West Suffolk CCG – Privacy Notice
The purpose of this notice is to inform you of the type of information (including personal information) that the Clinical Commissioning Group (CCG) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.
This privacy statement only covers NHS West Suffolk CCG and does not cover any other organisations or organisations that can be linked to from this site.
The CCG has a duty to ensure that your personal confidential data is kept confidential, secure and used appropriately.
WHO WE ARE AND WHAT WE DO
NHS West Suffolk Clinical Commissioning Group (CCG)
West Suffolk House,
Bury Saint Edmunds
Information Commissioners Office registration number: Z3612881
Data Protection Officer Paul Cook (IG) – email: firstname.lastname@example.org
NHS West Suffolk CCG are responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012.
Clinical Commissioning Groups are overseen by NHS England, all GP practices now belong to a CCG, and together they are responsible for commissioning most health and care services for the local community, for example hospital services, nursing in the community and mental health services. NHS West Suffolk CCG is made up of the 24 GP practices that are based in the West Suffolk area.
The CCG also manages the performance of services that it commissions to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about those services.
As a Clinical Commissioning Group we have many other functions, but these do not generally need data that may identify a person.
WHAT KIND OF INFORMATION WE USE
For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual does not come under the Data Protection Act 2018. There are different types of information collected and used across the NHS.
We use six types of information/data:
- Anonymised data, which is data about you but from which you cannot be personally identified;
- De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;
- De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times whereby you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;
- Anonymised information (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment.
- Personal data from which you can be personally identified; and
- Sensitive information/data about you from which you can be identified.
INFORMATION WE COLLECT
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose which will mean you would not be able to be identified from that information. Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency.
- Checking NHS accounts and services.
- Working out what illnesses people will have in the future so that we can work with the local primary care services, community services and hospital services to make sure that patient needs are met.
- Preparing performance reports about the services we commission
- Reviewing the care we commission to make sure it is of the highest standard.
- We will only use information that may identify you (known also as personal confidential data) in accordance with the: Data Protection Act 2018– The Data Protection Act requires us to have a legal basis if we wish to process any personal information.
- NHS Care Record Guarantee– sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made and investigating and managing inappropriate access (audit trails)
- NHS Constitution for England– this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.
- Caldicott Principles– sets out a number of general principles that health and social care organisations should use when reviewing its use of patient information. All staff are expected to follow these principles to ensure that information is protected and only shared in the best interests of their patients.
A Duty of Confidence
We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.
Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, because of our assigned responsibilities where we do hold and use personal information. In order to process that information we will have met a legal requirement, in general this is where we have complied with one of the following:
- The information is necessary for facilitating direct healthcare for patients
- We have received consent from individuals to be able to use their information for a specific purpose
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
- We have special permission for health purposes (granted by the Health Research Authority Section 251).
- For the health and safety of others, for example to report an infectious disease such as meningitis or measles
Circumstances where we might need to use personal information
The areas where we use personal information are:
- Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS.
- Continuing Healthcare Assessments (a package of care for those with complex medical needs).
- Responding to your queries, concerns or complaints.
- Incident investigations.
- Assessment and evaluation of safeguarding concerns for individuals.
- If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations.
We keep your information in written form and / or on a computer securely and confidentially.
The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation.
WHAT WE USE YOUR INFORMATION FOR
Patient Related Information:
Your information may be used to help assess the needs of the general population both on a local and national level to help make informed decisions about the provision of future services. Information may be used to conduct health research and development, public health activities and to monitor NHS performance in order to allow the NHS to plan for the future. Only anonymised or pseudonymised information will be used for this purpose.
Pseudonymisation is a technical process that replaces identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
Data may be linked and de-identified so that it can be used to improve health care and development and monitor NHS performance. For example linking those who receive Home Care and District Nurses, to understand how we might improve the patient’s experience. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.
The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCG does not have access to your personal data. The information is pseudonymised.
Where care is provided and the CCG is responsible for it, we will need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP Practice within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England.
We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain with the Controlled Environment for Finance approved by NHS England.
The legal basis for data flows (Section 251 of the NHS Act 2006)
The Secretary of State for Health gives limited permission for the CCG (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.
This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.
This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
More information about Section 251 is available from the Health Research Authority web site.
HOW YOUR DATA IS USED TO HELP THE NHS
The law provides some NHS bodies, particularly the Health and Social Care Information Centre, with ways of collecting and using patient data that cannot identify individuals. This helps Commissioners such as the CCG, to design and procure the combination of services that best suit the population they serve.
Data may be linked and de-identified by these special bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
From time to time the CCG may collect information about you in order to perform its duties or answer queries, enquiries or complaints you have raised and it applies to:
- Visitors to our website
- Complainants and other individuals.
- People who use the CCG’s services.
- Staff of the CCG
Visitors to our website
When someone visits the CCG’s website https://www.westsuffolkccg.nhs.uk/ information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in such a way that does not identify people who have visited our websites.
From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.
By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.
We work with a number of other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.
We contract with other organisations to provide a range of services to us such as IT services, Payroll and other support services. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.
We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Current external data processors:
Data Services for Commissioners Regional Offices (DSCRO) this is a regional secure service provided to the CCG by NHS Digital via North of England Commissioning Support Unit (NECSU).
Information may also be required to be shared for your benefit with other non NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation such as;
- There is a risk of harm to someone or the wider community
- The prevention or detection of a serious crime
- Where we are required to do so by law
- Reporting some infectious diseases.
In the event that we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.
The CCG is party to a number of information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to social services, education services, local authorities, police, and public health.
KEEPING YOUR INFORMATION SECURE AND CONFIDENTIAL
All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.
We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption and information is transferred safely and securely.
The CCG does not transfer personal confidential information overseas.
Under the Data Protection Act 2018, the CCG is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.
The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it
The CCG will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and or required to by law.
Subject to some legal exceptions, you have the right to:
- request a copy of the personal information Act Now Training holds about you;
- to have any inaccuracies corrected;
- to have your personal data erased;
- to place a restriction on our processing of your data;
- to object to processing; and
- to request your data to be ported (data portability).
To learn more about these rights please see the ICO website.
If you are dissatisfied with our response you can complain to the Information Commissioner’s Office
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745
HOW LONG WE WILL KEEP YOUR INFORMATION
There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care which determines the length of time records should be kept.
NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so has been determined and received from the Data Controller.
CHANGES TO THIS PRIVACY NOTICE
If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.
If you have any questions regarding the information we hold about you or you believe the CCG has not complied with the Data Protection Act 2018 in the way we have processed your personal information, you have the right to make a complaint by contacting:
Data Protection Officer Paul Cook (IG) at Email: email@example.com
In order to investigate your complaint we will need to process the information you provide us with along with other information we may already hold about you which is relevant to your complaint. If as part of investigating your complaint we need to share some information about you with a health or social care provider, we will ask for your permission to do so.
The record of your complaint will be retained in line with the Records Management Code of Practice for Health and Social Care.
For independent advice about data protection, privacy and data-sharing issues, you can contact:
The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF