Fair Processing Notice

How we use your information / Privacy Notice

Who we are

Sandwell and West Birmingham Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services.  We need to use information about you to enable us to do this effectively, efficiently and safely.

http://sandwellandwestbhamccg.nhs.u/about-us

How we use your information

This Privacy Notice tells you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.  It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing arrangements that may be in place.

It covers information we collect directly from you or collect indirectly from other individuals or organisations for the CCG’s registered population.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Contact Details can be found here.

This Privacy Notice applies to all information held by the CCG relating to individuals, whether you are a patient, service user or a member of staff.

Reviews of and Changes to our Privacy Notice

We will keep our privacy notice under regular review. This privacy notice was last reviewed in September 2016.

Types of Information we collect and hold about you

We need to use information in various forms about you and will only use the minimum amount of information necessary for the purpose.  Where possible, we will use information that does not identify you.

Definitions

The CCG processes several different types of information:

  1. Identifiable – containing details that identify individuals.  The following are data items that are considered identifiable:  name, address, NHS Number, full postcode, date of birth
  2. Pseudonymised – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
  3. Anonymised – about individuals but with identifying details removed
  4. Aggregated – statistical information about several individuals that has been combined to show general trends or values without identifying individuals within the data.

Our records may be held on paper or in a computer system.

While we have made this Privacy Notice as easy to read and understand as we can, it uses some legal concepts and terms which may require further explanation.  These are explained here.

Legal obligations to collect and use information

In the circumstances where we are required to use personal identifiable information we will only do this if:

  • The information is necessary for your direct healthcare
  • We have received explicit consent from you to use your information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation)
  • We have permission to do so from the Secretary of State for Health to use certain confidential patient identifiable information when it is necessary for our work
  • Emergency Planning reasons such as for protecting the health and safety of others  

Primary and Secondary Care Data 

The NHS provides a wide range of services which involve the collection and use of information.  Different care settings are considered as either ‘primary care’ or ‘secondary care’.  Primary care settings include GP practices, pharmacists, dentists and some specialised services, including military health services.  Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Throughout this Privacy Notice you will see reference to an organisation called NHS Digital who are the national provider of information, data and IT systems for commissioners (such as the CCG), analysts and clinicians in health and social care.  NHS Digital provide information based on identifiable information passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information.  The way in which NHS Digital collect and use your information can be found here.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998.   The various laws and rules about using and sharing confidential information, with which the CCG will comply, are available in “A guide to confidentiality in health and social care” which is published on the NHS Digital website.

Sandwell and West Birmingham CCG is a Data Controller under the terms of the Data Protection Act 1998.  We are legally responsible for ensuring that all personal confidential data that we collect and use (i.e. hold, obtain, record, use or share) about you is handled in compliance with the 8 Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZA022957 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All identifiable information that we hold about you will be held securely and confidentially.  We use administrative and technical controls to do this.  We use strict controls to ensure that only authorised staff are able to see information that identifies you.  Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.  All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulation and standards through the Information Governance Toolkit, which shows our current level of compliance as ‘satisfactory’, providing assurance to you of how we protect your information.  The individual requirements we must provide evidence for can be found here.  Further information regarding Information Governance and the Information Governance Toolkit can be found here.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.  All staff are trained to ensure they understand how to recognise and report an incident ensuring that the organisation’s procedure for investigating, managing and learning lessons from incidents.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.  The CCG’s Records Management Policies include guidance around the secure destruction of information in line with the Code of Practice.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Confidentiality Advice and Support 

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing.  Further information about the role of the Caldicott Guardian can be found in Further Definitions and Terms used in Privacy Notice

Your Rights  

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any identifiable information we hold about you (see Subject Access Requests).

You have the right to privacy and to expect the NHS to keep your information confidential and secure. 

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. 

If we do hold identifiable information about you, you can ask us to correct any mistakes by contacting us at the contact address further below.

You have the right to refuse/withdraw consent to information sharing at any time.  The possible consequences can be fully explained to you and could include delays in receiving care. Details of the national opt-out programme can be found here.

We have provided details of information collected and used for specific purposes with information on how to withdraw consent specific to each purpose and details of the possible impact this may have on you if you are to opt-out. 

These are commitments set out in the NHS Constitution, for further information please visit 

https://www.gov.uk/government/publications/the-nhs-constitution-for-england

Complaints 

The CCG try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. Contact details for complaints to either ourselves or the ICO can be found at the end of this notice.

Details of information collected and used for specific purposes

Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information.  For each purpose we have provided information for you on the purpose, including benefits to you as a patient;  the type of information used (see definition above);  the legal basis identified for the collection and use of information;  how we collect and use the information required;  data processing activities – listing any third parties we may use for each purpose and information on how to opt out of your information being used for each purpose.

What is the patient opt-out?

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered". If you do not wish your confidential information to be used for anything except your direct health care you are able to ‘opt-out’. As your data may be used in a variety of ways and for a variety of purposes, you are able to opt out of some of these but remain ‘in’ for others, e.g. you may not wish a sub-set of your data to be used for clinical audit purposes, but may wish your anonymised data to be used for research purposes, so you would not opt out of this. You can discuss this with your GP Practice who will explain the different options you have.

There may be occasions when it is not possible to exercise your right to “opt out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.  

There are several forms of opt-outs available at different levels. These include, for example:

A. Information directly collected by the CCG: 

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation, for example because pseudonymised information only is being used.

Where you have provided identifiable information directly to a ‘CCG Care Service’ e.g. Mental Health services… we will ensure that you are provided with full information about how your data will be used to provide the service and you will be asked for explicit consent where it is planned to share your identifiable information with other organisations and for other purposes.

B. Information not directly collected by the CCG, but collected by organisations that provide NHS services

Type 1 opt-out

GPs are required by law to provide patient confidential data to NHS Digital, which has responsibility for collecting data from across the health and social care system from a range of organisations where you may receive care, such as hospitals and community services.  Strict controls are used to ensure that all data is held securely and confidentially and only available to authorised staff who have a statutory or other legitimate reason for viewing the data. All required steps have been taken to ensure the safe, secure and confidential transfer of this information.

If you do not want personal confidential data to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice. 

Type 2 opt-out

Patients within England are able to opt out of their identifiable information being shared by NHS Digital for purposes other than their own direct care.  This is known as the 'Type 2 opt-out'.

Further details of the circumstances under which NHS Digital may share out identifiable information can be found under their Privacy Notice - http://digital.nhs.uk/patientconf

Patients are only able to register the opt-out at their GP practice. 

Further Information and Support about Type 2 opt-outs

For further information and support relating to type 2 opt-outs the following options are available:

1. visit the website http://www.hscic.gov.uk/article/7092/Information-on-type-2-opt-outs

2. contact the NHS Digital contact centre by email, referencing 'Type 2 opt-outs - Data requests' in the subject line; or

3. call NHS Digital on (0300) 303 5678; or 

Subject Access Requests

You can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • Give you a description of it; 
  • Tell you why we are holding it; 
  • Tell you who it could be disclosed to; and 
  • Let you have a copy of the information in an intelligible form. 

To make a request for any personal information we may hold, you need to put the request in writing to our contact address provided further below.

Further Definitions and Terms used in Privacy Notice:

Data Protection Act 1998 (DPA)

The Act of Parliament which regulates the processing of information relating to living individuals, including the collecting, holding, use, and sharing (disclosure) of such information.  Sandwell and West Birmingham CCG as a Data Controller is required to ensure the principles of the DPA are adhered to ensuring we are legally compliant in the way we collect and use your information.

Data Controller

A person (individual or organisation) who determines the purposes for which and the manner in which your identifiable information will be collected and used.  Data Controllers must ensure that any collection and use of identifiable information complies with the principles of the Data Protection Act 1998.  For health and social care organisations the Data Controller will be the organisation holding your information.  Providing a complete, factually correct and easy to read Privacy Notice is just one of the requirements of a Data Controller.  Sandwell and West Birmingham CCG is the Data Controller unless otherwise stated in this Privacy Notice.

Data Processor

Any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.  Data Processors are not directly subject to the Data Protection Act 1998 but the Information Commissioner, who is statutorily responsible for ensuring organisations comply with the Act, recommends that organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing with a written contract in place.  Please see hyperlink for further information about the controls we ensure are in place before making agreements with any data processors and a list of data processors contracted by Sandwell and West Birmingham CCG in our capacity as Data Controller.  There is further information detailing the use of data processors in the section informing you of the details of information collected and used for specific purposes.

Consent

Consent describes the informed agreement for something to happen after consideration by you.  For consent to be legally valid, you must be informed, must have the capacity to make the decision in question and must give consent voluntarily.  In the context of consent to share information, this means you should know and understand how your information is to be used and shared (there should be ‘no surprises’) and you should understand the implications of your decision, particularly where your refusal to allow information to be shared is likely to affect the care you receive.  This applies to both explicit and implicit consent.

Explicit Consent

Explicit consent is unmistakeable.  It can be given in writing or verbally, or conveyed through another form of communication such as signing.  You may have the capacity to give consent, but may not be able to write or speak.  Explicit consent is required when sharing information with staff who are not part of the team caring for you.  It may also be required for a use other than that for which the information was originally collected, or when sharing is not related to your direct health and social care.

Implied Consent

Implied consent is applicable only within the context of direct care of individuals.  It refers to instances where your consent can be implied without having to make any positive action, such as giving your verbal agreement for a specific aspect of sharing information to proceed.  Examples of the use of implied consent would include where a referral is being made by a GP to a community or hospital service: we would consider your consent as implied when discussing the referral with you.  Another example would be within the hospital setting where there are ward handovers: the consent to share your identifiable information in this situation is required for your care and you would not expect to be asked to provide explicit consent at each ward handover.

Confidentiality

Within the NHS and in social care organisations the term Personal Confidential Data is used to describe identifiable information which you have provided in confidence, for example, in discussion with your GP or hospital specialist.  This information should be kept private or secure.  For the purposes of this Privacy Notice ‘identifiable information’ includes the Data Protection Act 1998 definition of personal data, but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive information’ as defined in the Data Protection Act 1998.

Caldicott Guardian

A senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing.  Each NHS organisation is required to have a Caldicott Guardian which was mandated for the NHS in 1999.

Information Governance Toolkit

An online system which allows NHS and social care organisations to assess themselves or be assessed against Information Governance policies and standards.  It also allows members of the public to view participating organisations’ IG Toolkit assessments.  You can access the HSCIC IG Toolkit page here.

Information Governance

The set of multi-disciplinary structure, policies, procedures, processes and controls implemented to manage information at a senior level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

Sharing information - with external health and social care organisations

In 2012 a new Health and Social Care Act was introduced which ensures that all health and social organisations involved in your care are working collaboratively to ensure you receive the best possible care with the services available through different organisations.  To achieve this we are required to ensure that where you are receiving services from different health and social care organisations the relevant information is shared, securely and in a timely fashion.

Information Sharing Agreements and contracts will be in place ensuring these arrangements meet both the requirements of the Health and Social Care Act 2012 and the Data Protection Act 1998 ensuring that your confidentiality and rights are not breached.  The CCG is actively working with health and social care partners to ensure that where you receive a referral, for example for community services, the relevant information that service require to offer you a full service is available.  We are also working with the hospitals who provide services to our population to ensure that if you find yourself in an emergency situation, relevant and potentially lifesaving information from your GP record will be available showing any latest tests and any allergies you may suffer from which the hospital clinicians will need to know.  

Whenever a new arrangement to share information externally is put in place, both with health and social care organisations and with third party suppliers, we will ensure that a legal basis has been identified using a tool called a Privacy Impact Assessment, which will highlight any risks to your information which we will ensure are resolved before any sharing takes place.

Sharing information - with external third party suppliers

We will also, in the course of our business, engage with third party suppliers who will process your information on our behalf.  The CCG will work with these partner organisations to ensure that appropriate Data Processing and contracts are in place setting out the security standards and legal obligations required to be met to protect your information.  Only the minimum information necessary for the purpose will be shared and only where pseudonymised / anonymised data cannot be used.  Further information regarding the external organisations we work with can be found in the section ‘Details of information collected and used for specific purposes’.  You will find the Data Processors that the CCG uses listed here.

Whenever a new arrangement to share information externally is put in place, both with health and social care organisations and with third party suppliers, we will ensure that a legal basis has been identified using a tool called a Privacy Impact Assessment, which will highlight any risks to your information which we will ensure are resolved before any sharing takes place.

Details of information collected and used for specific purposes

Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information.  For each purpose we have provided information for you on the purpose, including benefits to you as a patient;  the type of information used (see ‘Definitions’);  the legal basis identified for the collection and use of information;  how we collect and use the information required;  data processing activities – listing any third parties we may use for each purpose and information on how to opt out of your information being used for each purpose.

  • Complaints
  • Funding Treatments
  • Continuing Healthcare
  • Safeguarding
  • Risk Stratification
  • Patient and Public Involvement
  • National Registries
  • Research
  • Serious Incident Reports
  • Clinical audit

COMPLAINTS

Purpose

A complaint may relate to a service which the CCG is directly responsible for providing or it may relate to a service which we have commissioned for the patients who we are responsible for, for example hospital services.  The CCG require this information in order to manage and help to resolve complaints which is then used to prevent such complaints arising in future.

Type of Information Used

Identifiable

Legal Basis

Explicit consent

How We Collect and Use Information in relation to Complaints

When the CCG Time2Talk team receive a complaint from a person we make up a file containing the details of the complaint which will contain the identity of the complainant and any other individuals involved.

The CCG will only use the identifiable information we collect to process the complaint and to check the level of service we provide.

The CCG usually have to disclose the complainant’s identity to whoever the complaint is about.  This is inevitable where, for example, the accuracy of a person’s record is in dispute.

The CCG will publish service user stories, following upheld complaints, anonymously via our governing body.  The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied.  Consent will always be sought from the service user and carer or both before we publish the service user story.

Opt out details 

If you do not want information identifying you to be disclosed we will try to respect that.  However, it may not be possible to handle a complaint on an anonymous basis.

FUNDING TREATMENTS

Purpose

To fund specific treatment for you for a particular condition that is not covered in our contracts.  This may be called an ‘Individual Funding Request (IFR)’ which provides you with the payments required to receive specialist treatment.

Type of Information Used

Identifiable – to make payments

Anonymous – to provide reports for analysis of payments made

Legal Basis

Explicit Consent to use identifiable information to make payments

How We Collect and Use Information in relation to Funding Treatments

Information required to make payments in relation to Funding Treatments is provided by you, along with relevant information from primary and secondary care with regard to the referral for specialist treatment.

Data Processing Activities 

Opt out details

Payments will not be able to be made if you choose not to provide identifiable information.  Alternative arrangements will need to be considered.

CONTINUING HEALTHCARE

Purpose

To undertake assessments where you have asked us to undertake assessments for Continuing Healthcare – a package of care for those with complex medical needs.  We use your information in order to be able to make the appropriate arrangements for resulting care packages.

Type of Information Used

Identifiable

Legal Basis

Explicit Consent

How We Collect and Use Information in relation to Continuing Healthcare

The assessment team will collect, use, share and securely store information from / with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.

Data Processing Activities 

The CCG has engaged the services of NHS Arden and Greater East Midlands Commissioning Support Unit to provide this service on the CCG’s behalf.

Opt out details

A Continuing Healthcare Assessment will not be able to be carried out if you choose not to provide identifiable information.  Alternative arrangements will need to be considered.

SAFEGUARDING

Purpose

To assess and evaluate any safeguarding concerns to ensure all patients / service users are effectively protected

Type of Information Used

Identifiable

Legal Basis

Legal requirement to use and share information relating to Safeguarding concerns with Safeguarding Boards and Multi-Agency Safeguarding Hubs where all members sign confidentiality agreements.  

How We Collect and Use Information in relation to Safeguarding 

The CCG may receive information relating to Safeguarding concerns from yourself directly or relatives or through notification of concerns from other Health and Social Care organisations.  All Health and Social Care professionals have a legal requirement to share information with appropriate agencies where Safeguarding concerns about children or adults have been received.  Where it is appropriate to do so the sharing organisations will keep you informed of when information is required to be shared to provide you with assurance regarding the security of that sharing and the benefit to you or the person you are raising Safeguarding concerns about. Access to this information is strictly controlled and where there is a requirement to share information, e.g. with police or social services, all information will be transferred safely and securely ensuring that only those with a requirement to know of any concerns are appropriately informed.

Opt out details

We have a legal requirement to provide information where there are Safeguarding concerns due to public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults.

RISK STRATIFICATION 

Purpose

Risk stratification is a process for identifying and caring for patients with long term health conditions and patients who are at high risk of emergency hospital admission.  NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions, such as chronic obstructive pulmonary disease (COPD) and diabetes, to help prevent hospital admissions that could have been avoided.  As well as helping GP Practices to provide Direct Care support, risk stratification is used by the CCG to support planning and commissioning, for example, understanding the numbers of patients in the region who require services to support COPD will enable us to commission the right services to better manage periods of ill health and to improve the quality of the services we are able to offer you.  

Type of Information Used

Different types of data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from GP Practices and NHS Digital to a Risk Stratification supplier (see below, Data Processing Activities)

Aggregated – the CCG can only receive this information in a format which cannot identify you.

Pseudonymised – GPs are provided with pseudonymised data for risk stratification planning purposes; however, where a direct care impact is identified on a patient through the process the GP will be able to re-identify the patient concerned.

Legal Basis

The use of identifiable data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval).  Further information on Section 251 can be obtained by clicking here.  The reference number for the risk stratification approval is CAG7-04(a)/2013.  This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but the CCG staff will only be able to see information in a format that does not reveal your identity.

How We Collect and Use Information in relation to Risk Stratification 

Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission as well as data collected in GP practices. 

NHS Digital provides information, identifiable by your NHS Number only, about hospital attendances.  GP Practices provide information from GP records, also identifiable by your NHS Number only.  Both sets of information are sent via secure transfer to the risk stratification system, where they are immediately pseudonymised and linked to each other.  The risk stratification system uses a formula to analyse the pseudonymised data to produce a risk score.  These risk scores are available to the GP practice you are registered with, where authorised staff who are responsible for providing direct care for you are able to see these scores in a format that identifies you.  This will help the clinical team make better decisions about your future care; for example, you may be invited in for a review, or if they think you may benefit from a referral to a new service, they will discuss this with you.  The CCG is provided with reports containing aggregate information, which do not identify you, to ensure we are commissioning and planning for these services as required by the population we serve.

Data Processing Activities 

On behalf of its GP Practices, the CCG has entered into a contract with Midlands and Lancashire CSU as their Risk Stratification Supplier to produce the analysis as above.

In addition, the CCG, on behalf of the Modality group of GP Practices, uses Optum for Risk Stratification analysis processing purposes.

Opt out details

Type 1 and Type 2 opt-outs apply.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Additional information is also available from the NHS England website: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

INVOICE VALIDATION

Purpose

Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may commission a service where the payment is all or partly based on the providers ensuring the service user has a healthy outcome. We need to ensure that we are paying the right amount of money for the right services to the right people. 

These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) to ensure that the right amount of money is paid, by the right organisation, for the treatment provided.  

A small amount of information that could identify an individual is used within this secure area (such as NHS number or date of birth and postcode).  The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people.  The process is designed to protect confidentiality.  

Type of Information Used

Identifiable - within the Controlled Environment for Finance, for invoice validation.

Pseudonymised, anonymised or aggregated - within the CCG, for commissioning purposes such as financial planning, management and contract monitoring.

Legal Basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables the Arden and GEM CSU CEfF (see below) to process identifiable information without consent for the purposes of invoice validation within a Controlled Environment for Finance – CAG 7-07(a)(b)(c)/2013.  

How We Collect and Use Information in relation to Invoice Validation

Organisations that provide treatment submit their invoices to the CCG for payment.  The secure area (Controlled Environment for Finance, provided by AGEM CSU) receives additional information, including the NHS Number, or occasionally the date of birth and postcode, from the organisation that provided treatment.

NHS Digital sends information into the secure area, including the NHS number and details of the treatment received.  The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoices.  The invoices will be paid when the validation is completed.

The CCG does not receive any identifiable information for the purposes of Invoice Validation; however, we will receive reports to help us manage our finances.

Data Processing Activities 

The CCG uses the services of the Arden and GEM CSU Controlled Environment for Finance and has a contract in place with them.  Only authorised staff are able to access this information.

Opt out details

Type 2 opt-out applies.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Additional information is also available from the NHS England website: https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/

PATIENT AND PUBLIC INVOLVEMENT

Purpose

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and use information which you share with us.  Where you submit your details to us for involvement purposes, we will only use your information for this purpose.

Type of Information Used

Identifiable

Legal Basis

Explicit Consent 

How We Collect and Use Information in relation to Patient and Public Involvement

We will be collecting and using your information to enable us to keep you informed of any news, consultation activities or patient participation groups.

Data Processing Activities 

The CCG uses the services of the Arden and GEM CSU Engagement, Communications and Marketing Team to help carry out this work.

Opt out details

You can opt out at any time by contacting us.

COMMISSIONING

Purpose

Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve.  This information is known as commissioning datasets.  The CCG obtains these datasets from NHS Digital which relate to patients registered with our GP practices.  This enables us to plan, design, purchase and pay for the best possible care available for you.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from Primary and Secondary Care Services to NHS Digital

Aggregated – the CCG can only receive this information in aggregated format which does not identify individuals

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables the use of the pseudonymised information by the organisations who submitted the information whose patients the dataset relates to.

There is no requirement for a legal basis for use of the aggregated information which is available to the CCG as this does not identify individuals.

How We Collect and Use Information in relation to Commissioning

The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you.  Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

We also receive similar information from the GP Practices within our CCG membership that also does not identify you. 

We use these datasets for a number of purposes such as:

  • Performance managing contracts;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice;
  • To audit NHS accounts and services.

Opt out details

Type 1 and Type 2 opt-outs apply.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by NHS Digital is available on their website http://www.hscic.gov.uk/patientconf

NATIONAL REGISTRIES

Purpose

National Registries are used in the NHS to provide support to particular groups of patients to ensure they are receiving the care and support they require, for example, the Learning Disabilities Register.  NHS Digital is responsible for the information collected and used in the Registers and will ensure your information is kept securely and confidentially.

Type of Information Used

Identifiable and pseudonymised – dependent on purpose.

Legal Basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables NHS Digital to process identifiable information without consent for the purposes of approved National Registries.

How We Collect and Use Information in relation to National Registries

The GP Practices within our CCG membership provide this information to NHS Digital using a secure transfer method.

Opt out details

Type 1 and Type 2 opt-outs apply.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

RESEARCH

Purpose

Research can provide direct benefit to patients who take part in medical trials and indirect benefits to the population as a whole.

Your information can be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Type of Information Used

Identifiable and anonymised – dependent on the purpose.

Legal Basis

Where identifiable information is being used, your explicit consent will be gained.  Where gaining consent from all patients is not appropriate, e.g. for large-scale, nationwide projects, a Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, is required.  The approval ensures that the appropriate security processes are in place to protect your information and that only the minimum information is used for the purpose specified.  Research activities using anonymised information do not require your consent.

How We Collect and Use Information in relation to Research

Where identifiable information is needed for research, you will be approached by the organisation where the treatment was received, to see if you wish to participate in the particular research study.  You will be provided with information about the research and the way in which your identifiable information will be used and kept safe and secure before being asked to provide explicit consent to take part.  Where a Section 251 approval has been granted you will be informed of the project and will be able to make a decision as to whether you wish to opt out.  Information related to research projects will be kept safe and secure with access limited to authorised research team members only.

Opt out details

Where consent is required to take part in a research project you will also be provided with details by the organisation holding your records on how to opt out at any time.

Where s251 approval has been granted you can request that your identifiable information is not included.  The Register of current s251 approval across England and Wales can be found here:

The organisation holding your records will provide notices on their premises and websites about any research projects being undertaken which will provide opt out details.

Your GP practice can apply a code which will stop your identifiable information being used for this purpose.

SERIOUS INCIDENT REPORTS

Purpose

The CCG collects and uses information from Serious Incident Reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately with lessons learnt.

Type of Information Used

Identifiable

Legal Basis

Explicit consent

How We Collect and Use Information in relation to Serious Incident Reports

We are statutorily required to fully investigate and review incidents.  Where there is a requirement to provide incident reports externally the information will be anonymised unless there is a legal requirement to provide your details.  You will be kept informed of the requirements we are required to meet and asked for consent where information is to be shared externally.

Opt out details

If you do not want information identifying you to be disclosed we will try to respect that.  However, it may not be possible to fully investigate serious incidents on an anonymous basis.  If the incident involved a breach of law or regulations there may be a legal duty to provide identifiable information.  You will be fully informed of this throughout the process.

CLINICAL AUDIT

Purpose

Effective clinical audit can provide direct benefit to you as a patient and to the population the CCG serves to ensure that the services we plan and commission offer high quality and effective care.

Type of Information Used

Identifiable – where clinical audit is undertaken by the GP practice with which you are registered.  The GPs and clinicians involved in your Direct Care are said to have a ‘legitimate relationship’ with you and any outcomes will directly improve patients’ health and wellbeing.

Anonymous – where clinical audit is being undertaken by GPs and health professionals with whom you do not have a ‘legitimate relationship’.

Legal Basis

For clinical audit undertaken by the GPs and clinicians directly involved in your care we will rely on implied consent to collect and use your information where the outcomes cannot be achieved using anonymous information.

Where clinical audit is undertaken by GPs and health professionals with whom you do not have a ‘legitimate relationship’, your explicit consent will be required where identifiable information is being used, or another statutory basis identified.

Using anonymous data for the purposes of clinical audit does not require a legal basis.

How We Collect and Use Information in relation to clinical audits

Information required for clinical audit will be collected from your records held by the organisation where you have received treatment.  Authorised healthcare professionals will review the records held ensuring that only the minimum information required for the purpose is used.  Where consent is required to use identifiable information you will be contacted by the organisation who has provided your treatment.

Opt out details

Where you have provided explicit consent to take part in a clinical audit you can opt out at any time by contacting the organisation who provided your treatment.

Your GP practice can apply a code which will stop your identifiable information being used for this purpose.

DATA PROCESSORS

Below are details of our data processors and the function that they carry out on our behalf:

  • Arden&GEM CSU – Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, Continuing Healthcare, Individual Funding Requests, Medicines Optimisation
  • Iron Mountain – Archiving of Records
  • CW Audit – Internal Audit related purposes
  • NHSLA – Claims Management
  • Shred-it – The CCG’s Confidential Waste Disposal Company
  • University Hospitals – Staff Payroll
  • Midlands and Lancashire CSU – Business Intelligence, IT, HR

Arden&GEM CSU as well as the Midlands and Lancashire CSU are NHS England approved Data Services for Commissioning Regional Office (DSCRO). They provide a secure and compliant data processing function of health and social care data sets. This type of processing is to support commissioning, planning, risk stratification, patient care and paying and validating invoices. The output data from this process will be anonymised or pseudonymised. The CCG does not receive any personal identifiable information from this service.

These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.  Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do.  Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.  Other NHS organisations, such as Arden&GEM CSU, can act as Data Processors; the same legal rules and conditions apply, with contracts and agreements required to be in place.

Contact Details

If you have any questions or concerns regarding how we use your information, please contact us at:

Post:  

Time2Talk,
Sandwell and West Birmingham CCG,
Kingston House, High Street,
West Bromwich,
B70 9LD

The contact details of our Caldicott Guardian are as follows:

Dr Samar Mukherjee, SWB CCG Caldicott Guardian

http://sandwellandwestbhamccg.nhs.uk/our-governing-body

For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner
Wycliffe House, Water Lane, 
Wilmslow, 
Cheshire, SK9 5AF. 

Phone: 08456 30 60 60 or 01625 54 57 45 

Website: www.ico.gov.uk

Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in: