The Fair Processing Notice

How your information is used

This Fair Processing/Privacy Notice reminds you of your rights under Data Protection Legislation (this includes the EU General Data Protection Regulation 2016 and the UK Data Protection Act 2018) and demonstrates that the CCG is committed to protecting your privacy when you use our services, in order to meet our obligations as a Clinical Commissioning Group.

It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing agreements that may be in place.

It covers information we collect directly from you or collect indirectly from other individuals or organisations about the CCG’s registered population.

This FPN is part of our programme to make transparent the data processing activities we are carrying out in order to deliver on our commissioning activities.

This Fair Processing/Privacy Notice will tell you

  • Why we collect information about you
  • What types of information we collect, use, hold and process about you, including information we obtain directly from you and information we use from other sources
  • Who we share information with
  • Your rights
  • How we keep your information secure
  • Who you can contact for more information

We are happy to provide any additional information or explanation needed. Any request should be sent by email to emma.smith72@nhs.net or by post to:

Governance Team,
Brierley Hill Health & Social Care Centre,
Venture Way,
Brierley Hill,
West Midlands,
DY5 1RU

Your Rights

Data Protection Legislation, in particular the EU General Data Protection Regulation 2016, provides you with a number of rights, set out in Articles 13-22, relating to the data the CCG holds about you. These are detailed below.

You have the right to be informed of any processing of your data by the CCG. This notice provides you with a summary of the information that the CCG holds, and we hope that this is enough for you to be fully informed. If you wish to know more detail about any aspect of the processing, please contact emma.smith72@nhs.net.

Under Data Protection Legislation you have the general right to request to see, or to be provided with copies of, the personal data held about you. You do not need to give a reason. This right can be exercised in writing or verbally. To submit a Subject Access Request (SAR) to Dudley CCG, please email dudleyccg.sar@nhs.net or telephone 01384 322040. Any requests made will be jointly managed by both the CCG and the Commissioning Support Unit unless you specifically state in your request that you do not wish this to happen.

We will not charge for complying with your request unless it is deemed to be “manifestly unfounded or excessive”. In these circumstances we will work with you to moderate your request to avoid a charge or give you reasonable notice of the potential cost before we proceed with your request.

If you have made your request in an electronic form (e.g. via email) and wish to receive the response in the same format, we will take all reasonable measures to comply with your request. Where we cannot provide information in the format of your choosing, we will notify you before proceeding with the request.

We will endeavour to respond to your request within one calendar month. Where a request is particularly complex, this period may be extended by up to a further two months; we will tell you within the first month if an extension is necessary.

Under current Data Protection Legislation, we reserve the right as data controller to withhold personal data if disclosing it would “adversely affect the rights and freedoms of any third party referred to in information held about you”. We will of course advise you of our rationale for withholding any information, whilst observing the right of confidentiality of the third party.

The CCG will not publish any information that identifies you or routinely disclose any information about you without your express permission.

The CCG does not directly provide healthcare services and as such does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal healthcare records you will need to apply to your GP Practice, the hospital or the NHS organisation which provided your healthcare. However the CCG will hold information in relation to the provision of Continuing Healthcare, the management of a complaint and/or the outcome of an Individual Funding Request (IFR).

Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO) website: https://ico.org.uk/for-the-public/personal-information/.

You have the right to ‘be forgotten’ unless there is an overriding legal requirement to retain the information held about you. Within the NHS it is a statutory responsibility to retain a record of health care events, i.e. a medical record. All health related records are held in line with the NHS Records Management Code of Practice 2016 retention schedules unless otherwise stated.

If you wish to discuss the content of your medical record then please contact the GP Practice, the hospital or the NHS organisation which provided your healthcare to address your concerns.

You have the right to have accurate and up to date records held about you by an organisation. If you are aware of a mistake in the information held about you, contact the service you supplied your information to for rectification of your record. If the information is not part of your health record (health records follow the specific DOH Records Management Code of Practice 2016 guidance), the CCG will work with you to rectify the inaccurate information.

You have the right to ask us to restrict or suppress the use of your personal data. It is a statutory responsibility for the NHS to retain a record of health care events, i.e. a medical record. If you wish to discuss the content of your medical record then please contact the GP Practice, the hospital or the NHS organisation which provided your healthcare to address your concerns. If you wish to discuss this right in relation to the data the CCG holds, please contact the CCG.

You have the right to refuse or withdraw consent to information sharing at any time. If you withhold consent, it may have an impact on the services and responses we can offer you. If you do not wish to consent to your personal information being shared with us, or have any concerns or questions about the use of your personal information, please contact the CCG’s Data Protection Officer, Emma Smith, at emma.smith72@nhs.net.

The National Data Opt-out Programme, introduced in 2018, provides you with information on how you can control your information being used for research and planning. The programme has simplified the choices by splitting the uses of your information into two: information used for your individual care, and information used for research and planning. You can visit the NHS website at https://www.nhs.uk/your-nhs-data-matters/, where you will see all the options available to you and can manage your choices.

Information from other places where you receive care, such as hospitals and community services, is collected nationally by NHS Digital. There are some specific situations where your data may still be used: data that does not identify you may still be used, and your confidential patient information will still be used to support your individual care. Any preference you set using this service will not change this.

If the CCG holds information about you in an identifiable form on the basis of consent and you no longer wish us to hold this data, please contact the CCG stating that you wish the CCG to stop holding and processing your data. The CCG will explain whether this is possible, i.e. whether there is any overriding legal or statutory reason to continue.

Where you have provided information directly to the CCG, or the CCG has collected your information for the performance of a contract, you can exercise your right to data portability. This means that you can obtain your own personal data and reuse it for your own purposes; in practice, you could transfer your information to another organisation, and it would be provided in a format which allows you to do this. The CCG will explain where this is possible, such as where the information is held electronically in an easily readable format.

An organisation has to evidence specific conditions in order to make decisions about you that rely solely on automated processing and/or profiling. An organisation can only carry out this type of decision-making where the decision is:

  • Necessary for the entry into or performance of a contract; or
  • Authorised by Union or Member state law applicable to the controller; or
  • Based on the individual’s explicit consent

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

To exercise any of your rights listed above, please contact:

Dudley CCG Governance Team / Data Protection Officer Tel: 01384 322040 or

Email: emma.smith72@nhs.net

You also have the right to complain to, appeal to or raise your concerns about the processing of your information with the Information Commissioner’s Office by writing to:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire
SK9 5AF
Enquiry Line: 01625 545700

www.ico.gov.uk

What is the new Single National Data opt-out?

The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. If you do not wish your confidential information to be used for anything except your direct health care you are able to ‘opt-out’. As your data may be used in a variety of ways and for a variety of purposes, you are able to opt-out of some of these but remain ‘in’ for others, e.g. you may not wish a sub-set of your data to be uploaded to the National Spine, so you would opt-out of this, but may wish your anonymised data to be used for research purposes, so you would not opt-out of this. You can discuss this with your GP Practice, who will explain the different options you have.

There may be occasions when it is not possible to exercise your right to “opt out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

You can choose whether your confidential patient information is used for research and planning. To find out more visit nhs.uk/your-nhs-data-matters.

You do not need to do anything if you are happy about how your confidential patient information is used. You can change your choice at any time.

Type 1 and Type 2 opt-out: move to single opt-out process

Previously, if you did not want personal confidential data that identifies you to be shared outside your GP practice for purposes beyond your direct care, you registered a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Type 1 opt-outs continue to be held by your GP practice. The type 2 opt-out has been replaced by a single national data opt-out that you can set yourself by following the instructions on the website nhs.uk/your-nhs-data-matters.

You will need your NHS number to hand in order to make your opt-out choice.

Please note that any patients who registered a type 2 opt-out previously will automatically be migrated over to the new single opt-out system, there is no need for you to re-register your decision.

Type 2 opt-out: carried over

Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information collected from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out. You can find further information here: https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information/your-information-choices/how-opt-outs-work.

From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically carried over to the new single national data opt-out process.

 

Why we collect information about you

In carrying out our role and responsibilities as a commissioner of services for people living and working within the footprint of the CCG, it is essential that the CCG understands the health and social care needs of our community, so that those needs are correctly identified and the services to meet them are made available and are effective.

The information is kept in written or digital form. The records will, where necessary, include basic details about you, such as your name and address, and may also contain more sensitive information about your health and social care usage, as well as information such as the outcomes of needs assessments where this is necessary to deliver a service directly to you. The key reasons the CCG holds data are to:

  • Check the quality of care we provide to everyone (a clinical audit)
  • Protect the health of the general public
  • Monitor how we spend public money
  • Train healthcare workers
  • Carry out research
  • Help the NHS plan for the future
  • Pay for the services we commission

From time to time the CCG uses patient data to analyse the health of a population. This is required for the commissioning of health services to our local population, or to help target preventive care to certain patients. If we use your information for these reasons, we will remove your name and other details which could identify you. If we need the information in a way that identifies you, we will ask you first.

The people caring for you use your information (paper or electronic) to provide treatment, to check the quality of your care, to help you make good decisions about your health, to investigate complaints and claims, and for commissioning purposes.

Under the EU General Data Protection Regulation 2016, Dudley CCG’s lawful basis for processing is Article 6(1)(e) – ‘…exercise of official authority…’ – as a commissioner of health services. For the processing of special category (health) data the condition relied on is Article 9(2)(h) – ‘…health or social care…’ – for the purpose of managing and planning these types of services. Further detail is given later in this notice on specific types of information we process and the legal basis for each, e.g. Safeguarding, Individual Funding Requests and so on.

Personal information we legally collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records. However, there are some circumstances in which we may need to hold some personal information about you. The different categories of personal data used by the CCG are defined below:

Personal data

This is information, sometimes called identifiable information, which on its own or combined with other information may identify you, such as your name and address. The CCG only has access to identifiable information where a legal basis exists to hold that information.

Special category data

This is personal data of a kind that would not usually be disclosed. Where the CCG has a legal basis to hold personal data, that data may include health data, which is then classed as special category data. All personal data the CCG holds is protected and requires a legal basis for it to be held. The following are examples of special categories of data: race; ethnic origin; political opinion; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.

Anonymised data

Information about individuals with identifying details removed, so that it cannot be traced back to you. Unique identifiers such as your name and full address have been removed so the information is no longer ‘person identifiable’. This information is used to plan health care services. Specifically, it is used to:

  • Check the quality and efficiency of the health services that the CCG commissions
  • Prepare performance reports on the services commissioned
  • Establish what illnesses people will have in the future, so the CCG can plan and prioritise services and ensure these meet the needs of patients in the future
  • Review the care being provided to make sure it is of the highest standard

Pseudonymised data

Personal information about you is replaced with a code, which allows the CCG to map your treatment through the health care system but only allows the provider/organisations providing your treatment to identify you. This can also be shared with third parties who, without the key, would not be able to identify you. This is often used, for example, when information is needed for research purposes.

Aggregated information

Anonymised information grouped together so that it cannot easily be put back together in order to identify individuals.

Where possible, we ensure your information is anonymised / aggregated or pseudonymised (especially when using information for purposes other than for direct patient care).

In the circumstances where we are required to hold or receive personal information, we will only do this where there is a legal basis for doing so, for example:

  • We have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care
  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to provide funding for Continuing Healthcare services
  • if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user participation groups

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

The CCG as a commissioner has a number of functions it performs as part of its day to day activities. Some of the activities listed below are conducted on behalf of the CCG by a data processor (an organisation that processes data on behalf of a data controller, who decides on the purpose of the data and how it will be processed). For each activity we explain what information is collected, from which sources and for what purposes.

Although this is not an exhaustive listing, the following sections give key examples of the purposes and rationale for why we collect and process information. For each purpose we have provided information on the purpose, including benefits to you as a patient; the type of information used (see the definitions above); the legal basis identified for the collection and use of information; how we collect and use the information required; data processing activities, listing any third parties we may use for each purpose; and information on how to opt out of your information being used for each purpose.

  • Complaints
  • Funding Treatments
  • Continuing Healthcare
  • Risk Stratification
  • Patient and Public Involvement
  • Commissioning
  • National Registries
  • Research

Complaints

To process your personal information if it relates to a complaint where you have asked for our help or involvement.

Type of Information Used

Identifiable

Legal Basis

We will need to rely on your explicit consent to undertake such activities.

Complaint Processing Activities

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will use the personal/clinical information we collect to process the complaint and to check the level of service we provide, subject to your explicit consent.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

We will publish service user stories, following upheld complaints, anonymously via our governing body. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we publish the service user story.

Opt out details

If you do not want information identifying you to be disclosed we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

Funding treatments

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

This may be called an “Individual Funding Request” (IFR).

Type of Information Used

Identifiable – to make payments

Anonymous – to provide reports for analysis of payments made

Legal Basis

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

How We Collect and Use Information in relation to Funding Treatments

Information required to make payments in relation to Funding Treatments is provided by you, along with relevant information from primary and secondary care with regard to the referral for specialist treatment.

Opt out details

Payments cannot be made if you choose not to provide identifiable information. Alternative arrangements will need to be considered.

 

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.

Type of Information Used

Identifiable

Legal Basis

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

How We Collect and Use Information in relation to Continuing Healthcare

The assessment team will collect, use, share and securely store information from / with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.

Data Processing Activities

The CCG has engaged the services of NHS Arden and Greater East Midlands Commissioning Support Unit to provide this service on our behalf.

Opt out details

A Continuing Healthcare assessment cannot be carried out if you choose not to provide identifiable information. Alternative arrangements will need to be considered.

 

Risk stratification

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Type of Information Used

Different types of data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from GP Practices and NHS Digital to a Risk Stratification supplier (see below, Data Processing Activities)

Aggregated – the CCG can only receive this information in a format which cannot identify you.

Pseudonymised – GPs are provided with pseudonymised data for risk stratification planning purposes; however, where a direct care impact is identified for a patient through the process, the GP will be able to re-identify the patient concerned.

Legal Basis

We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.

Commissioning Benefits

Patients are typically at high risk because they have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Data Processing activities for Risk Stratification

The service provider for Risk Stratification purposes for Dudley registered patients is EMIS Health which uses your NHS number as a unique identifier.

The risk stratification tool uses various combinations of historic information about patients, for example age, gender, diagnoses, patterns of hospital attendance and admission, and primary care data collected in GP practice systems.

All data is held within the EMIS Web system. The CCG uses pseudonymised information from this system to understand local population needs, whereas GPs are able to identify which of their patients (using your NHS number as the identifier) are at risk, in order to offer them a preventative service.

The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Opt out details

National Data opt-out applies.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Further information about risk stratification is available here.

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Type of Information Used

Identifiable

Legal Basis

We will rely on your consent for this purpose.

Benefits

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

Opt out details

You can opt out at any time by contacting us.

Commissioning

To collect NHS data about service users that we are responsible for.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from Primary and Secondary Care Services to NHS Digital

Aggregated – the CCG can only receive this information in aggregated format which does not identify individuals

Legal Basis

Our legal basis for collecting and processing information for this purpose is statutory.

Processing Activities

Hospitals and community organisations that provide NHS-funded care must submit certain information about services provided to our service users to NHS Digital (formerly the Health and Social Care Information Centre, HSCIC). This data is held securely and processed by a system called the Secondary Uses Service (SUS), which anonymises the data so that we, the CCG, cannot identify any patients from the data we receive from SUS.

This information is generally known as commissioning datasets. The CCG obtains these datasets from the HSCIC and they relate to service users registered with GP Practices that are members of the CCG.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population and to gain evidence that will improve health and care through research.

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by the Health and Social Care Information Centre (HSCIC) is available on their website http://www.hscic.gov.uk/patientconf

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use this dataset for a number of purposes such as:

  • Performance managing contracts;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
  • Preparing statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • Helping us plan future services to ensure they continue to meet our local population needs;
  • Reconciling claims for payments for services received in your GP Practice;
  • Auditing NHS accounts and services.

Opt out details

National Data opt-out applies.

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Type of Information Used

Identifiable and pseudonymised – dependent on purpose.

Legal Basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables NHS Digital to process identifiable information without consent for the purposes of approved National Registries.

How We Collect and Use Information in relation to National Registries

The GP Practices within our CCG membership provide this information to NHS Digital using a secure transfer method.

Opt out details

National Data opt-out applies.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Research

To support research-oriented proposals and activities in our commissioning system.

Type of Information Used

Identifiable and anonymised – dependent on the purpose.

Legal Basis

Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

Benefits

Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

Opt out details

Where consent is required to take part in a research project you will also be provided with details by the organisation holding your records on how to opt out at any time.

Where s251 approval has been granted you can request that your identifiable information is not included. The Register of current s251 approvals across England and Wales can be found here:

The organisation holding your records will provide notices on their premises and websites about any research projects being undertaken which will provide opt out details.

Your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Information processed by specific teams

The tables attached document where identifiable information is being processed within specific teams in the CCG, and the legal basis for processing.

Primary and Secondary Care Data

The NHS provides a wide range of services which involve the collection and use of information. Different care settings are considered as either ‘primary care’ or ‘secondary care’. Primary care settings include GP practices, pharmacists, dentists and some specialised services such as military health services. Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Throughout this Privacy Notice you will see reference to an organisation called NHS Digital who are the national provider of information, data and IT systems for commissioners (such as the CCG), analysts and clinicians in health and social care. NHS Digital provide information based on identifiable information passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information. The way in which NHS Digital collect and use your information can be found here.

For EU General Data Protection Regulations 2016 purposes Dudley CCG’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’ as a commissioner. For special categories (health) data the basis is Article 9(2)(h) – ‘…health or social care…’ for the purpose of managing and planning these types of services.

Invoice Validation

Invoice validation is an important process because we are using public funds. It involves using your NHS number as an identifier, together with other identifiable data, to check that we are the CCG that is responsible for paying for your treatment. We can also use this information to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

Any information utilised for the purposes of invoice validation will only be retained for the length of time required to validate the invoice to which it relates. After this time the information will be securely destroyed by the CCG.

Legal Basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables the Arden and GEM CSU CEfF (see below) to process identifiable information without consent for the purposes of invoice validation within a Controlled Environment for Finance – CAG 7-07(a)(b)(c)/2013.

Other organisations who provide support services for us

This involves other organisations processing data on our behalf.

Legal Basis

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”.

Below are details of our data processors and the function that they carry out on our behalf:

  • Arden & GEM CSU – Invoice Validation, Commissioning Intelligence analysis, Continuing Healthcare, Individual Funding Requests, Medicines Optimisation
  • Iron Mountain – Archiving of Records
  • CW Audit – Internal Audit related purposes
  • Grant Thornton – External Audit related purposes
  • Mills & Reeves – Legal Advice
  • NHSLA – Claims Management
  • Datashred – The CCG’s Confidential Waste Disposal Company
  • Dudley MBC – Assessments and evaluation of safeguarding concerns for individuals through the Dudley Multi Agency Safeguarding Hub (MASH) and the Child Protection Information Sharing (CP-IS) process.
  • Qualified Clinicians – Incident investigation by appointed specialists
  • Midlands & Lancashire CSU – To identify specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate care and treatment; this is known as risk stratification
  • University Hospitals Birmingham NHS Trust – Staff Payroll & Occupational Health Services

Midlands & Lancashire CSU are an NHS England approved Data Services for Commissioning Regional Office (DSCRO). They provide a secure and compliant data processing function for health and social care data sets. This type of processing is to support commissioning, planning, risk stratification, patient care and paying and validating invoices. The output data from this process will be anonymised or pseudonymised. The CCG does not receive any personal identifiable information from this service.

Benefits

These organisations are subject to the same legal rules and conditions for keeping personal confidential data confidential and secure, and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with Data Protection Legislation, including the European General Data Protection Regulations 2016 and Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. We will only process personal data if there is a legitimate basis for doing so and any such processing is fair and lawful.

Dudley CCG is a Data Controller under the terms of the European General Data Protection Regulations 2016 and Data Protection Act 2018. We are legally responsible for ensuring that all personal information that we process (i.e. hold, obtain, record, use or share) about you is handled in compliance with Data Protection Legislation.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3548596 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us; and/or
  • When we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

The Health and Social Care Information Centre (HSCIC) has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information which can be found here.

How we keep your information secure

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that access to information is restricted and only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

Retention and destruction of records

All records held by the CCG will be retained in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016 which concentrates on the management of records through their lifecycle, i.e. from creation to eventual archiving or destruction.

The NHS Care Record Guarantee is a commitment that all NHS organisations (and other organisations which provide NHS-funded care) will use your records in ways that respect your rights and promote your health and wellbeing. The NHS Constitution establishes the principles and values of the NHS in England. It provides a summary of your legal rights and contains pledges that the NHS is committed to achieve, including certain rights and pledges concerning your privacy and confidentiality.

Overseas Transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Review and Changes to our Fair Processing/Privacy Notice

We will keep our Fair Processing/Privacy Notice (FPN) under regular review. This FPN was updated in October 2018, Version 14.

Key roles in the CCG

The CCG have a number of key roles which support the protection of your data:

  • Caldicott Guardian – The CCG’s Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate and lawful information sharing. The Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information. The CCG’s Caldicott Guardian is Dr Jonathan Darby, who can be contacted via jonathan.darby@nhs.net.
  • Senior Information Risk Owner (SIRO) – A SIRO is a CCG Executive Director or member of the Senior Management Board of an organisation with overall responsibility for an organisation’s information risk policy. The SIRO is accountable and responsible for information risk across the organisation. The SIRO ensures that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. The CCG’s SIRO is Matthew Hartland, who can be contacted via matthewhartland@nhs.net.
  • Data Protection Officer – The CCG has appointed a Data Protection Officer as required by Data Protection Legislation. The Data Protection Officer ensures that your rights are respected and the CCG is compliant with the law. If you have any concerns or questions about how the CCG looks after your personal information, please contact the Data Protection Officer by using the contact details above. The CCG’s Data Protection Officer is Emma Smith, who can be contacted via emma.smith72@nhs.net.

Contact us

If you have any questions or concerns regarding how we use your information, please contact us at:

Data Protection Officer
Brierley Hill Health & Social Care Centre, Venture Way, Brierley Hill,
West Midlands, DY5 1RU
Phone: 01384 322040
Email: emma.smith72@nhs.net

If you would like to request any personal information that the CCG may hold about you under Data Protection Legislation, please submit a Subject Access Request:

Subject Access Request Team,
Brierley Hill Health & Social Care Centre, Venture Way, Brierley Hill,
West Midlands, DY5 1RU
Phone: 01384 322040
Email: dudleyccg.sar@nhs.net

For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Phone: 08456 30 60 60 or 01625 54 57 45
Website: www.ico.gov.uk
Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found via the following links:

  • Data Protection Act 2018
  • General Data Protection Regulations
  • NHS Confidentiality Code of Practice
  • NHS Digital Guide to confidentiality in health and social care
  • Health Research Authority
  • NHS England
  • The NHS Constitution is founded on a common set of principles and values that bind together the communities and people it serves – patients and public – and the staff who work for it. The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
  • The NHS Care Record Guarantee sets out the rules that govern how patient information is used in the NHS and what control the patient has over this. It covers people’s access to their own records; controls on others’ access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee. The NHS Care Record Guarantee was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. It was last reviewed in January 2011. An independent review of how information about service users is shared across the health and care system, led by Dame Fiona Caldicott, was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review, can be found at: https://gov.uk/government/publications/the-information-governance-review
  • The NHS Commissioning Board – NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning http://www.england.nhs.uk/wp-content/uploads/2012/12/clinical-datasepdf
  • Please visit the Health and Social Care Information Centre’s website for further information about their work. Information about their responsibility for collecting data from across the health and social care system can be found at http://hscic.gov.uk/collectingdata
  • The Information Commissioner’s Office is the Regulator of Data Protection Legislation and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit the Information Commissioner’s Office website at http://ico.org.uk.

The Health Research Authority (HRA) has been established to promote and protect the interests of patients, streamline regulation and promote transparency in health and social care research. http://www.hra.nhs.uk.