Using your information (Privacy Notice)

 

Find out more about how we, NHS Gloucestershire Clinical Commissioning Group (CCG), use your information:

 


Looking for Joining Up Your Information (JUYI)?

For information about the county’s JUYI shared care record and fair processing notice please click here.

What is a Privacy Notice?

The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

 

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long they are kept, and the controller’s legal basis for processing.

 

We will keep our privacy notice under regular review. This privacy notice was last reviewed in October 2018.

What information do we collect about you?

NHS Gloucestershire Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.

 

For further information please refer to the ‘About Us’ page on our website: http://www.gloucestershireccg.nhs.uk/about-us/

 

We use the following types of information/data:

Categories of data:

  • Personal Data – This is any data relating to an identified or identifiable natural person who can be identified, directly or indirectly.
  • Special Categories of Personal Data – The GDPR defines “special categories of personal data” as information about an individual’s: racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual life; alleged criminal activity; or court proceedings.
  • Personal Confidential Data – As defined under the Caldicott Guardian Review, this is personal data about identified or identifiable individuals which should be kept private or secret. The definition includes dead as well as living people and ‘confidential’ includes information ‘given in confidence’ and ‘that which is owed a duty of confidence’.

Format of the data:

  • Aggregated – This is anonymised data which is grouped together so that it does not identify any individual.
  • Anonymised – This is data which does not identify you and where there is no risk that identification is likely to take place.
  • Identifiable – This is data which can identify a person such as their name, address, telephone number, date of birth, postcode.
  • Pseudonymised – This is data that has undergone a technical process that replaces identifiable information such as your NHS number, postcode, date of birth with a unique identifier, which obscures your ‘real world’ identity to those working with the data.

 

Our records may be held on paper or in a computer system.

 

CCGs commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We receive anonymised statistical information for the purpose of improving local services, research, audit and public health; for example understanding how health conditions spread across our local area compared against other areas.

 

Who we receive information from

  • NHS England
  • Other Clinical Commissioning Groups
  • Healthcare Providers
  • Patients and their families
  • Partners in connection with Employment of staff
  • Commissioning Support Units
  • Public Authorities or Public Bodies
  • NHS Shared Business Support (SBS)
  • NHS Digital
  • Our Data Processors
  • Members of the public

 

To contact us about any of the points in this notice refer to the ‘Contact Us’ page: http://www.gloucestershireccg.nhs.uk/about-us/contact-us/.

 

If you wish to contact the CCG Data Protection Officer then please e-mail GLCCG.enquiries@nhs.net

Why do we collect your information?

For the purposes of the Data Protection Act 2018, the Controller is NHS Gloucestershire Clinical Commissioning Group.

 

Our legal basis for processing personal data

Every use of personal data must be lawful and must comply with the Data Protection Act (2018)/GDPR and satisfy the common law duty of confidentiality.
NHS Gloucestershire Clinical Commissioning Group is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012, and we are regulated by The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012. As such our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the GDPR.

 

Under the GDPR, the legal basis for the majority of our processing is:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

For some activities we may ask for your consent and the legal basis is:

  • Article 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

 

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

  • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

 

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

 

Where we process special categories data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

 

Where we process special categories data for employment or safeguarding purposes the condition is:

  • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

 

We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

 

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

 

In ‘Why do we collect your information’ we set out the key ways in which we may process your personal data for the purposes of, or in connection with our statutory functions. If you want to know more about how we process your data please contact our Data Protection Officer: GLCCG.enquiries@nhs.net

What do we use your information for?

As a commissioner of health services, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

 

  • If you have made a complaint to us about healthcare that you have received and you have asked us to investigate it for you
  • If you ask us to provide funding for Continuing Healthcare services or submit an Individual Funding Request
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or Service User or Patient Participation Groups.

 

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

 

We may use your information for the following activities:

  • Complaints
  • Individual Funding Requests
  • Continuing Healthcare
  • Medicines Optimisation
  • Safeguarding
  • Risk Stratification
  • Invoice Validation
  • Patient and Public Involvement
  • Commissioning
  • Primary and Secondary Care

 

Full details of all activities can be found here

Who might we share your information with?

We only use information that may identify you in accordance with the Data Protection Legislation which requires us to process data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

 

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare and only between other professionals and clinicians, unless you have agreed otherwise.

 

We will ensure that a legal basis is identified for all flows of personal identifiable information to external organisations.

 

Everyone working for the NHS has a legal duty to keep information about you confidential under the NHS Confidentiality Code of Conduct. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

 

We sometimes ask other organisations to help us process and manage our information and the information we process on behalf of our Customers. Any third parties and external processors are legally and contractually bound to operate within security arrangements that are equivalent to those we have in place.

 

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

 

All organisations are required to complete a Department of Health Data Security and Protection Toolkit. The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

 

Who we receive information from

  • NHS England
  • Other Clinical Commissioning Groups
  • Healthcare Providers
  • Patients and their families
  • Partners in connection with Employment of staff
  • Commissioning Support Units
  • Public Authorities or Public Bodies
  • NHS Shared Business Support (SBS)
  • NHS Digital
  • Our Data Processors

 

If we receive a request for your information from another organisation, we will not share information that identifies you unless we have established a fair and lawful basis to do so such as:

  • For the provision of your individual care and you have not objected, or would not reasonably be expected to object;
  • You have given us your explicit consent to do so and we have explained the consequences of the sharing and you understand your rights;
  • We need to act to protect children and vulnerable adults;
  • When a formal court order has been served upon us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • We have been asked to do so by a Controller of the data we are processing on their behalf; this would require a written instruction;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals

 

SCW staff, payroll data and personal data such as contact details may be provided to bodies responsible for auditing, administering public funds or where undertaking a public function for the purposes of preventing and detecting fraud.

 

The National Fraud Initiative

 

NHS England is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

 

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.

 

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

 

For more information on this please visit the following page: NHS England National Fraud Initiative

 

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 (16/CAG/0056) of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Other organisations that provide support services for us (Data Processors)

The CCG will use other organisations to provide us with support services. These organisations will process information on our behalf and only on our instruction. These organisations are known as “data processors” and will provide additional expertise to support our work.

 

We will never sell any information about you.

 

We will ensure that a legal basis is identified for all flows of personal identifiable information to external organisations.

 

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

 

The CCG ensures that this is supported by use of an NHS Standard Contract which is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care. The NHS Standard Contract covers:

  • confidential information of all parties
  • patient confidentiality, data protection, freedom of information and transparency

 

A Data Processing Agreement will be put in place with each processor to detail the terms of the processing and the required security measures to protect the data.

 

In addition a Data Sharing Framework Contract (DSFC) and Data Sharing Agreement (DSA) are in place with NHS Digital for the release of patient level data and Service Level Agreements are in place with NHS South Central and West Commissioning Support Unit (SCWCSU) for the services they provide.

 

Below is a summary of our data processors and the function they carry out on our behalf:

  • South Central and West Commissioning Support Unit – for Commissioning Intelligence analysis which adds value to the analysis of data that does not directly identify individuals; for processing Freedom of Information requests; and for processing Subject Access Requests. A Service Level Agreement is in place between the CCG and SCWCSU for this purpose.
  • NHS Litigation Authority – for Claims Management (we rely on your consent).
  • NHS Shared Business Service – for Invoice Validation (see above)
  • Sollis Partnership Ltd – for Risk Stratification (see above)

What other information about you do we hold?

Your information may be de-identified and linked by organisations so that it can be used to improve health care and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies, district nursing, podiatry.

 

When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

How long do we keep your information?

All records held by the CCG will be kept for the duration specified by national guidance from NHS Digital, Records Management Code of Practice. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information is disposed of by approved and secure confidential waste procedures. Personal confidential data held on paper is securely destroyed by Shred-it Ltd. Personal confidential data held electronically is securely destroyed by Countywide IT Services.

 

A small percentage of records may become archived, meaning that they will be retained indefinitely under the Public Records Act.

Where is my information stored?

We ensure the information we process is held in secure locations. We restrict access to certain categories of information to authorised personnel only where they can demonstrate a clear need for access as part of their job role. We ensure that where we process information on equipment such as laptops or other types of equipment outside of our normal office environment, we protect it with encryption software (which masks data so that unauthorised users cannot see or make sense of it).

 

All of our staff, contractors and committee members receive appropriate and ongoing training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

 

In all circumstances we will only use the minimum amount of information necessary about you.

 

Overseas Transfers

 

Your information will not be sent outside the United Kingdom unless we are sure that your privacy will be protected in the same way as it would be in the UK.

What are your rights?

GDPR provides the following rights for individuals:

 

  • The right to be informed
  • The right of access (see the Subject Access Request section below)
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

 

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.

 

Object to the CCG using your personal data

 

You have the right at any time to object to the CCG sharing your personal information if you do not wish us to process or share your information. If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you. There may be a lawful basis to continue processing, e.g. for safeguarding purposes.

Request to have your personal data rectified

 

If we do hold information about you, you can ask us to correct any mistakes. You are entitled to have personal data rectified if it is inaccurate or incomplete.

The CCG must respond within 30 calendar days. However, we may extend this period up to 60 calendar days for complex requests. The CCG may refuse the request if it believes the information is accurate/complete or there is a legal basis to refuse and you will be notified of this. You have the right to complain to the Information Commissioner’s Office and to seek correction by order of a Court.

 

Request to have your personal data erased

This is more commonly known as the ‘right to be forgotten’. You may request to have your data erased where:

 

  • It no longer needs to be kept by the CCG (it has surpassed the minimum retention period)
  • You withdraw your previously given consent or object to the use of your data and there is no requirement for the Trust to retain the data
  • It has been used unlawfully
  • The CCG must comply with a legal obligation
  • You are under 16 and data has been stored electronically by the CCG at your request

 

The CCG may refuse your request (in full or part) where there is a legal basis to refuse and you will be notified of this.

 

Request a copy of your personal data held by the CCG

You are entitled to a free-of-charge copy of information that we hold about you. However, the CCG may charge a ‘reasonable fee’ for particularly bulky, complex or repetitive requests (for the same information) based on the administrative cost of providing the information.

The CCG must provide you with the requested information (where it is appropriate to provide) within 30 calendar days once it has sufficient details to be able to process the request. However, we may extend this period up to 90 calendar days or refuse to respond for bulky, complex or repetitive requests.

If we do hold information about you we will:

 

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Give you a copy of the information

 

How to make a request

To make a request for any personal information we may hold about you, or exercise any of your information rights, please contact us

Post:

Gloucestershire CCG

Sanger House

5220 Valiant Court

Gloucester Business Park

Brockworth

Gloucester

GL3 4FE

 

Telephone:

0300 421 1500

 

Email:

GLCCG.enquiries@nhs.net

How the CCG ensures information is used appropriately

We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with data protection and privacy law including the General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018, the Human Rights Act 1998, the Health and Social Care (Safety and Quality) Act 2015, and the common law duty of confidentiality.

 

NHS Gloucestershire CCG is a Data Controller as defined in GDPR. We are legally responsible for ensuring that all personal information that we hold and use is done so in compliance with the law.

 

The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes personal information to pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt. Our ICO Register number is ZA020869 and our entry can be found in the Data Protection Register of Fee Payers on the Information Commissioner’s Office website.

 

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, The NHS Constitution and The NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

 

Confidentiality Advice and Support – Caldicott Guardian

 

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user information and enabling appropriate and lawful information-sharing.

The Caldicott Guardian for the CCG is Dr Marion Andrews-Evans.

 

Data Protection Officer

 

The CCG has a Data Protection Officer (DPO) responsible for monitoring compliance with our data protection obligations. The DPO also acts as a contact point for the Information Commissioner, our employees and the public.

The DPO for Gloucestershire CCG is the Associate Director of Corporate Governance.

The contact address for the DPO is GLCCG.enquiries@nhs.net or see the ‘Contact Us’ section at the end of this notice.

How the NHS and care services use your information: Type 1 opt-out and the National Data Opt-Out

The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. There may be occasions when it is not possible to exercise your right to object or “Opt Out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

 

The right to object or opt-out includes information not directly collected by the CCG, but collected by organisations that provide NHS services:

 

  • Type 1 opt-out

If you do not want personal confidential data that identifies you to be shared outside your GP practice, for purposes beyond your individual care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used for anything except your care, except when it is required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register this opt-out at their GP practice. If you would like to opt-out or discuss further then please talk to your GP or the healthcare professional supporting you.

  • The national data opt-out

Whenever you use a health or care service, such as attending Accident and Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

 

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

 

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

 

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

 

To find out more or to register your choice to opt out, please visit Your NHS Data Matters

 

On this web page you will:

 

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

 

You can also find out more about how patient information is used at:

 

NHS Health Research Authority (which covers health and care research);

Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made)

 

You can change your mind about your choice at any time.

 

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

 

Health and care organisations have until 2020 to put systems and processes in place so they can apply your national data opt-out choice.

What to do if you have concerns about the use of your information

Complaints or questions

 

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

 

You can contact the CCG’s Data Protection Officer at: GLCCG.enquiries@nhs.net

 

Post:

Gloucestershire CCG

Sanger House

5220 Valiant Court

Gloucester Business Park

Brockworth

Gloucester

GL3 4FE

Tel: 0300 421 1500

Email: GLCCG.enquiries@nhs.net

 

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office:

 

Information Commissioner

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire,

SK9 5AF.

Tel: 08456 306060 or 01625 545745

Website: www.ico.gov.uk
