Toggle site contrast Toggle Contract

Data Protection

Information that has been held previously by Bedfordshire, Luton and Milton Keynes Clinical Commissioning Groups transferred to the new NHS Bedfordshire, Luton and Milton Keynes Clinical Commissioning Group on 1 April 2021.

The new Clinical Commissioning Group will become the new Data Controller.  Questions or objections about the use of data (including patient data) by the new organisation should be directed to BLMK CCG [email protected]

For further information about how BLMK CCG process information, please view our Fair Processing Notice below.

Data Protection (Information Governance)

We are committed to ensuring the personal information we hold is processed in line with data protection regulations, legislations and national guidance including, but not limited to, the General Data Protection Regulations (GDPR) and the Data Protection Act 2018.

We measure our compliance using the NHS Digital Data Security and Protection Toolkit. A self-assessment on line tool for which we provide evidence of our compliance. All staff are required to complete mandatory data protection and security training.

We have policies and procedures in place which our staff (including, agency, temporary and volunteers) have a legal obligation to comply with. All staff are also required to complete annual mandatory Data Protection & Security training.


To view our policies please see below (they are being updated and amalgamated to reflect the new one BLMK CCG).

Beds Policies

Luton Policies

MK Policies 

BLMK CCG Policies

Backup Policy

N365 Local Policy & Guidelines

Data Protection Impact Assessments

As required by GDPR we conduct DPIAs, which help us to identify any risks which may occur from the implementation of new IT systems and processing of personal information. To view a list of DPIAs recently undertaken, please click here.

Information Sharing

All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

As a partner of the BLMK Integrated Care System (BLMK ICS

We are signed up to the overarching Information Sharing Agreement (ISA) to support the sharing of patient & service user information for the purpose of direct care.

Later this year this agreement will be replaced with the My Care Record agreement. For information about My Care Record, how it will benefit you and your options/rights, please visit

Subject Access & Access to Health Records Requests

GDPR gives you (or your authorised representative e.g. somebody who has Power of Attorney to deal with your affairs) the right to request and be provided with a copy of the information we hold about you. This is known as ‘the right of access’, also more commonly known as a Subject Access Request (SAR).

Some individuals may also have the right (under the Access to Health Records (Deceased) Act), to request and be provided with information we hold about a deceased individual. However, strict exemptions do apply.

To submit a request please print and complete the form below and send it to us as instructed in the form. Following receipt of your form we will do all we can to provide you with the requested information within 30 calendar days.

Subject Access & Access to Health Records Request form

If you are unable to print the form, please email our IG Department who will be happy to assist you [email protected]

Fair Processing Notice

Our Fair Processing Notice (sometimes referred to as a Privacy Notice) provides details about the information we collect and hold, what we do with it, how we look after it, who we might share it with and your rights.

It covers information we collect directly from you or receive from other individuals or organisations and which organisations process it on our behalf.

To view our Fair Processing Notice, please see below:

BLMK CCG Fair Processing Notice October 2021