Privacy Notice – how your information is used

Who we are

NHS Gloucestershire Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.

For further information please refer to the ‘About Us’ page on our website: http://www.gloucestershireccg.nhs.uk/about-us/

To contact us about any of the points in this notice refer to the ‘Contact Us’ page: http://www.gloucestershireccg.nhs.uk/about-us/contact-us/.

If you wish to contact the CCG Data Protection Officer then please e-mail GLCCG.enquiries@nhs.net

What is this page about?

This Privacy Notice (also known as a Fair Processing Notice) tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It covers information we collect directly from you or receive from other individuals or organisations.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to this email address: GLCCG.enquiries@nhs.net, or by post to:

Gloucestershire CCG
Sanger House
5220 Valiant Court
Gloucester Business Park
Brockworth
Gloucester
GL3 4FE

 

Reviews of and Changes to this page

We will keep our privacy notice under regular review. This privacy notice was last reviewed in July 2018.

 

Our Commitment to Data Privacy and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with data protection and privacy law including the General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018, the Human Rights Act 1998, the Health and Social Care (Safety and Quality) Act 2015, and the common law duty of confidentiality.

NHS Gloucestershire CCG is a Data Controller as defined in GDPR. We are legally responsible for ensuring that all personal information that we hold and use is done so in compliance with the law.

All data controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZA020869 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

 

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, the NHS Constitution  and the NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served on us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State for Health or the Health Research Authority (HRA) on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

In all circumstances we will only use the minimum amount of information necessary about you.

We will only keep information for as long as is necessary and in accordance with the retention periods set out in the Records Management Code of Practice for Health and Social Care.

When the retention period has expired and the information is no longer necessary for the stated purpose, the information will be destroyed.  Personal confidential data held on paper is securely destroyed by Shred-it Ltd.  Personal confidential data held electronically is securely destroyed by Countywide IT Services.

 

Overseas Transfers

Your information will not be sent outside the United Kingdom unless we are sure that your privacy will be protected in the same way as it would be in the UK. We will never sell any information about you.

 

Your Rights

GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access (see the Subject Access Request section below)
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.

You have the right at any time to object to the CCG sharing your personal information if you do not wish us to process or share your information.  If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.

 

Sharing Your Information – Objections and “opting out”

The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”.  There may be occasions when it is not possible to exercise your right to object or “Opt Out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

The right to object or opt-out includes for example:

A.    Information directly collected by the CCG:

Your choices can be exercised by objecting to the processing of information that identifies you, unless there is a lawful basis to continue processing, e.g. for safeguarding purposes.

B.    Information not directly collected by the CCG, but collected by organisations that provide NHS services:

  • Type 1 opt-out
    If you do not want personal confidential data that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used, except when it is required by law, such as a public health emergency like an outbreak of a pandemic disease.

    Patients are only able to register the opt-out at their GP practice.

    Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code applied to their medical records, which will stop those records from being shared outside of their GP Practice.

  • Type 2 opt-out
    NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.

    To support the NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care. This is known as a ‘Type 2 opt-out’.

    If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.

    Patients are only able to register the opt-out at their GP practice.

 

Further Information and Support about Type 2 opt-outs

For further information and support relating to Type 2 opt-outs please contact the NHS Digital contact centre at enquiries@nhsdigital.nhs.uk referencing ‘Type 2 opt-outs – Data requests’ in the subject line; or

Call NHS Digital on (0300) 303 5678; or

Visit the NHS Digital website.

 

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

 

The Right of Access – how to make a Subject Access Request

Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Give you a copy of the information

To make a request for any personal information we may hold about you please contact us by using the contact details provided at the end of this notice.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting us at the contact address at the end of this notice.

 

Confidentiality Advice and Support – Caldicott Guardian

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user information and enabling appropriate and lawful information-sharing.

The Caldicott Guardian for the CCG is Dr Marion Andrews-Evans.

 

Data Protection Officer

The CCG has a Data Protection Officer (DPO) responsible for monitoring compliance with our data protection obligations.  The DPO also acts as a contact point for the Information Commissioner, our employees and the public.

The DPO for Gloucestershire CCG is the Associate Director of Corporate Governance.

The contact address for the DPO is GLCCG.enquiries@nhs.net or see the ‘Contact Us’ section at the end of this notice.

 

Personal Information we collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • If you have made a complaint to us about healthcare that you have received and you have asked us to investigate it for you
  • If you ask us to provide funding for Continuing Healthcare services
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or Service User or Patient Participation Groups.

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:

 

TYPES OF INFORMATION and DESCRIPTION

  • Identifiable: This is data which contains details which can identify individuals such as name, address, telephone number, date of birth, postcode.
  • Pseudonymised: This is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique reference number (pseudonym), so that the ‘real world’ identity of the individual is not available to those working with the data.
  • Anonymised: This is data which does not identify individuals and where there is no risk that identification is likely to take place.
  • Aggregated: This is anonymised data which is grouped together so that it does not identify an individual.
  • Personal Data: This is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly.
  • Personal Confidential Data: This is personal information about identified or identifiable individuals which should be kept private or secret. The definition includes dead as well as living people and ‘confidential’ includes information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
  • Special Category Data: GDPR defines “special category data” as information about an individual’s: Racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; or sexual life.

 

Our use of your information

Although this is not an exhaustive detailed list, the following table gives key examples of the purposes and rationale for why we collect and process information:

 

ACTIVITY or PURPOSE

RATIONALE

 

Complaints

Rationale

We will process your personal information where it relates to a complaint where you have asked for our help or involvement.

 

The information we will require when you make a complaint will be:

  • Your name, address and contact telephone number and those of the person that you may be complaining for, including their date of birth and NHS Number
  • A summary of what has happened, giving dates where possible
  • Which organisation provided the care or service
  • A list of issues that you are complaining about
  • What you would like to happen as a result of your complaint

 

Legal Basis

The CCG has a duty as to the improvement in quality of services under Section 14R NHS Act 2006 and will rely on your explicit consent as the basis to undertake such activities.

 

Complaint Process

When we receive a complaint from an individual we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

 

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

 

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.  If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to process a complaint on an anonymous basis.

 

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

 

We may use service user stories, following upheld complaints, but the individual will remain anonymous. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Explicit consent will always be sought from the service user or carer or both before we use the service user story.

 

Benefits

Managing complaints enables the CCG to continuously improve the quality of the services we commission.

 

Retention Period

Information relating to complaints will be retained for 10 years after which time the information will be reviewed and if no longer necessary will be destroyed.

Individual Funding Request (IFR)

Rationale

We will collect and process your personal information where we are requested to fund a specific treatment or service for a condition that is not already covered in our contracts.

 

This is called an “Individual Funding Request” (IFR).

 

Legal Basis

The CCG has a duty to have regard to the need to reduce health inequalities in access to health services and health outcomes achieved as outlined in the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012 (SI 2012 No 2996) (Part 7-34 (1) and (2)).

 

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and will ask for your informed consent for personal clinical information to be shared with the CCG.

 

Benefits

The Individual Funding Request process allows the CCG to look at evidence for the safety and effectiveness of any treatment and ensures that the services we pay for will give patients the greatest health gains from the resources we have available.

Continuing Healthcare

Rationale

We will collect and process your identifiable information where you have asked us to undertake assessments for your continuing healthcare, which is a package of care that is arranged and funded solely by the NHS for individuals who are not in hospital but have been assessed as having a “primary health need”.

 

This is called “Continuing Health Care” (CHC)

 

Legal Basis

The CCG has a duty to have regard to the need to reduce health inequalities in access to health services and health outcomes achieved as outlined in the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012 (SI 2012 No 2996) (Part 6-20-22).

 

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and will ask for your informed consent for personal clinical information to be shared with the CCG.

 

Benefits

The CCG can arrange a care and support package that meets your assessed needs.  The CCG can determine how your needs and care will be managed, where your care will be given e.g. in your own home or in a care home and identify which organization will be responsible for meeting your needs.

 

Retention Period

Information relating to Continuing Healthcare will be retained for 8 years after which time the information will be reviewed and if no longer necessary will be destroyed.

 

Medicines Optimisation

Rationale

Medicines Optimisation is about ensuring that the right patients get the right choice of medicine at the right time. By focusing on patients and their experiences, the goal is to help patients to improve their outcomes, take their medicines correctly, avoid taking unnecessary medicines, reduce wastage of medicine and improve medicines safety. Ultimately medicines optimisation can help encourage patients to take ownership of their treatment.

 

To achieve the above we will process your personal data for the following purposes:

 

  i. To carry out direct patient-facing activities on behalf of or at the request of a GP or General Practice.
  ii. To undertake analysis using specific criteria to identify individual patients that may benefit from safer, more effective and/or more efficient medicinal regimes and approaches. This analysis may be carried out proactively or at the direct request of a General Practice and may lead to recommendations to the responsible clinician.
  iii. To carry out administrative purposes which are necessary to ensure that the right payments are made and staff are suitably trained to undertake the work safely and effectively.

 

Legal Basis

The CCG will rely on the below legal basis to process personal data for the purposes of medicines optimisation:

  • Health & Social Care Act 2012 (Section 251b) (duty to share)
  • NHS Act 2006 (Section 3a) (duty as to provision of certain services)
  • GDPR Articles 6(1)(e) and 9(2)(h)

 

Retention Period

The CCG will hold your information for a period of 5 years.  Before records are destroyed we will review information held and take into account any further retention periods which may oblige us to hold the information for a further period of time.

 

Benefits

The CCG can carry out Medicines Optimisation activities to ensure that patients receive prescribed items which are clinically effective and cost effective based on individual, local and national health population needs.  We can also benchmark and share best practice at a practice level, locally and nationally to further improve our patients’ experience of prescribed items and to the benefit of our local population.

 

Safeguarding

Rationale

Safeguarding means protecting people’s health, wellbeing and human rights, and enabling them to live free from harm, abuse and neglect. It is a key part of providing high-quality health and social care.  The CCG will participate in Serious Case Reviews undertaken by either the local Children’s Safeguarding Boards or the Adult Safeguarding Boards for continued learning, to minimize risk and to improve services.

 

Legal Basis

 

The CCG has a statutory responsibility under the Children Act 2004, Care Act 2014 and safeguarding provision within the Data Protection Act 2018 (Schedule 1, Part 2, Subsections 18 and 19) to ensure the safety of all children, and the safety of adults at risk of abuse and neglect.

 

Benefits

Safeguarding is a fundamental element of the CCG’s commissioning plans and forms a core part of the commissioning assurance process.

 

Retention Period

The CCG will hold information for a period of 8 years following the closure of a case. Before records are destroyed we will review information held and take into account any serious incident retentions which may require us to hold the information for a further period of time. Each case will be reviewed on an individual basis.

 

Risk stratification

 

Rationale

Risk stratification is a process that uses data from health care services to determine which people are at risk of experiencing certain outcomes, such as unplanned hospital admissions.

The risk stratification process

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnosis, patterns of hospital attendance and admission, and primary care data collected in GP practice systems.

The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

The CCG has commissioned Sollis Partnership Ltd to conduct risk stratification on behalf of itself and its GP practices in partnership with South Central and West Commissioning Support Unit (SCWCSU). There is a contract between the CCG and Sollis Partnership Ltd that requires Sollis to protect the security and confidentiality of the data.

This processing for risk stratification follows these steps:

  • The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and has signed an NHS Digital data sharing contract for the SUS (secondary use services) data. This data is provided via SCWCSU.
  • Your GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number for those patients who have not objected to Risk Stratification or for whom no Type 1 objection has been made. The data is sent securely to Sollis Partnership Ltd.
  • Within the secure system which is hosted on a SCWCSU platform, the Sollis risk stratification process automatically links and pseudonymises the identifiable data from GPs and NHS Digital.

Sollis analyse the data in pseudonymised form to produce a risk score for each patient.

The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal managed by Sollis.

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

 

Legal Basis

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, and this approval has been extended to October 2018. This gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes, which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

 

Benefits

CCGs and GPs use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions. Typically this is because patients have a long-term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

 

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

 

Invoice Validation

Rationale

The validation of invoices ensures that those who provide you with care and treatment can be paid the correct amount.

 

NHS Shared Business Services (SBS) process invoices on behalf of NHS Gloucestershire CCG. SBS do not require and should not receive any patient confidential data to provide their services. However, before payment can be made, the CCG needs to validate the invoice, i.e. ensure that the treatment and amount are correct. In order to do this, personal confidential data is submitted by the health care provider to an approved and controlled secure environment within the CCG. Only certain data can be submitted, and only when it is necessary for the validation process. The identifier used for invoice validation is NHS number, or the local provider ID (e.g. hospital number) if the NHS number is not known to the provider. We use this information to check that the relevant invoice is correct and ready to be paid by the CCG.

 

The CCG has a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

 

Legal basis

The use of personal confidential data by CCGs for invoice validation has been approved by the Secretary of State for Health through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to September 2018.

 

For more information see: https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/

 

Benefits

The invoice validation process supports the delivery of patient care by:

  • ensuring that service providers are paid for patients’ treatment
  • enabling services to be planned, commissioned, managed and subjected to financial control
  • enabling commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible
  • fulfilling commissioners’ duties of fiscal probity and scrutiny
  • enabling invoices to be challenged and disputed or discrepancies resolved

 

Patient and Public Involvement

Rationale

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

 

This is called ‘Patient and Public Involvement’

 

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

 

Legal Basis

Under the NHS Act 2006 Section 14Z2, the CCG has a duty, in relation to health services provided (or which are to be provided) under arrangements made by the CCG exercising its functions, to make arrangements so as to secure that individuals to whom the services are being (or may be) provided are involved at various specified stages.

 

We will rely on your explicit consent for this purpose.

 

Where you have agreed to participate in online surveys on our Citizen Space site, your information will be held for 6 months following the publication of survey results after which your information will be deleted.

 

Records Retention

Where you have provided us with your contact details for us to keep in touch, we will contact you periodically to ensure you are still happy for us to hold these details. If we do not hear back from you we will delete your information from our database.

 

Commissioning

Rationale

This includes wider NHS purposes beyond the provision of direct care and treatment to you, such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

 

Legal Basis

Under the Health & Social Care Act 2012 the CCG has a statutory legal basis for collecting and processing information for the purposes of commissioning.

 

Processing Activities

Hospitals and community organisations that provide NHS-funded care are legally and contractually obliged to submit certain information to NHS Digital about services provided to our service users.

 

This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.

 

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

 

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth.  Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

 

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.

 

We also receive similar information from GP Practices within our CCG membership that does not identify you.

 

Benefits

We use these datasets for a number of purposes such as:

  • Performance managing contracts;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice;
  • To audit NHS accounts and services.

 

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

 

Primary and Secondary Care

Rationale

We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS.

 

Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists.

 

Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care.

 

These organisations may share identifiable, pseudonymised, anonymised, aggregated and personal confidential data with us for the following purposes:

· To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases
· To undertake clinical audit of the quality of services provided
· To carry out risk profiling to identify patients who would benefit from proactive intervention
· To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
· To report and investigate complaints, claims and untoward incidents
· To prepare statistics on our performance for the Department of Health
· To review our care to make sure that it is of the highest standard

 

Legal Basis

The Health & Social Care Act 2012 allows us to collect your information, which will only be accessed by a limited number of authorised staff and not disclosed to other organisations.  We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.

 

Benefits

Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

 

Cabinet Office

Rationale

The Cabinet Office is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.  Computerised data matching allows potentially fraudulent claims and payments to be identified.  Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

 

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

 

Legal Basis

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under GDPR.

 

Data matching by the Cabinet Office is subject to a Code of Practice.

 

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information:

https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative

 

For other organisations to provide support services for us

The CCG will use other organisations to provide us with support services. These organisations will process information on our behalf. These organisations are known as “data processors” and will provide additional expertise to support our work.

 

Legal Basis

We are committed to ensuring that a legal basis is identified for all flows of personal identifiable data to external organisations.

 

The CCG ensures that this is supported by use of an NHS Standard Contract which is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care.  The NHS Standard Contract covers:

 

· confidential information of all parties
· patient confidentiality, data protection, freedom of information and transparency

 

In addition a Data Sharing Framework Contract (DSFC) and Data Sharing Agreement (DSA) are in place with NHS Digital for the release of patient level data and Service Level Agreements are in place with NHS South Central and West Commissioning Support Unit (SCWCSU) for the services they provide.

Below is a summary of the data processors and the function they carry out on our behalf:

SCWCSU – for Commissioning Intelligence analysis which adds value to the analysis of data that does not directly identify individuals; for processing Freedom of Information requests; and for processing Subject Access Requests.  A Service Level Agreement is in place between the CCG and SCWCSU for this purpose.

NHS Litigation Authority – for Claims Management (we rely on your consent).

NHS Shared Business Service – for Invoice Validation (see above)

Sollis Partnership Ltd  – for Risk Stratification (see above)

Legal basis

These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.

 

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 (16/CAG/0056) of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Research

Data may be collected for the purpose of research.

 

Research can be undertaken using information that does not identify you (anonymised). The law does not require your consent to be obtained in this case but information should be made available to you where your anonymised data is used for the purposes of research. Information can be made available either in waiting rooms, using information leaflets, published on notice boards, waiting room screens and/or an organisation's website.

 

Where identifiable data is needed for research, you may be approached by an organisation that has provided you with care and asked if you wish to participate in a research study. Where identifiable data is required, an organisation must obtain explicit consent. A member of the research team will discuss the research study with you and will provide you with information on what the study is about, what information they wish to collect, how to opt out and who to contact for more information.

 

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

 

Legal Basis

Your explicit consent will be obtained as the legal basis to process identifiable information for research purposes.

 

Benefits

Results from research studies can provide a direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

 

Retention Period

Retention periods will be included in the research study Information Leaflet related to each study.

 

Data Linkage

Data may be de-identified and linked by organisations so that it can be used to improve health care and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation.  This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E).  In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies, district nursing, podiatry etc.  When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

 

Data Retention

The CCG will manage its business records in line with its Records Management Policy, which sets out roles and responsibilities for records management and the key operating principles for record keeping across the business. Records are also managed in line with the Records Management NHS Code for Practice for Health and Social Care, which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.

The CCG's records shall not be retained indefinitely. At the end of the retention period, records shall be disposed of. In most cases this will mean controlled destruction; a small percentage of records may be archived, meaning that they will be retained indefinitely under the Public Records Act.

 

Information Governance

Information Governance is to do with the way organisations process or handle information. It covers personal information relating to patients, service users, employees, and corporate information (financial and accounting records).

The organisations that we do business with are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.  All organisations are required to complete a Department of Health Information Governance Toolkit which draws together the legal rules and central guidance and presents them in a single standard set of information governance requirements which covers management structures and responsibilities, confidentiality, data protection and information security. All organisations contracted to provide health care services are required to achieve a Level 2 score which demonstrates that organisations can be trusted to maintain the confidentiality and security of personal information and in turn increases public confidence that the NHS and its partners can be trusted with personal data.

Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found at the links below:

The NHS Care Record Guarantee:

This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

http://systems.digital.nhs.uk/rasmartcards/documents/crg.pdf

The NHS Constitution:

The Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.

https://www.gov.uk/government/publications/the-nhs-constitution-for-england

To share or not to share? Information Governance Review:

This was an independent review of information about service users shared across the health and care system led by Dame Fiona Caldicott and was published in 2013.

https://www.gov.uk/government/publications/the-information-governance-review

Review of data security, consent and opt-outs:

A further review by Dame Fiona Caldicott published in 2016.

https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs

NHS Digital:

NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.

Information Commissioner’s Office (ICO):

The ICO is the Regulator for the Data Protection Act 1998 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

http://www.ico.org.uk

Health Research Authority:

The HRA protects and promotes the interests of patients and the public in health and social care research.

http://www.hra.nhs.uk

 

Contact us

Post:

Gloucestershire CCG
Sanger House
5220 Valiant Court
Gloucester Business Park
Brockworth
Gloucester
GL3 4FE

Tel: 0300 421 1500
Email:  GLCCG.enquiries@nhs.net

 

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office:

Information Commissioner Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF.

Phone: 08456 30 60 60 or 01625 54 57 45
Website: www.ico.gov.uk