Fair Processing and Privacy Notice


This notice tells you about the type of information (including personal information) that NHS Greater Huddersfield Clinical Commissioning Group holds, how that information might be used, who we may share that information with, and how we keep it secure and confidential.

This privacy statement only covers the NHS Greater Huddersfield Clinical Commissioning Group and does not cover any other organisations or organisations that can be linked to from this site.

Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.

The Caldicott Information Governance Review interpreted ‘personal’ as including the Data Protection Act definition of personal data, and also included data relating to the deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.

The CCG has a duty to ensure that this personal confidential data is kept confidential, secure and used appropriately.


NHS Greater Huddersfield Clinical Commissioning Group (hereafter referred to as “the CCG”) is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012.

Clinical Commissioning Groups are overseen by NHS England. All GP practices now belong to a CCG, and together they are responsible for commissioning most health and care services for the local community, for example hospital services, nursing in the community and mental health services.

The CCG also manages the performance of services that it commissions to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about those services.

As a Clinical Commissioning Group we have many other functions, but these do not generally need data that may identify a person.

For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual does not come under the Data Protection Act 1998.

There are different types of information collected and used across the NHS. We use six types of information/data:

  1. Anonymised data, which is data about you but from which you cannot be personally identified;
  2. De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;
  3. De-identified data with a weak pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times when you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;
  4. Anonymised information (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment;
  5. Personal data from which you can be personally identified; and
  6. Sensitive information/data about you from which you can be identified.

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose, which means you cannot be identified from that information. Examples of this include:

  • evaluation and review of services such as checking their quality and efficiency
  • checking NHS accounts and services
  • working out what illnesses people will have in the future so we can work with the local primary care services, community services and hospital services to ensure that patient needs are met
  • preparing performance reports about the services we commission
  • reviewing the care we commission to make sure it is of the highest standard.

As a Clinical Commissioning Group we have many other functions which do not generally need data that may identify a person.



For information that may identify you (known as personal confidential data) we would only use it in accordance with the:

  • Data Protection Act 1998 – this Act requires us to have a legal basis if we wish to process any personal information.
  • NHS Care Record Guarantee – sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made and investigating and managing inappropriate access (audit trails).
  • NHS Constitution for England – this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.
  • Caldicott Principles – sets out a number of general principles that health and social care organisations should use when reviewing their use of patient information. All staff are expected to follow these principles to ensure that information is protected and only shared in the best interests of their patients.

We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.

Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where we do hold and use personal information because of our assigned responsibilities. In order to process that information we will have met a legal requirement. In general this is where we have complied with one of the following:

  • The information is necessary for facilitating direct healthcare for patients
  • We have received consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
  • We have special permission for health purposes (granted by the Health Research Authority Section 251).
  • For the health and safety of others, for example to report an infectious disease such as meningitis or measles.

Circumstances where we might need to use personal information

The areas where we use personal information are:

  • Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS.
  • Continuing Healthcare Assessments (a package of care for those with complex medical needs)
  • Responding to your queries, concerns or complaints
  • Incident investigations
  • Assessment and evaluation of safeguarding concerns for individuals
  • If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations.

We keep your information in written form and / or on a computer securely and confidentially.

The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation.



Patient Related Information:

Your information may be used to help assess the needs of the general population both on a local and national level to help make informed decisions about the provision of future services. Information may be used to conduct health research and development, public health activities and to monitor NHS performance in order to allow the NHS to plan for the future.  Only anonymised or pseudonymised information will be used for this purpose.

Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode or date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.

Data may be linked and de-identified so that it can be used to improve health care and development and monitor NHS performance. For example, data on those who receive Home Care and District Nurses may be linked to understand how we might improve the patient’s experience. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

Risk Stratification

Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as type 2 diabetes. This is called risk stratification for case-finding.

The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.  The CCG does not have access to your personal data.  The information is pseudonymised.

Financial Validation

Where care is provided and the CCG is responsible for it, we will need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP Practice within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England.

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain within the Controlled Environment for Finance approved by NHS England.

The legal basis for data flows under Section 251 of the NHS Act 2006

The Secretary of State for Health gives limited permission for the CCG (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.

This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.

This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.

Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.

More information about Section 251 is available from the Health Research Authority web site.

Health and Social Care Analysis

The CCG have partnered with Kirklees Metropolitan Borough Council and Greater Huddersfield CCG in the use of a joint health and social care system designed to analyse health and social care data.  This enables us to effectively improve local health and social care services, by identifying whether the health and social care initiatives and solutions we commission are having the desired effect.  This is done by tracking health and social care outcomes.  Outcomes for example might be reduced numbers of admissions to hospital and associated reduced costs, admission to a care home and increased A&E attendances.  The data processed in the system has been pseudonymised, and the analysts using the system within the CCGs and the Council do not have access to service user identifiable information.


Job Applications, Current and Former Employees

When individuals apply to work at NHS Greater Huddersfield CCG, we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference we will not do so without informing them beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment with us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with NHS Greater Huddersfield CCG has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.


Register of Interests and Register of Gifts and Hospitality

All CCG staff, Governing Body and committee members must declare any conflicts of interest. This is usually a personal interest, where someone is connected to an individual who works within the NHS or an associated organisation, or it may be a professional interest in another organisation that could conflict with the CCG. Our staff, Governing Body and committee members must also declare any gifts and hospitality.

To make sure we have absolute clarity on any conflicts of interest and gifts and hospitality, we publish our registers which list relevant members by name along with their current position in the CCG and details of the conflict of interest, gift or hospitality.

In exceptional circumstances, where the public disclosure of information could give rise to a real risk of harm or is prohibited by law, an individual’s name and/or other information may be redacted from the publicly available register(s).  Decisions not to publish information are made by the Conflicts of Interest Guardian for the CCG.


Workforce Minimum Data Set

Under the Health and Social Care Act 2012 NHS Greater Huddersfield CCG provides individual level employee information to the workforce Minimum Data Set for primary care and secondary care. This data is collected to enable a detailed understanding of the current workforce, its shape, size, skills, competencies and experience. Having this information supports the wider NHS to identify future workforce requirements to ensure we can meet patients’ needs now and in the future.

In order to ensure accuracy and reduce duplication some identifying information is required at the start of this process. However, this identifying information is removed from the dataset following the initial automated process so that no one processing the database can identify an individual. The information collected will be analysed and used for workforce planning, accountability, Parliamentary Questions, Freedom of Information requests, and supplied in aggregated reports to GP Practices, Health Education England, Local Education Training Boards, Clinical Commissioning Groups and NHS England.

More information about the workforce Minimum Data Set and its uses is available from the Department of Health and Health Education England.


National Fraud Initiative

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of staff and supplier data to the Minister for the Cabinet Office for matching for each exercise. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. For further information regarding National Fraud Initiative’s data matching at NHS Greater Huddersfield CCG please contact: Fraud Specialist Liz O’Reilly, 01924 816098 liz.oreilly@nhs.net

If you are a member of staff and you would like to access the information the CCG holds about you then you can do this by submitting a subject access request in writing to the Governance & Corporate Manager.


The law provides some NHS bodies, particularly the NHS Digital Health (formerly Health and Social Care Information Centre), with ways of collecting and using patient data that cannot identify individuals. This helps Commissioners such as the CCG to design and procure the combination of services that best suit the population they serve.

Data may be linked and de-identified by these special bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

From time to time the CCG may collect information about you in order to perform its duties or answer queries, enquiries or complaints you have raised and it applies to:

  • Visitors to our website
  • Complainants and other individuals.
  • People who use the CCG’s services.
  • Staff of the CCG


When someone visits the CCG’s website, www.greaterhuddersfieldccg.nhs.uk, information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in a way that does not identify people who have visited our website. From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.

By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.


We work with a number of other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We contract with other organisations to provide a range of services to us such as invoice validation, business intelligence, IT services, Human Resources and Payroll and other support services. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.

We ensure that the external data processors that support us are legally and contractually bound to operate, and to prove that they have in place, security arrangements where data that could or does identify a person is processed.

Current external data processors:

  • North of England Commissioning Support (NECS) – who process information in support of risk stratification. NECS process primary care data (identifiable at the level of NHS number) on behalf of the CCG and GPs and link this data with Secondary Uses Service data for the purpose of risk stratification. The output data from this process will be pseudonymised before sharing with the CCG and will be identifiable at the level of NHS Number for GPs to support re-identification for direct care interventions.   The CCG does not receive any personal identifiable information from this service.
  • eMBED Health Consortium – who process information in support of commissioning and planning services.   The output data from this process will be anonymised or pseudonymised before sharing with the CCG. The CCG does not receive any personal identifiable information from this service.
  • Calderdale & Huddersfield NHS Foundation Trust provide IT Services, Human Resources, payroll and learning development services to the CCG; they will process personal information linked to the above services on behalf of the CCG.

Information may also be required to be shared for your benefit with other non-NHS organisations from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation such as:

  • There is a risk of harm to someone or the wider community
  • The prevention or detection of a serious crime
  • Where we are required to do so by law
  • Reporting some infectious diseases.

The CCG is party to a number of information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to social services, education services, local authorities, police, and public health.

At any time, you have the right to refuse / withdraw consent to information sharing. Please contact the Governance & Corporate Manager on the details provided in the ‘Contact Us’ section at the bottom of the page.

In the event that we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.



At any time you have the right to refuse/withdraw consent to information held about you by the CCG being shared with other organisations. You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis. Sometimes there may be exceptional circumstances or an overriding legal obligation to share information about you, such as where there is a risk of harm to someone.

If you wish to exercise your right to withdraw consent to information held about you by the CCG being shared, or speak to someone at the CCG who can help explain what impact this may have for you such as delays in receiving care, please contact us at the following address:

Governance and Corporate Manager

NHS Greater Huddersfield Clinical Commissioning Group, Bradley Business Park, Dyson Wood Way, Bradley, Huddersfield, HD2 1GZ

Telephone: (01484) 464000 Email: ContactUs@greaterhuddersfieldccg.nhs.uk



All our staff contracts include strict conditions about handling personal information and confidentiality and each individual gets training so that they understand what they should and should not do. Staff members who need to use personal data regularly as part of the job get extra training.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption, and ensuring information is transferred safely and securely. The CCG does not transfer personal confidential information overseas.

The Data Protection Act

Under the Data Protection Act 1998 the CCG is required to register with the Information Commissioner’s Office, detailing all purposes for which personal identifiable data is collected, held and processed.

The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The CCG will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and we are allowed or required to by law.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data. The NHS Greater Huddersfield Clinical Commissioning Group’s registration number is Z3621177.

View the CCG’s Notification online: http://www.ico.org.uk/esdwebpages/search

Caldicott Guardian

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. Angela Monaghan, Governing Body member is Caldicott Guardian for NHS Greater Huddersfield CCG. You can contact the CCG’s Caldicott Guardian by writing to:

Caldicott Guardian

NHS Greater Huddersfield Clinical Commissioning Group, Bradley Business Park, Dyson Wood Way, Bradley, Huddersfield, HD2 1GZ

Telephone: (01484) 464000 Email: ContactUs@greaterhuddersfieldccg.nhs.uk



We will only retain information for as long as necessary. Records are maintained in line with the NHS Records Management Code of Practice retention schedule which determines the length of time records should be kept.

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care which determines the length of time records should be kept.

NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so have been determined and received from the Data Controller. Where data has been identified for disposal:

  • Information held in manual form is destroyed using a cross cut shredder or is subcontracted to a reputable confidential waste company that complies with European Standard EN15713.
  • Electronic storage media used to hold or process information is destroyed or overwritten to current industry best practice standards.
  • Copies of all relevant certificates of secure destruction of information are retained.

How can you gain access to information held about you at the CCG?

You have the right to see, or have a copy of, data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data but you may be charged a fee. If we do hold any information about you we will:

  • Give you a description of that information
  • Tell you why we are holding it
  • Tell you who it could be disclosed to
  • Let you have a copy

The NHS Care Record Guarantee states that you can be provided with audit trail information of those staff who have accessed your record.

If you want to access your data you must make the request in writing. As noted above, the CCG holds limited health information about you where it can use this for direct care purposes. You may also need to contact the NHS organisation(s) where you are being, or have been treated.

You should also be aware that in certain circumstances, your right to see some details in your health records may be limited in your own interest or for other reasons.

To make a request to NHS Greater Huddersfield CCG for any personal information we may hold, you will need to put the request in writing and send it to Governance & Corporate Manager at the address detailed in the ‘contact us’ section.

Further information on Subject Access Requests can be found via the Information Commissioner’s Office (ICO): https://ico.org.uk/for-the-public/personal-information/

Health and social care information is used in a number of ways to support your personal care and to improve health and social care services for everyone.

When you attend a health or social care provider in England the clinicians and administrators you see will record information about your care. You can decide with your clinician on how your data will be used for your direct care.

There are choices you can make about how information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care.

At any time you have the right to refuse/withdraw consent to information sharing. You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-out

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital (formerly known as Health and Social Care Information Centre) is the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care. NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.

A direction from the Secretary of State set out the Department of Health policy as to how type 2 opt-outs must be applied and instructed NHS Digital to apply type 2 opt-outs from 29 April 2016.

NHS Digital collect information about your type 2 opt out from your GP Practice and then create a record of all current type 2 opt outs to check against any set of data that is to be made available by NHS Digital to another organisation. They remove all of your personal confidential information if it is in that data set, before that data are made available.

The direction from the Secretary of State set out the scope of when your type 2 opt-out does not apply such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

For more information on how NHS Digital collect and use opt-out information see Applying Type 2 Opt Outs.

For more information about personal healthcare records and how to access them see NHS Choices.

If you wish to exercise your right to withdraw consent / opt-out, or to speak to somebody to understand what impact this may have, if any, please contact your GP Practice.





If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.


If you have any questions about the information we hold about you or how we use it, you can get in touch with us using the details provided below.

If you believe the CCG has not complied with the Data Protection Act 1998 in the way we have processed your personal information, you have the right to make a complaint by writing to the Governance and Corporate Manager at the following address:

NHS Greater Huddersfield Clinical Commissioning Group, Bradley Business Park, Dyson Wood Way, Bradley, Huddersfield, HD2 1GZ

Telephone: (01484) 464000 Email: ContactUs@greaterhuddersfieldccg.nhs.uk

In order to investigate your complaint we will need to process the information you provide us with along with other information we may already hold about you which is relevant to your complaint. If as part of investigating your complaint we need to share some information about you with a health or social care provider, we will ask for your permission to do so.

The record of your complaint will be retained in line with the Records Management Code of Practice for Health and Social Care.

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Phone: 08456 30 60 60 or 01625 54 57 45 Website: www.ico.gov.uk