonymous format (no personal information included).  Where personal information is used we will seek your consent to do this, however there may be certain circumstances in which we are legally required to share your personal information without your consent for example:

  • by a court order
  • Safeguarding
  • Prevent disorder or crime
  • Notifiable diseases.

Access to personal information held about you

You are entitled to receive copies of all personal information held about you.  Any requests made will be jointly managed by both CCG and CSU staff unless you specifically state in your request that you do not wish this to happen.

If you do not wish to consent to your personal information being shared with us or have any concerns or questions about the use of your personal information please contact the CSU Information Governance Team This email address is being protected from spambots. You need JavaScript enabled to view it..  However, we would point out that withholding permission to share your personal information may seriously impact on the services and responses we can offer you.

How we keep your personal information confidential

Under the NHS Confidentiality Code of Conduct, all of our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. This will be recorded in your records.

Visitors to our website

When someone visits the CSU website we collect standard internet log information and details of behaviour patterns.  We do this to find out things such as the number of visitors to the various parts of the site.  We collect this information in a way which does not identify anyone.  We collect identifiable information from visitors to our website who register in order to comment on forum threads or to receive further information on specific topics.  This information is held securely and only used for the purposes provided.

We do not make any other attempt to find out the identities of those visiting our website.  We will not associate any data gathered from this site with any personally identifying information from any source.  If we do want to collect personally identifiable information through our website, we will make it clear when we collect the personal information and will explain what we intend to do with it. 

YouTube Cookies

We embed videos from official NHS YouTube channels using YouTube’s privacy-enhanced mode.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites.  We encourage you to read the privacy statements on the other websites you visit.

Job applicants, current and former employees

When individuals apply to work at the CSU, we will use the information they supply to us to process their application and to monitor recruitment statistics.  Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure Barring Service (DBS), we will not do so without informing them beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted.  We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment with us, we will compile a file relating to their employment.   The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment.  Once their employment with the CSU has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

Links to other patient information

The NHS Care Record Guarantee

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people's access to their own records; controls on others' access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves.

Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. It was last reviewed in January 2011.

Please read the NHS Care Record Guarantee version 5 (2011) for more information.

NHS Constitution

The NHS is founded on a common set of principles and values that bind together the communities and people it serves – patients and public – and the staff who work for it. 

The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice was last updated on 01 April 2015.