Fair Processing Notice – Data Protection Act 1998
Your Information and how we use it
Who we are
As a commissioning organisation, our purpose is not to provide care and so we do not routinely hold or receive information about patients and service users in a format from which they can be identified.
The CCG has various roles and responsibilities, but a major part of our work involves making sure that:
- contracts are in place with local health service providers;
- routine and emergency NHS services are available to patients;
- those services provide high quality care and value for money; and
- those services are paid for the care and treatment they have provided.
This is called “commissioning” and is explained in more detail on our website at http://www.lancashirenorthccg.nhs.uk/about-us/
Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.
The following information explains why we use information, who we share it with, how we protect your confidentiality and your legal rights and choices.
We are committed to protecting your rights to confidentiality
We want patients to understand:
- How the CCG uses and shares information
- How GPs use and share your information
- Your health record, what it contains and how you can access it
- When you can choose to opt-out of your personal information being collected or shared and what this will mean to you
Why we collect information about you
Information about your health and care held in your health records is confidential and not routinely shared with the CCG for direct health care purposes. However, there may be times when we need to hold and use certain information about you, for example:
- Individual Funding Requests — a process where patients and their GPs or Consultants can request treatments not routinely funded by the NHS
- Assessments for continuing healthcare (a package of care for those with complex medical needs)
- The management of referrals from GP Practice to another care provider
- Responding to your queries, concerns or complaints
- Assessment and evaluation of safeguarding concerns for individuals
- Incident investigations
This may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.
We may also hold identifiable information, at the level of NHS number, or use de-identified or anonymised information for non-direct health care purposes such as:
- determining the general health needs of the population
- ensuring that our services meet future patient needs
- teaching and training healthcare professionals
- investigating complaints, legal claims, etc.
- conducting health research and development
- preparing statistics on NHS performance
- auditing NHS accounts and services
- paying your health care provider
Access to identifiable information is strictly controlled, and it is used only when absolutely necessary. The CCG currently pseudonymises this information for non-direct health care purposes.
In the circumstances where we are required to hold or receive personal information we will only do this if:
- The information is necessary for the direct healthcare of patients
- We have received explicit consent from individuals to be able to use their information for a specific purpose
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation)
- We have permission from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care.
The Health and Social Care Information Centre (HSCIC) has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.
Invoice validation is an important process. It involves using your NHS number to check that we are the CCG that is responsible for paying for your treatment.
Lancashire North CCG is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables us to process patient identifiable information without consent for the purposes of invoice validation – CAG 7–07(a)(b)(c)/2013.
We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.
Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as type 2 diabetes. This is called risk stratification for case-finding.
The CCG also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.
Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by the HSCIC from NHS hospitals and community care services. This is sometimes linked to data collected in GP practices and analysed to produce a risk score.
GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. HSCIC or other health care provider, the GP will ask for your permission to access the details of that information.
How we use information provided by the Health and Social Care Information Centre (HSCIC)
We use information collected by the HSCIC from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund.
The data we receive does not include patients’ names or home addresses, but it may include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.
The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.
In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to the HSCIC that we will not use information in any way that would reveal your identity. These terms and conditions can be found on the HSCIC website.
How GP Practices use information about your health and care
Your GP keeps information about your health and the care and treatment you receive in your health record. This information is used by your doctor, nurse and other healthcare professionals to assess your health and, together with you, decide the appropriate care for you.
With your agreement, your GP may refer you to other services such as community care, Out of Hours or hospital. Your GP will share information about you only with the healthcare professionals involved in providing your care. Other services and health care providers will normally tell your GP surgery about the treatment they provide you and your GP or nurse will include this in your record. Further details can be found below in the section on Sharing & Consent.
You have the right to see information your GP practice holds about you. They may charge for this. Please ask them about this.
It may also be necessary to share your information with non-NHS services or health providers but only in accordance with the rights of the individual and statutory obligations or by law.
How we keep your records confidential
Everyone working for the NHS is required to comply with the Data Protection Act 1998 or, in circumstances when this is not applicable, is subject to the Common Law Duty of Confidence. Information provided to us in confidence will only be used for the purposes stated and where you have given your consent, unless there are other circumstances covered by the law.
Under the Data Protection Act 1998, all of our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Any decisions you make about how we can use information we hold about you will be recorded along with that information.
We also take relevant organisational and technical measures to ensure the information we hold is secure.
Other NHS organisations with whom we share your Personal Information
We may share your information with other NHS services who are involved in your direct care, such as Hospital and Community Trusts, General Practitioners (GPs) or Ambulance Services.
We may need to share your information with other commissioning organisations to allow us to effectively support the purpose for which you have provided the information, for example to manage a complaint or investigation.
Some of the services outlined above in the section “Why we collect information about you” are provided by Midlands and Lancashire Commissioning Support Unit, acting as a data processor on behalf of the CCG.
We also contract with other organisations to provide a range of services to us such as data analysis, Human Resource and IT services. In these instances we ensure that our partner agencies handle our information under strict conditions and in line with the law.
Information Sharing with Non-NHS Organisations
For your benefit, we may also need to share information we hold about you with other non-NHS organisations from which you are also receiving care, such as Social Services. However, we will not disclose any information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always seek consent prior to any information being shared. If you choose not to consent to this when asked, then that decision will be recorded and upheld.
Your rights under the Data Protection Act
Patients and service users, as data subjects, have a number of rights under the Data Protection Act, including a general right of access to personal data (electronic or paper) held about them.
Right of Access
You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf. A parent or guardian, a patient representative, or a person appointed by the Court may also apply. If you wish to access your personal data, then please write to:
Lancashire North Clinical Commissioning Group
Moor Lane Mills
Tel No. 01524 519333
In order to fulfil our responsibilities under the Act, you may be asked to provide proof of your identity, and any further information required to locate the record you have requested.
Objections and “opting out”
At any time you have the right to refuse/withdraw consent, in full or in part, to information sharing. The possible consequences will be fully explained to you to allow you to make an informed decision.
You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. These commitments are set out in the NHS Constitution.
If you do not want your personal information to be shared and used for purposes other than your care and treatment, then you should contact the GP Practice you are registered with and ask for further information about how to register your objections. This should not affect the care and treatment you receive. See the section on Patient Control of Information for further details.
Patient control of information
You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care.
There are two choices available to you:
- You can object to information about you leaving a GP Practice in an identifiable form for purposes other than your direct care, which means confidential information about you will not be shared with the CCG, the Health and Social Care Information Centre (HSCIC) or other organisation for any non-direct care purpose. This is referred to as a ‘type 1’ objection.
- In addition, you can object to information about you leaving the HSCIC in identifiable form, which means confidential information about you will not be sent to anyone outside the HSCIC. This is referred to as a ‘type 2’ objection.
Information from other places where you receive care, such as hospitals and community services is collected nationally by the Health and Social Care Information Centre.
If you do not want information that identifies you to be shared outside your GP practice, please speak to a member of staff at your GP practice to ask how to “opt-out”.
The Practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or public health emergency.
If you do not want your personal confidential information to be shared outside of the HSCIC for purposes other than your direct care, you can register a type 2 opt-out with your GP practice.
Patients are only able to register the opt-out at their GP practice.
For further information and support relating to type 2 opt-outs please contact the HSCIC contact centre at firstname.lastname@example.org referencing ‘Type 2 opt-outs — Data requests’ in the subject line; or
Alternatively, call the HSCIC on (0300) 303 5678; or
Alternatively visit the website http://www.hscic.gov.uk/article/7092/Information-on-type-2-opt-outs.
In both cases, it is still necessary for the HSCIC to hold information about you in order to ensure data is managed in accordance with your expressed wishes. Please see “Patient Objections Management” on the HSCIC website for further information.
Further information about your right to opt-out from the NHS Care.data programme will be posted here shortly when it is available from NHS England.
If you have questions about this, please speak to staff at your GP practice, check the HSCIC frequently asked questions, or call their dedicated patient information line on 0300 456 3531.
Withholding information about you
Information may be withheld if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld.
Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.
Correcting inaccurate information
We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you.
If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention.
If you would like to know more about how we use your information, or if (for any reason) you do not wish to have your information used in any of the ways described above, please contact:
Lancashire North Clinical Commissioning Group
Moor Lane Mills
Tel No. 01524 519333
For independent advice about data protection, privacy and data-sharing issues, you can contact:
The Information Commissioner
Phone: 08456 30 60 60 or 01625 54 57 45
Data Protection Statement
Lancashire North CCG is a ‘Data Controller’ under the Data Protection Act 1998. This means we are legally responsible for ensuring that all personal data that we hold and use is handled in a way that meets the data protection principles. We must also tell the Information Commissioner about all of our data processing activity. Our registration number is ZA001559 and our registered entry can be found on the Information Commissioner’s website.
All of our staff receive training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. A limited number of authorised staff have access to personal data where it is appropriate to their role.
We have entered into contracts with other organisations to provide services for us. These organisations include:
- Midlands and Lancashire Commissioning Support Unit – Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, HR
- North East Commissioning Support Unit – collaborative working
- Mersey Internal Audit – Internal audit related purposes
- Blackpool Teaching Hospitals NHS Foundation Trust – Staff Payroll
- University Hospitals of Morecambe Bay NHS Foundation Trust – IT Provider
This includes holding and processing data including patient information on our behalf. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.
We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the Data Protection Act (Principle 8).