Fair Processing Notice


Who we are

South Warwickshire Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services.  We need to use information about you to enable us to do this effectively, efficiently and safely.

How we use your information

This Fair Processing Notice tells you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.  It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing arrangements that may be in place.

It covers information we collect directly from you or collect indirectly from other individuals or organisations for the CCG’s registered population.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Contact details are available on these pages.

This Fair Processing Notice applies to all information held by the CCG relating to individuals, whether you are a patient, service user or a member of staff.

Reviews of and Changes to our Fair Processing Notice

We will keep our Fair Processing Notice under regular review at our Information Governance Steering Group Meeting.  

Types of Information we collect and hold about you

We need to use information in various forms about you and will only use the minimum amount of information necessary for the purpose.  Where possible, we will use information that does not identify you.


The CCG processes several different types of information:

1.    Identifiable – containing details that identify individuals.  The following are data items that are considered identifiable:  name, address, NHS Number, full postcode, date of birth;

2.    Pseudonymised information – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity;

3.    Anonymised – about individuals but with identifying details removed;

4.    Aggregated – statistical information about several individuals that has been combined to show general trends or values without identifying individuals within the data.

Our records may be held on paper or in a computer system.

While we have made this Fair Processing Notice as easy to read and understand as we can, it uses some legal concepts and terms which may require further explanation. These are explained on the further definitions and terms page.

Legal obligations to collect and use information

In the circumstances where we are required to use personal identifiable information we will only do this if:

·           The information is necessary for your direct healthcare;

·           There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime;

·           There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation);

·           We have permission from the Secretary of State for Health to use certain confidential patient identifiable information when it is necessary for our work;

·           The information is needed for Emergency Planning reasons, such as protecting the health and safety of others;

·           The information is necessary for equality and diversity.


Primary and Secondary Care Data

The NHS provides a wide range of services which involve the collection and use of information.  Different care settings are considered as either ‘primary care’ or ‘secondary care’.  Primary care settings include GP practices, pharmacists, dentists and some specialised services, including military health services.  Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Throughout this Fair Processing Notice you will see reference to an organisation called NHS Digital who are the national provider of information, data and IT systems for commissioners (such as the CCG), analysts and clinicians in health and social care.  NHS Digital provide information based on identifiable information passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information.  The way in which NHS Digital collect and use your information can be found here.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. The various laws and rules about using and sharing confidential information, with which the CCG will comply, are available in “A guide to confidentiality in health and social care” which is published on the NHS Digital website.

South Warwickshire CCG is a Data Controller under the terms of the Data Protection Act 2018. We are legally responsible for ensuring that all personal confidential data that we collect and use about you (i.e. hold, obtain, record, use or share) is handled in compliance with the 7 Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3611807 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All identifiable information that we hold about you will be held securely and confidentially.  We use administrative and technical controls to do this.  We use strict controls to ensure that only authorised staff are able to see information that identifies you.  Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.  All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulation and standards through the Information Governance Toolkit, which shows our current level of compliance as ‘satisfactory’, providing assurance to you of how we protect your information.  The individual requirements we must provide evidence for can be found here. Further information regarding Information Governance and the Information Governance Toolkit can be found on the definitions and terms page.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.  All staff are trained to ensure they understand how to recognise and report an incident ensuring that the organisation’s procedure for investigating, managing and learning lessons from incidents.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.  The CCG’s Records Management Policy includes guidance around the secure destruction of information in line with the Code of Practice.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you. 

Confidentiality Advice and Support

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing.  Further information about the role of the Caldicott Guardian can be found on our definitions page.

Your Rights 

You have the following eight rights as a “data subject”:

1.    The right to be informed: You can ask an organisation what kind of information they have about you and what they process that information for.

2.    The right of access: You can make a Subject Access Request (SAR) to view or receive a copy of the data that an organisation has about you.

3.    The right to rectification: You can ask an organisation to correct the details the organisation has about you.

4.    The right to erasure: Also called the “right to be forgotten”. You can ask an organisation to delete or destroy your data. See the section below “Data Retention and Data Erasure”.

5.    The right to restrict processing: You can ask an organisation to put your data “on hold”.

6.    The right to data portability: You can ask to receive your data from an organisation in order to transfer it to another organisation. Good examples include gym memberships and mobile phone contacts.

7.    The right to object: You can tell an organisation that you object to receiving direct marketing communications.

8.    Rights in relation to automated decision making and profiling: You can ask an organisation for a person to review a decision about you that was made through an automatic process. Good examples include loan applications and credit scoring.

What is the patient opt-out?

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered". If you do not wish your confidential information to be used for anything except your direct health care you are able to ‘opt-out’. As your data may be used in a variety of ways and for a variety of purposes, you are able to opt-out of some of these but remain ‘in’ for others, e.g. you may not wish a sub-set of your data to be used for clinical audit purposes, but may wish your anonymised data to be used for research purposes, so you would not opt-out of this. You can discuss this with your GP Practice who will explain the different options you have.

There are several forms of opt-outs available at different levels. These include for example:

A. Information directly collected by the CCG.

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation, for example because pseudonymised information only is being used.

Where you have provided identifiable information directly to a ‘CCG Care Service’ e.g. Mental Health services… we will ensure that you are provided with full information about how your data will be used to provide the service and you will be asked for explicit consent where it is planned to share your identifiable information with other organisations and for other purposes.

B. Information not directly collected by the CCG, but collected by organisations that provide NHS services.

Opt-out and Medical Records Held at your GP practice

You can also tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a “type 1 opt-out”. This opt-out request can only be recorded by your GP surgery.

National Data Opt-Out Programme

NHS organisations and affiliated companies (e.g. university researchers, hospital researchers, medical royal colleges, pharmaceutical companies researching new treatments) sometimes use patient data for research and planning purposes, but not for marketing or insurance purposes.

Research includes:

·         preventing serious illnesses;

·         developing new treatments;

·         learning more about disease.

Planning includes:

·         planning NHS health services.

·         making services safer.

·         improving quality of care.

Most of the time, organisations use anonymous data. 

Patients can opt out of organisations using their data for research and planning purposes if the organisations use non-anonymous data. 

If you would like to opt out, you can either:

·         manage your choice online

·         call 0300 303 5678

·         complete a form and send it by post


Data Retention and Data Erasure

Commercial organisations have processes to erase a data subject’s record, such as removing customer information from various databases. 

NHS organisations, however, cannot simply remove records or remove information held on patients. For example, if a patient was treated for depression, this information cannot be removed, even if the patient requests this erasure. This is because the NHS manages information and records to provide high quality care. Providing health-related care means keeping an accurate clinical record and, at times, looking at the patient’s health (and treatments) over long periods of time.

The document Records Management Code of Practice for Health and Social Care 2016, with its comprehensive retention schedule, states the following about a patient’s record held at GP surgeries:

“It is important to note that the General Practitioner (GP) record, usually held at the General Practice, is the primary record of care and that the majority of other services must inform the GP through a discharge note or a clinical correspondence that the patient has received care. This record is to be retained for the life of the patient plus at least ten years after death. The GP record transfers with the individual as they change GP throughout their lifetime.” 

Other types of records are kept for different periods of time, for example:

·         Occupational health records, for example, are kept for 6 years after the staff member has left or until that person’s 75th birthday after they left – whichever is sooner.

·         Basic sexual health clinic records are kept for 8 years after the adult patient was discharged or last seen.

Special Allocation Scheme

Where patients are referred onto the Special Allocation Scheme, the CCG collects information about those patients from their referring GP practice. It also uses and shares this information with the Special Allocation Scheme GP Practice provider(s) and Primary Care Services England (PCSE), and in the case of a patient appealing their placement on the Special Allocation Scheme, with the referring GP Practice.


The CCG try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. Contact details for complaints to either ourselves or the ICO can be found on this website.

Details of information collected and used for specific purposes

Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information.  For each purpose we have provided information for you on the purpose, including benefits to you as a patient; the type of information used (see definition above); the legal basis identified for the collection and use of information; how we collect and use the information required; data processing activities – listing any third parties we may use for each purpose and information on how to opt out of your information being used for each purpose. 

·         Clinical audit

·         Commissioning

·         Complaints

·         Continuing Healthcare

·         Funding Treatments

·         Invoice Validation

·         National Registries

·         Patient and Public Involvement

·         Research

·         Risk Stratification

·         Safeguarding

·         Serious Incident Reports

·         Special Allocation Scheme


Role of the Data Protection Officer (DPO) 

The DPO is a natural, identifiable person that informs and advises the CCG and its data processors, monitors their compliance, and is a primary contact for data subjects and the Information Commissioner’s Office (ICO). The DPO works with staff in Information Governance. CCG staff consult the DPO when, for example, conducting a Data Protection Impact Assessment (DPIA) and when serious personal data breaches need to be reported to the ICO.

The DPO for the CCG is Judith Jordan, Arden & GEM Head of Integrated Governance. You can contact the DPO on agem.dpo@nhs.net or by calling 0121 611 0730.


© NHS South Warwickshire Clinical Commissioning Group
Westgate House, Market Street, Warwick CV34 4DE