This website is no longer being updated.

NHS Sheffield Clinical Commissioning Group has been legally dissolved and from 1 July 2022 has been replaced by a new organisation: NHS South Yorkshire Integrated Care Board (SY ICB). NHS South Yorkshire ICB is now responsible for commissioning and funding of health and care services locally. Please go to our new website for information about the work of NHS South Yorkshire ICB and details about how to contact us.

Thank you.

We want you to have more care closer to your home...

Details of information used for specific purposes: Invoice Validation

Details of information used for specific purposes: Invoice Validation

Data Controller(s)

NHS Sheffield CCG


Invoice validation is part of the process by which providers of care or services get paid for the work they do.

Invoices, with supporting information, are submitted to the CCG of their service for payment, but before payment can be released, the CCG needs to ensure that the activity claimed for each patient is their responsibility. These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF), hosted on our behalf by NHS Rotherham CCG, to ensure that the right amount of money is paid, by the right organisation, for the treatment provided. The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people and is designed to protect confidentiality.

Type of information Used

Identifiable (NHS number, date of birth or postcode) and Special Category (health information)

Legal basis

GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

A section 251 approval (CAG 7-07(a)(b)(c)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the CCG to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.

How we collect (the source) and use the information

Organisations that provide treatment submit their invoices to the CCG for payment. The nominated secure area (Controlled Environment for Finance) receives additional information, including the NHS Number, or occasionally date of birth and postcode, from the organisation that provided the treatment.

NHS Digital sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.

The CCG does not receive any identifiable information for purposes of invoice validation; however we do receive aggregated reports to help us manage our finances.

Data Processors

NHS Rotherham CCG who operate the Controlled Environment for Finance as a shared service.

NHS Shared Business Services - used by the Controlled Environment for Finance as a Data Processor

Transfers of Data Overseas


NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.

Your Rights

If you do not want the NHS to use information about you, collected by your GP then you can opt out by completing an opt-out form and returning it to your GP practice.

Type 2 opt outs apply to invoice validation - where you do not wish for your information to be shared by NHS Digital.

From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically converted to national data opt-outs. Further information about the Type 2 opt out and the conversion to the national data opt-out is available from NHS Digital.

Details of the national patient opt out can be found here:

With regards to Invoice Validation under GDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To object to it being processed or used
  • Not to be subject automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Invoices are retained for 6 years after the end of the financial year to which they relate.

Who we will share the information with (recipients)

This information is not shared outside of the CCG.



NHS Sheffield Clinical Commissioning Group

722 Prince of Wales Road
S9 4EU

Logo: Facebook Logo: Twitter Logo: Youtube Logo: Pinterest