Fair Processing Notice
How We Use Your Information
PRIVACY & FAIR PROCESSING NOTICE
Published Sept 2016
This privacy statement only covers the NHS North East Lincolnshire CCG and does not cover any other organisations, including organisations that can be linked to from this site. When you move to the site of, or engage in correspondence with, another organisation, it is important that you read the privacy statement of that organisation.
Who We Are and What We Do
North East Lincolnshire Clinical Commissioning Group (hereafter referred to as “the CCG”) is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012.
Clinical Commissioning Groups are groups of GP Practices that are responsible for commissioning health and care services for the local community, for example hospital services, nursing in the community and mental health services. We ensure that care providers provide safe, high-quality care, which includes responding to concerns from our citizens; please see below for details of how to make comments and complaints.
As a Clinical Commissioning Group we have many other functions, but these do not generally need data that may identify a person individually (identifiable data).
The Data Protection Act
Under the Data Protection Act 1998 the CCG is required to register with the Information Commissioner’s Office, detailing all purposes for which personal identifiable data is collected, held and processed.
The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
The CCG will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and we are allowed or required to by law.
The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data. The NHS North East Lincolnshire Clinical Commissioning Group’s registration number is Z3526987.
View the CCG’s Notification online: http://www.ico.org.uk/esdwebpages/search
The entry sets down:
- The purpose for which the personal data are held, such as the management of personnel, provision of health services to the local community, marketing or research;
- Categories of individuals, such as employees, services users, CCG members;
- Categories of personal data held, such as name, address, medical history;
- To whom the personal data will be disclosed, such as NHS England, Central Government;
- Whether personal information will be transferred overseas.
Information we collect and how we use it
For the majority of our work we do not need to know individually who lives in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual does not come under the Data Protection Act 1998.
The CCG uses information for statistical purposes to allow it to better plan and commission health services for the local area. This could include:
- Monitoring of quality and efficiency of services commissioned
- Statistical analysis of the local population’s illnesses
- Preparing national data submissions for quality and cost
The CCG does not directly provide health care services and therefore does not routinely create or hold any clinical records about any individuals as it does not provide direct care. If you wish to have sight of your own personal health care records you will need to apply to your GP Practice, or the NHS Hospital or NHS organisation which provided your healthcare.
We have been granted an exemption under Section 251 of the NHS Act 2006 which allows us to process personal information for limited purposes including:
Ensuring that the CCG is billed accurately for the treatment of its patients, which is known as "Invoice Validation"
- Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may design a service where the payment is all or partly based on the providers ensuring the service user’s health improves. When processing invoices for payment of treatment or procedures you have received – information such as NHS number, name, address and date of treatment might be used by the CCG. Where this happens, these details are held within a secure environment and kept confidential; such information is only used to validate invoices and not shared for any other purpose.
Section 251 was introduced because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
We currently use the following organisation to help carry out this work:
North of England CSU (NECS)
Other functions for which we do currently process personal identifiable data after gaining an individual’s consent include:
- If a complaint is made about a service we have commissioned, we might need to look at the complainant’s clinical record to understand the impact on that person’s health. Please see below for further information on how to make a complaint
- Individual Funding or High Cost Drug requests require identifiable data to allow requests for care that is not normally funded to be reviewed and if appropriate approved. Sometimes, to assess the request, we will have to speak to the care providers about the patient
- Continuing Health Care Assessments to allow packages of care to be assessed and agreed
- To enable referrals for specific specialities to be assessed by a specialist clinician to ensure the most appropriate care pathway has been identified for patients
There are some circumstances where we are legally required to process personal information or share it with partner organisations without seeking consent, including:
- Investigating and reporting infectious diseases. The CCG is required to investigate the causes of an infection, sometimes contagious, which may cause risk to the public (Post Infection Review). We do not always need to ask permission to access a person’s record if there is a risk to the public
- To allow the organisation to fulfil its obligations to safeguard children and vulnerable adults; this is a statutory obligation on all NHS organisations
- As part of an investigation into serious crimes
- Where instructed to by a court order
From time to time the CCG may collect information about you in order to perform its duties or answer queries, enquiries or complaints you have raised and it applies to:
- Visitors to our website
- People who use the CCG’s services.
- Staff of the CCG
Planning and Improving Healthcare
The CCG uses anonymised and pseudonymised patient information to design and commission care services across its area as well as to identify gaps in healthcare services.
Anonymised information is data about you, but from which you cannot be personally, individually identified.
Pseudonymised information is where any identifiable information (e.g. names) has been removed and replaced with a unique code (to represent each individual) so that specific people cannot easily be identified from the remaining data.
This code still allows information from several sources to be linked together, without seeing the identity of the patient. This de-identification and linking work is carried out by the Health and Social Care Information Centre (a public body granted additional legal rights to carry out the work).
Information across the following sources (national and local) may be used and linked to help manage the health and social care needs of North East Lincolnshire and its surrounding area.
- Primary Care data. This information is extracted from individual GP practices.
- Provider Trusts (collected nationally by NHS Digital): Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health
- Provider Trusts (collected locally): other local patient level activity provided directly to the DSCRO (Data Services for Commissioners) hosted by NECS (North East of England Commissioning Support Unit).
- Other datasets as agreed and approved by the Caldicott Guardian – e.g. social care activity data sets provided by the local council
Visitors to our Website
When someone visits the CCG’s website, http://www.northeastlincolnshireccg.nhs.uk/, information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in a way that does not identify people who have visited our websites.
From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.
By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.
We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event the purpose has been met or when you no longer wish to continue your subscription.
You can read more about how cookies work on the CCG website at: Cookies
People who email us
Any email sent to the CCG, including any attachments, may be monitored and used by the CCG for reasons of security and for monitoring compliance with office policy.
Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
If you post or send offensive, inappropriate or objectionable content anywhere on http://www.northeastlincolnshireccg.nhs.uk/ or otherwise engage in disruptive behaviour on this website we may use whatever information is available to us, about you, to stop such behaviour.
The CCG, as an NHS employer, needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the CCG complies with employment law, or to provide other services related to their employment.
National Fraud Initiative
This organisation is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. For further information on data matching at the CCG please use the “Contact Us” section below.
Declarations of Interests, Gifts, and Hospitality
The CCG is required to maintain and publish on its website registers of interests, gifts and hospitality for staff of the CCG, as well as its Members, Governing Body and Committee Members.
In exceptional circumstances, where the public disclosure of information could lead to a real risk of harm or is prohibited by law, a person’s name or other information may be withheld from the published registers. If you feel that substantial damage or distress may be caused to you or somebody else by the publication of information in the registers, you are entitled to request that the information is not published. Such requests must be made in writing to the CCG or via the contact us page.
Make a complaint to us
When we receive a complaint from anyone we will need to make up a file containing details of the complainant and the complaint they are making. How we use a complainant’s information to investigate a complaint is explained further on our Compliments and Complaints page at: http://www.northeastlincolnshireccg.nhs.uk/get-involved/have-you-say/
Continuing Health Care
The CCG operates an internal Continuing Health Care Team who assess and arrange packages of care for individuals found to have a primary health need.
In order for the CCG to provide these services, it needs to collect and keep a record of personal information about the person to whom the service is to be provided. This record may be either written down or held electronically on computer. These details may include:
- Basic details such as name, address, and next of kin
- Details of health conditions, diagnostic tests, treatments and medications
- Information from other health care professionals and those who provide care
This information may be shared with other agencies involved in providing care or where required by law, for example with social services or for safeguarding purposes; however, such information will only be shared with the appropriate consent or under a statutory legal requirement.
Keeping Information Secure and Confidential
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality and all staff are trained to keep information confidential and have contractual obligations in respect of confidentiality, which are enforceable through disciplinary procedures. Information provided in confidence will only be used for the purposes to which the patient has consented, unless there are specific circumstances allowed by law.
The NHS Confidentiality Code of Conduct applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
We take relevant organisational and technical measures to make sure that the information we hold is secure, such as holding information in secure locations, restricting access to information to authorised personnel, and protecting personal and confidential information held on equipment such as laptops with encryption.
We also have a duty to show that the systems and processes we use are secure and that legal agreements are put in place to maintain security.
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for NHS North East Lincolnshire CCG is Dr. Anne Spalding.
Partner Organisations With Whom We May Share Your Personal Data
We work with and commission a number of partner organisations (both within and outside the NHS) to provide healthcare services to you. We will only share personal information where there is a valid legal basis to do so. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas. These partners include:
- NHS Trusts
- General Practitioners (GPs)
- Local Authorities (including Social Care and Public Health and Education Services)
- Ambulance Trusts
- Other local care providers
- Clinical Commissioning Groups (CCGs)
- Data Processors working on the CCG’s behalf including:
  - North East of England Commissioning Support Unit (NECS)
  - eMBED Health Consortium, who support the data gathering and processing across the Yorkshire and Humber area
The CCG’s Use of Your Information … Your Right To Opt-Out or Withdraw Consent
You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.
In addition you may at any time withdraw any consent you may have previously given the CCG to process information about you.
If you wish to exercise your right to opt-out, withdraw consent to use your information, or to speak to somebody to understand what impact this may have, if any, please contact us.
Opt-Out (Stopping) Information About You Across The NHS Being Used Outside Of Direct Care
If you do not want the NHS to use information about you, collected by your GP or other parts of the NHS, then you can opt out by completing an opt-out form and returning it to your GP practice. There are two different types or levels of opt-out available:
- A Type 1 opt-out prevents information about you held by your GP, from being shared with others for reasons other than direct care.
- A Type 2 opt-out prevents information collected by NHS Digital from hospitals and community care services, from being shared with others for reasons other than direct care.
Depending on the type of opt out you may choose, this will prevent your information being shared outside of your GP practice or NHS Digital for purposes beyond your direct care (except in special circumstances allowed by law, such as when there is a public health emergency or safeguarding issue). More information about these opt-out types is available from NHS Digital.
The possible consequences of opting-out will be fully explained to you and could include problems and delays in identifying and providing the most appropriate care or making additional care resources available.
Access to Personal Information
Everybody has the right to see, or have a copy of, data we hold that can identify them, with some exceptions. You do not need to give a reason to see your data. If we do hold any information about you we will:
- Give you a description of that information
- Tell you why we are holding it
- Tell you who it could be disclosed to
- Let you have a copy
If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld. To make a request to NHS North East Lincolnshire CCG for any personal information we may hold, you will need to put the request in writing and send it to:
By post to:
Subject Access Requests
North East Lincolnshire Clinical Commissioning Group
North East Lincolnshire
By email to: NELCCG.GovernanceTeam@nhs.net
How Long Do You Hold Confidential Information For?
All records held by the CCG will be kept for the duration specified by national NHS guidance (see Records Management Code of Practice for Health and Social Care 2016 Retention Schedule for further information). At the end of the retention period, data will be reviewed as to whether it can then be securely destroyed. When destroying records the CCG will do so in line with the Records Management Code of Practice for Health and Social Care 2016.
Links to Other Websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this Privacy Notice
How to contact us:
North East Lincolnshire Clinical Commissioning Group
North East Lincolnshire
or Email General Enquiries at: firstname.lastname@example.org
For independent advice about protection, privacy or data sharing issues, you can contact:
The Information Commissioner
Phone: 08456 30 60 60 or 01625 54 57 45
The links below give more information about your rights and the ways that the NHS uses personal information:
• NHS Care Record Guarantee
• NHS Constitution
• Confidentiality: The NHS Code of Practice
• An independent review named Information: To share or not to share? The Information Governance Review was conducted in 2012.
• NHS England advice for CCGs and GPs on information governance and risk stratification
• Health and Social Care Information Centre
• The Information Commissioner (the Regulator for the Data Protection Act 1998, who can offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information)