Privacy notice

At Herefordshire and Worcestershire Clinical Commissioning Group (the CCG) we are committed to protecting and respecting your privacy.

The CCG has various roles and responsibilities, but a major part of our work involves making sure that:

  • Contracts are in place with local health service providers;
  • Routine and emergency NHS services are available to patients; 
  • Those services provide high quality care and value for money; and 
  • Those services receive payment for the care and treatment they have provided.

This is called “commissioning” and is explained in more detail on our websites at: https://herefordshireandworcestershireccg.nhs.uk/about-us

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

As a commissioning organisation, our purpose is not to provide direct care and so we do not routinely hold or receive information about patients and service users in relation to your care. We do however sometimes hold information from which people can be identified to enable us to fulfil our responsibilities as outlined above and this is explained in this notice.

We respect your right with regards to data privacy and data protection when you communicate with us through our websites, events, telephone and (offline) programs such as paper based communication.

 

What is a Privacy Notice?

A privacy notice is a statement that describes how the CCG collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of data protection legislation. To ensure that we process your personal data fairly, lawfully and transparently we are required to inform you:

  • what information we collect and process about you;
  • the purpose of processing;
  • how we process your personal data;
  • recipients or categories of recipients who it will be shared with;
  • how long we retain personal information about you;
  • how we keep it secure (confidential);
  • the lawful bases for the sharing/processing;
  • your rights; and
  • the identity of our Data Protection Officer.

The key laws that determine how organisations can use and share your personal information are the

  • General Data Protection Regulation (GDPR) 2016
  • Data Protection Act (DPA) 2018
  • Human Rights Act (HRA) 1998
  • Common Law Duty of Confidentiality

Within these pages we describe instances where the CCG is a “Controller” of data for the purposes of the data protection legislation, and where we direct or commission the processing of service users’ data to help deliver better healthcare, or to assist the management of healthcare services.

The CCG recognise the importance of protecting personal and confidential information in all that we do, all we direct or commission, and take care to meet our legal duties.

HWCCG Covid-19 Privacy Notice (PDF, 134 KB)

 

What information we collect and hold about you

We only collect and use your information for the lawful purposes of administering the business of the CCG. We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. In order to do so effectively we are often required to process personal data, i.e. that which identifies a living individual.

We process the following types of information/data:

  • Personal data such as:
    • demographics – name, address, date of birth, postcode, NHS number
  • Sensitive personal/special categories of personal data such as:
    • racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, medical/health data, sexual life or sexual orientation data.
    • employment tribunal applications, complaints, accidents, and incident details
  • Pseudonymised data - about individuals but with identifying details (such as name or NHS number) replaced with a unique code.
  • Anonymised data - about individuals but with identifying details removed.
  • Aggregated - anonymised information grouped together so that it doesn't identify individuals.

 

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident and Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

 

How will the CCG use information about you?

1. Continuing Health Care

NHS Continuing Health Care (CHC) is free care outside of hospital that is arranged and funded by the NHS to support living with complex medical conditions and on-going healthcare needs which can be delivered in the patient’s home, at their care home or in non-acute hospitals.

CHC is free, unlike support from social services for which a fee may be charged, depending on your income and savings. CHC is different from NHS Funded Nursing Care, which some people with less complex needs living in care homes receive. Further information about NHS CHC is explained by NHS Choices here.

The CCG’s NHS CHC team manages the CHC process and further information can be found at: https://herefordshireandworcestershireccg.nhs.uk/health-services/continuing-healthcare

Purpose of processing
To determine if someone is eligible for CHC and to then arrange a care and support package that meets their assessed needs, information about the individual will need to be collected, reviewed and shared with care providers such as care homes. As the CCG has a duty to provide CHC services, this allows for the collection of information about individuals for this purpose, the use of that information and the sharing of it with third parties who need to be involved in the process.

We will make sure that we keep the individual concerned informed at all times of who will be providing or receiving data about them and why.

Legal basis for processing
The processing of your personal data is permitted under the following GDPR and DPA conditions and provisions:

The processing of your special categories of personal data concerning health is permitted under the following GDPR conditions and DPA provisions:

Related legislation:

  • Common Law Duty of Confidentiality;
  • The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 6 places a duty on the CCG to make provision for, i.e. provide, CHC services.

Sources of the data
The personal data are submitted by the applicant to the CCG for funding assessment.

Categories of personal data
The information the CCG uses to assess eligibility, and which may be submitted to an Independent Review Panel, falls under the following headings:

  • Behaviour
  • Cognition (understanding)
  • Communication
  • Psychological/emotional needs
  • Mobility
  • Nutrition (food and drink)
  • Continence 
  • Skin (including wounds and ulcers)
  • Breathing
  • Symptom control through drug therapies and medication
  • Altered states of consciousness
  • Other significant needs 

The records obtained that relate to these areas may include GP medical records, Care Home records, Health Records (for example GP, Hospital, Mental Health, District Nursing) and Social Care Records.

Recipients of personal data
Personal data relating to the application is received by health providers.

2. Complaints

Purpose of processing
Most NHS care and treatment goes well but sometimes things can go wrong. If you are unhappy with your care or the service you have received, it is important to let us know so we can improve.  When the CCG receives a complaint, to allow it to be fairly and thoroughly managed, in most cases personal information will be required.

The CCG has a statutory duty which allows the processing of personal data in relation to complaints, under Section 6 of the Local Authority Social Services and National Health Service Complaints [England] Regulations (2009) (under section 113 “Complaints about Healthcare” of the Health and Social Care (Community Health and Standards) Act 2003).

The legal basis for processing
We rely on the following legal basis to process your personal data relating to your complaints:

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process your data is:

The CCG’s Complaints Team manages the Complaints process.  Further information can be found at: https://herefordshireandworcestershireccg.nhs.uk/contact-us/compliments-and-complaints

Source of the data
The CCG will generally collect/receive information when members of the public, their representatives, or members of Parliament, contact us with concerns or enquiries. In order to process a complaint the CCG will collect the relevant information at the point of contact to enable the team to provide a sufficient response to the complaint.

Categories of personal data
Information relating to complaints would generally include the following categories of personal data:

  • Patient’s name
  • Patient’s address
  • Patient’s contact number
  • GP Surgery
  • Patient’s NHS number
  • Patient’s date of birth
  • Representative details (if applicable)
  • Representative address (if applicable)
  • The nature of the complaint

Recipients of personal data
The recipients of personal data relating to complaints include:

  • Any team within the CCG that may receive an enquiry or complaint
  • Relevant providers (with the consent of the data subject) in order to fully investigate the complaint being made.

Where you have consented to the processing of your personal data, you have the right to withdraw your consent by contacting the Complaints Team in the CCG.

3. Communication and Engagement

Purpose of processing
The CCG actively seeks to involve service users and the public in discussions about local services, including any changes, improvements and what is needed for future care. This can take place in a variety of ways, for example through the Herefordshire and Worcestershire Involvement Network (HWIN), via social media, voluntary community and social enterprise (VCSE) organisations, elected representatives and/or through formal consultations and meetings.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS, including the CCG, will use records about you in ways that respect your rights and promote your health and wellbeing.

If you have requested a service from the CCG, for example you have volunteered and consented to join the Herefordshire and Worcestershire Involvement Network (HWIN) then we will hold details about you in order to provide an effective service. We only use these details to provide the service the person has requested. For example, we might use information about people who have joined the HWIN to send them information on the CCG’s current workstreams or to invite them to an event.

Another example may be where you have opted to provide your details as part of a survey; in this case the CCG may contact you to ask if you are happy with the level of service received, or if the information is useful to you. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time by emailing us and asking to unsubscribe. All information that we hold about you will be held securely and confidentially.

We use administrative and technical controls to do this. We use strict controls to ensure that only a limited number of authorised staff are able to see information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis. All of our staff, contractors and committee members receive role appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Legal basis for the processing
The processing of personal data is permitted under the following GDPR ‘conditions’ and DPA ‘provisions’:

Sources of the data
The personal data is provided by data subjects when signing up to the Herefordshire and Worcestershire Involvement Network (HWIN), or if requesting one of our newsletters or expressing interest in an engagement event, either via our website or by completing one of our sign-up forms at one of the stakeholder events that we hold from time to time.

Categories of Personal data
We only require you to provide us with your name and email address or residential address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Do we use any processors?
Yes - we use Survey Monkey to manage and populate our engagement programmes. For more information on Survey Monkey please visit their Privacy Policy.

Right to withdraw consent: Where you have consented to the processing of your personal data, you have the right to withdraw your consent by contacting the CCG.

4. Individual Funding Request

Purpose of processing
An Individual Funding Request (IFR) is a procedure for individuals who require treatments, drugs or therapies that are not normally funded under the NHS. An IFR can be made by the clinician treating you if they believe that, because your clinical circumstances are exceptional, you may receive benefit from a treatment or service that isn’t routinely offered by the NHS.

The NHS has a duty to spend the money it receives from the Government in a fair way, taking into account the health needs of the whole community. The CCG’s role is to ensure they get best value for this money by spending it wisely on behalf of the public.

The CCG pays for local NHS health services and NHS England pays for highly specialised health services. The CCG has a legal duty to provide health services for patients in the county with the fixed amount of money they have received from the Government. They have a legal duty not to spend more than this. This means that some hard choices have to be made. Not all treatments can be provided by the NHS, and some have evidence to show which patient groups most benefit from that treatment. The CCG documents these in its Clinical Commissioning Policies, which are available on the CCG’s website: https://herefordshireandworcestershireccg.nhs.uk/about-us/corporate/publications

However, the CCG knows that there will always be times when a patient would benefit from a particular treatment not usually given by the NHS. To apply for this treatment, an Individual Funding Request is made. To allow the CCG to consider these requests, access to both personal and health information regarding the individual to whom the request relates is required. 

Legal basis for processing
The processing of your personal data is permitted under the following GDPR and DPA conditions and provisions:

The processing of your special categories of personal data concerning health is permitted under the following GDPR conditions and DPA provisions:

Related legislation:

  • Common Law Duty of Confidentiality;
  • As the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 7, Regulation 34 places a duty on CCGs in respect of the funding and commissioning of drugs and other treatments, this provides the CCG with a legal basis to use personal data as part of this process.

Sources of the data
The information is provided by a clinician who submits an IFR application form on behalf of a patient.  

Categories of personal data
The IFR application form includes NHS number, name and address, date of birth, GP details, diagnosis, requested intervention and other information relevant to the request. The details are recorded on a secure database and all information is anonymised before being presented. Each IFR will have an individual case number that is used to process the request and outcome.

Categories of recipients
Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

5. Invoice Validation

Purpose of processing
Invoice validation is an important process. It involves using your NHS number to check that we are the CCG responsible for paying for your treatment.

NHS Midlands and Lancashire Commissioning Support Unit (ML CSU) is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables them to process patient identifiable information on behalf of the CCG without consent for the purposes of invoice validation – Confidentiality Advisory Group - CAG 7-07(a)(c)/2013.

We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

In accordance with NHS England guidance on how invoices must be processed, Commissioners have a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

Legal basis for processing
The processing of your personal data is permitted under the following GDPR and DPA conditions and provisions:

Sources of the data
The sources of data are providers who submit invoices to NHS Shared Business Services for payment.

Categories of Personal data
The data required for effective invoice validation can be found in Appendix B, of “Who Pays? Information Governance Advice for Invoice Validation” which you can find here:
www.england.nhs.uk/wp-content/uploads/2013/12/who-pays-advice.pdf

Recipients of personal data
NHS Midlands and Lancashire Commissioning Support Unit is the only organisation that will receive personal data relating to invoice validation as an accredited Controlled Environment for Finance.

Data Retention Period
All records held by the CCG will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

6. Risk Stratification

Purpose of processing
Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as diabetes and heart disease. This is called risk stratification for “case-finding” and is a type of profiling, as it is the automated processing of personal data to analyse or predict health needs. However, this is not a solely automated process: whilst cases are identified through an automated process, no decisions are made automatically; they are made by the GP.

These searches are sometimes carried out by Data Processors who link the GP records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

Risk stratification can be grouped into two purposes namely:

  • Direct Care – ‘Case Finding’ where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care.
  • Indirect Care - understanding the local population needs and planning for future requirements.

The CCG also use risk stratified data for Indirect Care purposes to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services.  This is linked to data collected in GP practices and analysed to produce a risk score.

GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care; however, the CCG can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources, i.e. NHS Digital or another health care provider, the GP will ask for your permission to access the details of that information.

The law says commissioners are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. So they need an intermediary service called Data Services for Commissioners Regional Office (DSCRO), which specialises in processing, analysing and packaging patient information within a secure environment into a format commissioners can legally use, i.e. anonymised patient level data. You can find more comprehensive information about this on the NHS Digital Website.

NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care to support NHS commissioning organisations and the commissioning functions within local authorities.

Legal basis for processing
The processing of your personal data is permitted under the following GDPR conditions and DPA provisions:

The processing of your special categories of personal data concerning health is permitted under the following GDPR conditions and DPA provisions:

Sources of the data
Personal data is supplied by GPs and NHS Digital commissioning data sets (CDS). Commissioning data sets are maintained and developed by NHS Digital, in accordance with the needs of the NHS and the Department of Health and Social Care. Commissioning data sets form the basis of data on activity carried out by organisations reported centrally for monitoring and payment purposes. For more information about CDS please visit: Commissioning Data Sets Overview.

Categories of Personal data
Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services (Secondary Use Services data). This is linked to data collected in GP practices and analysed to produce a risk score.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Information on care provided for all patients by Health Care Providers (both NHS and Independent Sector Healthcare Providers for NHS patients only) must be submitted to the Secondary Uses Service according to the Commissioning Data Set Mandated Data Flows guidelines.

Data from the GP Practice system will be obtained by using a “bulk data extract”, uploaded directly by the risk stratification tool supplier from the practice system. Prior to the upload, the supplier will obtain permission from the practice to request the data from the practice system provider and the practice will notify their system providers that this permission has been granted.

The data extract will exclude patients who have expressed a wish not to share information. Reports produced from the system, including identifiable data, are only provided back to your GP or member of your care team in an identifiable form.

Your GP can provide more information about any risk stratification programme they are using. Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager at your surgery to discuss how the disclosure of your personal information can be limited.

You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification for Indirect Care. If you wish to exercise any of your rights, please contact the CCG and your request will be carefully considered.

7. Safeguarding Concerns and Reviews

Purposes of processing 
The CCG is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and thoroughly applied, with the wellbeing of all at the heart of what we do.

Some members of the public are recognised as needing safeguarding protection, for example children and vulnerable adults. If an individual is identified as being at risk from harm, we have a duty to do what we can to protect that individual, and we are bound by ‘Safeguarding’ laws to do so.

Where there is a suspected or actual safeguarding issue we may share information that we hold about you with other relevant agencies such as local Ambulance trusts, the police, A&E departments, out of hours services, 111 or Social Services.

Legal basis for processing
The processing of your personal data is permitted under the following GDPR conditions and DPA provisions:

The processing of special categories of personal data concerning health is permitted under the following GDPR conditions and DPA provisions:

Related legislation:

Categories of personal data
The data collected by CCG staff including hosted bodies, in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

Sources of the data
The CCG will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns.

Recipients of personal data
The information is used by the CCG when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as Local Authorities, the Police, Care Homes and healthcare professionals (i.e. their GP or mental health team).

This sharing is a legal and professional requirement and therefore there is no right to object.

The Children Act 1989 requires local authorities to investigate where a child is the subject of an emergency protection order, is in police protection or where there is a reasonable cause to suspect that a child is suffering or is likely to suffer harm.

The Act requires the local authority to safeguard and promote the welfare of children who are in need, within their geographical area and to request help from specified authorities including General Practices, NHS Trusts, Clinical Commissioning Groups (CCGs) and NHS England.

8. Quality

Purposes of processing 
The CCG has a statutory duty for the improvement of the quality and delivery of services, and therefore uses incident events, investigations, evidence and reports relating to incidents under various policy and procedural structures.

The CCG monitors patient healthcare and the way in which patient information is handled within care homes or services which the CCG funds; this is to assess the quality of care given to patients, and to closely monitor staff delivering these services. Where there may be concerns identified, an investigation is carried out. It is important to carry out quality assurance visits to ensure the correct processes are being adhered to, patients are getting the best service and the correct paperwork is being completed. This information is shared with Healthcare providers and Care homes so that services and care can be reviewed and maintained at a high level.

In order to promote quality and compliance, the CCG has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

Part of this monitoring allows the CCG to review hospital discharge data so that delayed transfers of care are identified and so that the CCG can assess how these can be reduced for more efficiency.

The processing of your personal data is permitted under the following GDPR conditions and DPA provisions:

The processing of your special categories of personal data concerning health is permitted under the following GDPR conditions and DPA provisions:

Categories of personal data
NHS Number and other personal details, including relevant healthcare records and information about the concerns, including others involved or impacted by the event are used by the CCG to facilitate concerns/incident investigations.

Sources of the data
Data received in order to fulfil the duties relating to concerns investigation will be received directly from the organisation concerned or the reporting organisation, such as a Care Home or Provider.

Recipient of personal data
Information relating to outcomes will be sent back to the relevant Providers.

Data Retention Period
All records held by the CCG will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

9. Post Infection Monitoring and Review

Purposes of processing
The CCG has a statutory duty to monitor the quality of care and services provided by the CCG and work closely with the organisation involved in providing patient care. The CCG has employed a commissioning infection prevention and control nurse to support the CCG’s , to work with organisations to identify the cause or factors which may have contributed to an infection in line with National requirements, e.g. Quality Premium (GNBSI).

Legal basis for processing
The processing of your personal data is permitted under the following GDPR conditions and DPA provisions:

The processing of your special categories of personal data concerning health is permitted under the following GDPR conditions and DPA provisions:

Categories of personal data
NHS Number and personal details such as name, date of birth, address and GP details, including relevant healthcare records and information about the infection. There may be occasions where details are required of contacts who may have been in contact with an infection or infectious individual, so that these individuals can be followed up as required. Risk assessments are carried out on the basis of the organism as to what contact details are required.

Sources of the data
Data is received in order to fulfil the investigation of the infection monitoring. This information will be received directly from the healthcare provider and care homes. The nurse working on behalf of the CCG has access to a national system called the Public Health England (PHE) Data Capture system in order to view personal-level data in relation to individuals’ infections and care; information is accessed in order to review and monitor the quality of care.

Recipient of personal data
Information relating to the outcomes of investigation reviews and lessons learnt from reviews will be sent back to the relevant providers, for example GPs, Care Homes and Hospitals. This is necessary so that any local or national changes can be implemented from the learning and actions addressed from the investigations.

How we use information provided by NHS Digital

We use information collected by NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund.

The data we receive does not include patients’ names or home addresses, but it will usually include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work. Unless we have a legal basis to use identifiable data, de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity.

 

Automated Decision Making

The CCG does not use automated individual decision-making (making a decision solely by automated means without any human involvement).

 

Sharing your information

We share information about you with other GPs, NHS acute or mental health Trusts, local authority, community health providers, pharmacists, commissioning organisations, medical research organisations and some specific non-NHS organisations for the purposes of direct and indirect care delivery.

Where the CCG holds personal information about you, sometimes we will need to share information about you with others including other Health and Social Care organisations and regulatory bodies such as GPs, NHS acute or mental health Trusts, local authorities, community health providers, pharmacists and other commissioning organisations. There are a number of reasons why we share information; this can be due to:

  • Appropriate lawfulness for sharing
  • Our obligations to comply with current legislation
  • Our duty to comply with a Court Order 
  • You have consented to disclosure

 

Retaining information

Information in the CCG is held for a specific length of time depending on the type of information it is. The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: NHS Digital Records Management Code of Practice for Health and Social Care 2016.

Once information has been reviewed and is no longer required to be kept under a retention period, the information will be securely destroyed.

The CCG’s shredding is carried out securely on site by a professional paper shredding company.

 

Security of your information

The CCG takes its duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

Alongside the Data Protection Officer (DPO), we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual information governance training and are provided with an information governance handbook that they are required to read and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

We are registered with the Information Commissioner’s Office (ICO) as a data controller and collect data for a variety of purposes. A copy of the registration is available through the ICO website. You can search by CCG name or ICO Data Protection Register number ZA751854.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

 

Your rights

The right to be informed and right of access

You have the right to ask us for confirmation of whether we process data about you and if we do, to have access to that data so you are aware and can verify the lawfulness of the processing.

You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf.  A child’s parent or guardian, a patient representative, or a person appointed by the Court may also apply. If you wish to ask us for confirmation of whether we process data about you or access your personal data, then please contact:

Herefordshire and Worcestershire Clinical Commissioning Group
Tony Ciriello
The Coach House
Perdiswell
Worcester
WR3 7NS

Tel: 01905 681999
Email: (address not shown) - quoting "Subject Access Request" in the subject line

The right to rectification

You are entitled to have personal data that we hold about you rectified if it is inaccurate or incomplete. If we have passed the data concerned on to others, we will contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If this is the case, we will explain to you why.

The right to erasure

You have the right to have personal data we hold about you erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • If you withdraw your consent for us to process your data (if this was the basis on which it was collected)
  • The personal data was unlawfully processed (i.e. a breach of data protection legislation)
  • The personal data has to be erased in order to comply with a legal obligation.

However, if we have collected and are processing data about you to comply with a legal obligation, for the performance of a public interest task or exercise of official authority, i.e. because we have a legal duty to do so in our functioning as CCGs, then the right to erasure does not apply.

The right to restrict processing

You have the right to ‘block’ or suppress processing of your personal data. This means that if you exercise this right, we can still store your data but not further process it, and we will retain just enough information about you to ensure that the restriction is respected in future.

You can ask us to restrict the processing of your personal data in the following circumstances:

  • If you contest the accuracy of the data we hold about you, we will restrict the processing until the accuracy of the data has been verified;
  • If we are processing your data as it is necessary for the performance of a public interest task and you have objected to the processing, we will restrict processing while we consider whether our legitimate grounds for processing are overriding;
  • If the processing of your personal data is found to be unlawful but you oppose erasure and request restriction instead; or
  • If we no longer need the data we hold about you, but you require the data to establish, exercise or defend a legal claim.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we will also inform you about these recipients.

We will inform you if we decide to lift a restriction on processing.

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. However, it only applies where we are processing your personal data based on your consent for us to do so or for the performance of a contract, and where the processing is carried out by automated means. This means that currently, the CCG does not hold any data which would be subject to the right to data portability.

The right to object

Where the CCGs process personal data about you on the basis of being required to do so for the performance of a task in the public interest or exercise of official authority, you have a right to object to the processing.

You must have an objection on grounds relating to your particular situation.

If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

Rights in relation to automated decision making and profiling

As the CCG does not make any decisions based solely on automated processing, individuals’ rights in relation to personal data processed in this way are not applicable.

The right to withdraw consent

If the CCGs process data about you on the basis that you have given your consent for us to do so, you have the right to withdraw that consent at any time. Where possible, we will make sure that you are able to withdraw your consent using the same method as when you gave it.

If you withdraw your consent, we will stop the processing as soon as possible. In order to do this please contact:

Herefordshire and Worcestershire Clinical Commissioning Group
Tony Ciriello
The Coach House
Perdiswell
Worcester
WR3 7NS

Tel: 01905 681999
Email: (address not shown) - quoting "Subject Access Request" in the subject line

National Data Opt-Out

The National Data Opt-Out (NDOP) applies to the disclosure of confidential patient information for purposes beyond individual care (research and planning) across the health and adult social care system in England. In broad terms the national data opt-out applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. The opt-out does not apply when the individual has consented to the sharing of their data or where the data is anonymised.

Any person registered on the Personal Demographic Services (PDS) and who consequently has an NHS number allocated to them is able to set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the Spine.

The national opt-out applies to a number of datasets including:

  • National Clinical Audit of Rheumatoid and Early Inflammatory - NHS Digital collects this data on behalf of the British Society for Rheumatology to improve the quality of care for patients with Rheumatoid and early.
  • National Adult Community Acquired Pneumonia (CAP) Audit - NHS Digital collects this data on behalf of the British Thoracic Society to assess variation in the care of patients hospitalised with pneumonia in the UK.
  • Trauma Audit & Research Network (TARN) - NHS Digital collects this Confidential Patient Information (CPI) on behalf of TARN.
  • Invoice Backing Data for Contracted Activity - NHS Digital collects this data to enable Commissioners to determine if they are the responsible commissioner. It is important to point out that the national opt-out applies to contracted activity data that has not been rendered anonymous.
  • Risk Stratification data for Indirect Care - NHS Digital collects this data for data processors working on behalf of GPs and CCGs. The GP data is linked to other records that they access, such as hospital attendance records, in order to enable the CCGs (commissioners) to understand the local population's needs and plan for future requirements.

You have the right to opt-out of having your data shared for the purposes of indirect care (research and planning). You can do so via the national opt-out website.

If you do choose to opt out, your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit Your NHS Data Matters.

 

Our Data Protection Officer 

Haley Gidman

NHS Midlands and Lancashire Commissioning Support Unit (MLCSU)
Heron House
120 Grove Road
Fenton
ST4 4LX

Tel: 01782872648

Information that was held previously by NHS Herefordshire CCG, NHS Redditch and Bromsgrove CCG, NHS South Worcestershire CCG and NHS Wyre Forest CCG was transferred to NHS Herefordshire and Worcestershire CCG on 1 April 2020.

The new CCG is the new data controller. Any questions about the use of data (including patient data) by the new CCG should be directed to mlcsu.ig@nhs.net.