Fair processing notice

We need to use information about our patients and population to enable us to commission services which meet their needs. 

In undertaking our role HIOW ICB holds some information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this. Within the health sector, we follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare or where there are overriding public interest factors.  

The ICB has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian.  

The details of our Caldicott Guardian are as follows:

• Name: Sara Courtney
• Email: hiowicb-hsi.hsiow-caldicottguardian@nhs.net

They are supported by another senior member of staff who is responsible for information risk and information security, this person is called the Senior Information Risk Owner (SIRO).
The contact details of our SIRO are as follows:

• Name: Martin Sheldon
• Email: hiowicb-hsi.hsiow-siro@nhs.net

The above two roles are also supported by our Data Protection Officer (DPO).  The DPO is responsible for monitoring compliance with Data Protection legislations (GDPR & DPA 2018), Information Governance (IG) policies, providing advice and guidance, raising awareness, training and audits.  The DPO acts as a contact point for the Information Commissioner’s Office (ICO), employees and the public.  They co-operate with the ICO and will consult on any other matter relevant to Data Protection. 

The contact details of our DPO are as follows:

• Name: Rebecca Willis 
• Email: hiowicb-hsi.hsiow-dpo@nhs.net

HIOW ICB is a Data Controller and are registered with the ICO to collect data for a variety of purposes. Our registration number is: ZB370396 and a copy of the registration is available through the ICO website.

We do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example: 

Your name, address, your date of birth, contact details and your NHS number which in some circumstances we may use as your single identifying number with no other information about you attached. Your NHS number is present in all of your health records and therefore we are able to use that number to link information to you or about you without revealing any personal or confidential data, where we are lawfully allowed to do this. There are limited times where we will need to hold information about your health and treatment and these are set out below.

We use the following types of information/data:

• Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
• Special Categories of Personal Data – this term describes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  
• Confidential Patient Information – this term describes information or data relating to their health and other matters disclosed to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence.  Including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. As described in the Confidentiality: NHS code of Practice: Department of Health guidance on confidentiality 2003.
• Pseudonymised - The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity.
• Anonymised – Data in a form that does not identify individuals and where identification through its combination with other data is not likely to take place.
• Aggregated - Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

There are some limited exceptions where we may hold and use sensitive personal information about you (also referred to as special category data). For example, the ICB is required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information include:

• assessments for continuing healthcare and appeals
• responding to your queries, compliments or concerns
• assessment and evaluation of safeguarding concerns
• where there is a provision permitting the use of sensitive personal information under specific conditions, for example to:

1. understand the local population needs in order to plan and commission services
2. ensure that the ICB is billed accurately for the treatment of its patients, which is known as “invoice validation”
    

We use pseudonymised, anonymised and aggregated data to plan health care services. Specifically, we use it to:

• check the quality and value for money of the health services we commission
• prepare performance reports on the services we commission
• work out what illnesses people may have in the future, so we can plan and prioritise new or changed services to ensure that these services will meet the needs of our population in the future

We commission NHS funded health services for you from a number of organisations, both within and outside the NHS (see Appendix A of the full Fair Processing Notice document for details). We may also share anonymised statistical information for the purpose of improving local services, for example understanding how our populations health and how the services provided compare with similar services in other geographical areas e.g. to share good practice. We do not share information outside of the European Economic Area (EEA) without taking appropriate steps to safeguard that information.  

We would not share information that identifies you unless we have a fair and lawful basis such as:

• You have given us permission;
• We need to act to protect children and vulnerable adults;
• When a formal court order has been served upon us;
• When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
• We are complying with our legal obligations or public tasks;
• Where we are pursuing a legitimate interest;
• Emergency Planning reasons such as for protecting the health and safety of others;
• When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals

The law enables some NHS bodies, particularly NHS England, (formally NHS Digital) to collect and use anonymised patient data (e.g. that cannot identify a person) to support Commissioners to design and procure the combination of services that best suit the population they serve.

There are times where the ICB will need to share personal data with third parties, including but not limited to organisations such as the Police, the Care Quality Commission, the GMC or other professional regulators.  The ICB may also need to share information with its lawyers or others in the legal system where it relates to seeking legal advice or responding to claims.

Data may be anonymised and linked with other data so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care data from your Doctor (GP) with other data such as hospital inpatient stays, outpatient appointments and A&E attendances. This type of data is called secondary uses service (SUS) data.  In some cases, there may also be a need to link local datasets with other services such as radiology, physiotherapy, audiology, mental health and community-based clinics and services. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

We may also contract with other organisations to process data, some of which could identify a person. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and are required to prove that robust security arrangements are in place. 

A full list of details, including the legal basis and purposes for processing information can be found in Appendix A of our full Fair Processing Notice.

The NHS England Code of Practice on Confidential Information applies to all of our staff and anyone acting on behalf of the ICB. Each are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Each are expected to make sure information is kept confidential and undertake annual training on how to do this. This is monitored by the ICB and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which codes data so that unauthorised users cannot see or make sense of it). 
 

All records held by the ICB will be kept for the duration specified by national guidance from NHSX Records Management CoP Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures. We keep a record of retention schedules within our information asset registers, in line with the NHSX Records Management Code of Practice 2021.

The NHS Constitution states: ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit: The NHS Constitution 

Information not directly collected by the ICB but collected by organisations that provide NHS services.

These are known as Type 1 and national data opt-outs and are described below:

National data opt-out. The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs. 

Since 31 July 2022, all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS England has been applying national data opt-outs since 25 May 2018. Public Health England has been applying national data opt-outs since September 2018. 

The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS England not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out.  For more information go to National data opt out programme.

The use of personal confidential data by ICBs for invoice validation under approval reference (CAG 7-07)(a-c)/2013) has been recently extended to the end of September 2023 NHS England Invoice Validation and as part of that review, it has been agreed that NO opt out will be applied to invoice validation due to the importance of accurately allocating NHS resources and the lack of evidence of public concern in relation to the use of data for this specific purpose. This effectively means that data which includes an identifier (usually NHS number) which is flowing from NHS England to commissioners for invoice validation/challenge purposes will be provided for all patients to ensure that providers receive the correct funding for the health and care services they provide.

The Right of Access is set out in Article 15 of the UK GDPR, as shown below:

Article 15 UK GDPR

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information:

a)    the purpose of the processing;
b)    the categories of personal data concerned;
c)    the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d)    where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
e)    the existence of the right to request from the controller ratification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f)    the right to lodge a complaint with a supervisory authority;
g)    where the personal data are not collected from the data subject, any available information as to their source;
h)    the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequence of such processing for the data subject.

Automated individual decision-making is defined as making a decision solely by automated means without any human involvement. The ICB does not use any process of this type in relation to patient identifiable data.

Everybody has the right to see, or have a copy, of data we hold that can identify you. If you want to access your data you must make the request verbally or in writing. Under special circumstances, some information may be withheld.  If you want to access your data you can do this by contacting us at:

Email: hiowicb-hsi.hsiow-dpo@nhs.net

Postal Address: 

NHS Hampshire and Isle of Wight ICB
Omega House
112 Southampton Road
Eastleigh
Hampshire
SO50 5PB

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the ICB holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Legislation under FOIA. However, you can request this under a right of access request – see section above ‘Gaining access to the data we hold about you’.

Your request must be in writing and can be either posted or emailed to:

Email: hsiccg.foi@nhs.net

Post:  
Freedom of Information enquiries
Omega House
112 Southampton Road
Eastleigh
Hampshire
SO50 5BP

Freedom of Information (FOI) requests are managed by South, Central and West (SCW) Commissioning Support Unit.

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: casework@ico.org.uk

Visit the ICO website. 

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact: 

Telephone: 0300 561 2561
Email: hiowicb-hsi.patientexperience@nhs.net