Privacy Policy

Data Protection Policy and Fair Processing Notification for PHBChoices e-Marketplace

The site “PHBChoices” is an e-Marketplace which has been provided as a vehicle for you to spend your personal health budget (PHB) funds allocated for your care. This document relates to your personal data processed within this site.


Your Clinical Commissioning Groups (“CCG”, "We") and are committed to protecting and respecting your privacy and maintaining the confidentiality, integrity and security of the information we hold about you.

The types of personal data that we may be required to handle include information about current, previous and prospective suppliers and customers and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in Data Protection legislation and other regulations.

As part of our compliance with legislation, this policy and any other documents referred to in it, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.  Please read the following carefully to understand our views and practices regarding your personal data and how we will manage it.  By visiting you are accepting and consenting to the practices described in this policy.

For the purpose of legislation, the data controller is your clinical commissioning group. NHS Shared Business Services Limited are acting as a data processor on our behalf.

Information we may collect from you

We may collect and process the following data about you:

  • Information that you provide by registering on our site -  This information may include any or all of the following:
    • Name
    • Contact information including email and postal address
    • Age, disability status and  gender
    • PHB value
    • Goods and services purchased via the PHB Choices e-Marketplace
    • Service enquiries between you and service providers
  • Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data.
  • We may also keep a record of any correspondence should you contact us via the site or any other method.


The information detailed above is collected for a number of reasons as outlined below:

  • To create your user log on to the PHBChoices e-Marketplace.
  • To assign your PHB to you.
  • To enable purchase of goods and services.
  • To assist in complaints and dispute handling.
  • To help us generate spend analytics to understand the range and value of goods and services purchased by patient groups.
  • To carry out statutory functions.
  • To help improve our services.
  • To allow us to send information to you which we think you may find of interest.
  • To comply with legal and regulatory obligations.


Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie policy.


We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with our Data Protection Policy.

All information you provide to us is stored securely in accordance with the Data legislation and ISO 27001. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will use all fair and reasonable endeavours to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.


We will use information held about you in the following ways:

  • To ensure that content from our site is presented in the most effective manner for you and for your computer.
  • To carry out our obligations arising from any contracts entered into between you and us.
  • To allow you to participate in interactive features of our service, when you choose to do so.
  • To notify you about changes to our service.
  • To record expenditure in the accounting system of your local CCG, based on information relating to budget amounts and goods and services purchased.
  • To undertake spend analytics

We will only contact you by electronic means (e-mail) on matters related to your personal health budget and purchases made within the site.

Some of the information held about you will also be used by:

  • Suppliers - Suppliers will have access to your name and address details to allow them to provide services or deliver goods to you. Suppliers will not be given access to your medical information when you are set up in the system but you should be aware that if you disclose any information to a supplier when agreeing a service schedule or requesting more information on a product this will be held in the PHBChoices e-Marketplace and could also be retained in the supplier’s system. The suppliers may use the information you provide to advise on the most appropriate care or products for you.

Your allocated personal health budget will not be visible to the suppliers. However, if you choose to register a credit or debit card on the system to make purchases from a supplier outside your personal health budget for your own personal use the supplier will have access to partial card details.

  • The CCGs - Your personal health budget information and PHB Choices e-Marketplace purchase details are kept so that your budget can confirm the budget is allocated and used appropriately. This information gives the CCG a fuller picture of the health of people in the local area and, and is used to provide and improve health services. It also allows the CCG to see what purchases have been made from PHB funds and enables them to undertake audits to ensure funds are spent in accordance with the care plan you agreed. This data also enables the CCG to target patients who may benefit from additional preventive care.
  • NHS Shared Business Services Limited (NHS SBS) and Cloudbuy plc– we will share your personal data with NHS SBS and Cloudbuy since they are processing the data on our behalf.


Information provided will be shared as appropriate by us, NHS SBS, cloudBuy and suppliers within the PHBChoices e-Marketplace for the following purposes:

  • Your name and address will be shared with suppliers when you make a purchase or enquiry to enable them to fulfil the order.
  • Partial credit card details will be shared with suppliers if you make a purchase from personal funds to allow them to collect payment.
  • The goods or services requested will be shared with suppliers to enable them to fulfil the order.
  • Any enquiries will be shared with suppliers to enable them to respond.
  • Your product ratings including comments will be shared with us, the suppliers and the CCG to allow them to monitor the level of service suppliers provide and react accordingly to adverse comments. (You do have the option to send comments anonymously)
  • Your product ratings excluding comments will be shared with other personal health budget holders to inform their buying choices.
  • Your spend data will be shared with us and the CCG to allow them to account for the expenditure, undertake an audit of spend and undertake spend analytics.
  • The data may include the finance codes and descriptions used to account for the payment. At a high level this may reference the age bracket and condition of the patient. If you are the personal health budget holder but not the patient, please note it is your name which may be linked to this data.
  • All data is shared with cloudBuy to enable them to host the PHBChoices e-Marketplace.


We may share your expenditure via the PHBChoices e-Marketplace for health care purposes and for your benefit with other organisations such as NHS Trusts, General Practitioners, etc. We may also need to share information with other non-NHS organisations, from which you are receiving care, such as your local authority (council) and other providers from which they commission services. No health information will be disclosed without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk or where the law requires it or to carry out a statutory function.

We may be asked to share basic information about you, such as your name and address but which does not include sensitive information. This would normally be to assist us to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, this Fair Processing Notice provides notification that this may happen.

Data Sharing Agreement - This more detailed document which spells out how the organisations involved will operate the approach to data sharing. Agreements will be produced where organisations specifically identify a purpose to share data across organisational boundaries. The agreement should state whether partners are obliged to, or are merely enabled to, share data.

We may also disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may disclose your personal information to third parties:

  • If we or substantially all of our assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation and other agreements; or to protect our rights, property, or safety, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.


You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by contacting us at [email protected].

Our site may, from time to time, contain links to and from the websites of our own or partner networks, advertisers and affiliates.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.


Data Protection legislation gives you the right to access information held about you. Your right of access can be exercised in accordance with the legislation. Any access request may be subject to timescales as listed in the legislation, and to which we shall abide in providing you with details of the information we hold about you.  Please see contact details below.


Any changes we may make to our fair process notification in the future will be posted on this page.


Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to [email protected]