What is a Fair Processing or Privacy Notice?

The purpose of this notice is to inform you of the types of information, including personal confidential data, that Salford CCG processes about you, how that information is used, who we may share that information with, and how we keep it secure and confidential.

NHS England who lead the National Health Service in England have a Fair Processing Notice which can be found on: https://www.england.nhs.uk/contact-us/privacy-notice/

However, Salford CCG, as a Data Controller, determines how the data will be processed and used within the CCG and with the others we share data with. We are legally responsible for ensuring that all personal data we hold and use is handled in a way that meets the data protection principles under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This notice also explains how we handle that data and keep it safe.

Salford CCG has a duty to ensure this is kept confidential, secure and used appropriately. 

Who are we and what do we do?

Salford CCG is an NHS commissioning organisation; our purpose is not to provide care, and so we do not routinely hold or receive information about patients and service users in a format from which they can be identified.

Salford CCG has various roles and responsibilities, but a major part of our work involves making sure that:

•  contracts are in place with local health service providers;

•  routine and emergency NHS services are available to patients;

•  those services provide high quality care and value for money; and

•  those services are paid for the care and treatment they have provided.

This is called “commissioning” and is explained in more detail on our website at:

http://www.salfordccg.nhs.uk/salford-ccg-about-us

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

The following information explains why we use information, who we share it with, how we protect your confidentiality and your legal rights and choices.

We are committed to protecting your rights to confidentiality

We want patients to understand:

•  How the CCG uses and shares your information

•  How GPs use and share your information

•  Your health record, what it contains and how you can access it

•  When you can choose to opt-out of your personal information being collected or shared and what this will mean to you

Definitions of data types processed at the CCG

We use the following types of information / data:

Personal Data

This contains details that identify individuals, either from one data item or from a combination of data items. Demographic data items such as name, address, NHS Number, full postcode and date of birth are considered identifiable. Under GDPR, this now also includes location data and online identifiers.

Special Categories of Personal Data (previously known as Sensitive Data)

This is personal data consisting of information as to: race, ethnic origin, political opinions, health, religious beliefs, trade union membership, sexual life and previous criminal convictions. Under GDPR, this now includes biometric data and genetic data.

Personal Confidential Data

This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.

Pseudonymised Data or Coded Data

Individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity. When data has been pseudonymised it still retains a level of detail in the replaced data by use of a key / code or pseudonym that should allow tracking back of the data to its original state.

Anonymised Data

This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.

Aggregated Data

This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
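The four data types just defined differ in one practical respect: whether a key exists that can take the data back to a person. The following Python example is added here to make that concrete; it is not code from Salford CCG, the DSCRO or any NHS system. The records, NHS numbers and key are constructed for the example, the pseudonym scheme (a keyed HMAC-SHA256 of the NHS number) is an assumed one, and the small-number suppression threshold of 5 in the aggregation step is a common statistical-disclosure practice assumed here, not something this notice states.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: made-up people and made-up 10-digit NHS numbers.
RECORDS = [
    {"nhs_number": "9434765919", "name": "A. Example", "postcode": "M6 8HD",
     "dob": "1954-03-02", "diagnosis": "COPD", "ae_attendances": 3},
    {"nhs_number": "9434765927", "name": "B. Example", "postcode": "M5 4WT",
     "dob": "1961-11-17", "diagnosis": "COPD", "ae_attendances": 1},
    {"nhs_number": "9434765935", "name": "C. Example", "postcode": "M6 8HD",
     "dob": "1988-07-30", "diagnosis": "Asthma", "ae_attendances": 0},
]

# Direct identifiers named in the notice (name, address/postcode, NHS number, date of birth).
IDENTIFIERS = ("nhs_number", "name", "postcode", "dob")


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the NHS number (an assumed scheme, not the CCG's).
    Same number + same key -> same token, so records about one person can be
    linked; without the key the token cannot be turned back into the number."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace identifiers with a coded reference. Returns the coded rows and the
    re-identification table (token -> NHS number), which is the 'key / code'
    the notice describes and must be held separately from the coded data."""
    lookup = {}
    coded = []
    for r in records:
        token = pseudonym(r["nhs_number"], key)
        lookup[token] = r["nhs_number"]
        row = {k: v for k, v in r.items() if k not in IDENTIFIERS}
        row["patient_id"] = token
        coded.append(row)
    return coded, lookup


def reidentify(token: str, lookup: dict):
    """Only a holder of the lookup table can trace a token back to a person."""
    return lookup.get(token)


def link_by_token(primary_rows, secondary_rows):
    """Join two pseudonymised datasets on the shared token: data from different
    sources is linked without either side holding direct identifiers."""
    by_id = {r["patient_id"]: dict(r) for r in primary_rows}
    for r in secondary_rows:
        by_id.setdefault(r["patient_id"], {}).update(r)
    return by_id


def anonymise(records):
    """Drop identifiers and keep no key. Date of birth is generalised to a decade
    because, combined with other fields, an exact date can still single someone
    out; whether the result is truly anonymous needs a separate risk assessment."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in IDENTIFIERS}
        row["birth_decade"] = r["dob"][:3] + "0s"
        out.append(row)
    return out


def aggregate(records, field: str, min_count: int = 5):
    """Counts per value of `field`. Cells below min_count are suppressed; the
    default threshold of 5 is an assumed statistical-disclosure practice."""
    counts = Counter(r[field] for r in records)
    return {k: (n if n >= min_count else f"<{min_count}") for k, n in counts.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice held only by the pseudonymisation service
    coded, lookup = pseudonymise(RECORDS, key)
    print(coded[0])  # no name, NHS number, postcode or date of birth
    print(reidentify(coded[0]["patient_id"], lookup))
    print(anonymise(RECORDS)[0])
    print(aggregate(RECORDS, "diagnosis"))
```

The point to take from running it: pseudonymised rows still let two datasets be linked (same key, same token), and whoever holds the lookup table can re-identify, so that table is what access controls must protect. Anonymised rows have no table to protect, but dropping identifiers alone does not make data anonymous in the sense the notice uses, and aggregated counts are the only output here that carries no per-person row at all.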

The CCG receives the following datasets from providers:

Primary Care Data

Primary care is most people's first point of contact with the NHS; around 90 per cent of patient interaction is with primary care services. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary Care Data relates to information which has been sourced from these types of services.

Secondary Care Data

Secondary Care means treatment and care provided by specialist clinicians, for example specialist doctors and nurses, within a health facility or hospital on referral by a primary care clinician such as your GP. Secondary Care Data relates to information which has been sourced from these types of services.

Secondary Uses Service (SUS) Data

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. SUS data is useful to commissioners and providers of NHS-funded care for 'secondary' purposes – this is use of data other than for direct or 'primary' clinical care.

For further information about SUS, please visit:
https://digital.nhs.uk/services/secondary-uses-service-sus

Community Care / Social Care Data

Community care data includes data from social care services covering both adults and children.

Why we collect information about you

Secondary Uses Services Data

We use information collected by hospitals, GPs, community services and NHS Digital. The type of information we use is called Secondary Uses Services data (SUS data). SUS data gives us information about the services we commission. It does not include your name or home address but may include information such as your NHS number, ethnicity and gender. It also contains coded information about hospital attendances and treatment.

We use the SUS data for a number of purposes:

•  To understand the health needs of the population

•  To plan, redesign and improve services

•  To ensure providers are using resources effectively

•  To pay services for the care they provide

•  To audit NHS accounts and services.

We will use anonymised data that cannot be linked back to your identity (de-identified data) wherever possible. In order to ensure that the NHS continues to function lawfully and efficiently, the Secretary of State for Health has given permission for CCGs to use certain personal information from SUS without consent, but only when it is absolutely necessary for certain specified purposes. This approval is given upon the strict advice of the Health Research Authority’s Confidentiality and Advisory Group (CAG) under conditions set out in section 251 of the NHS Act 2006. The specific terms and conditions that we are obliged to follow when using SUS data can be found on the NHS Digital website.

The dataset collected from secondary care providers, for example hospitals, by NHS Digital is referred to as the Secondary Uses Service (SUS). SUS is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital’s website: http://digital.nhs.uk/sus.

The following are the types of organisations from which NHS Digital receives data and then forwards it to our data processor, either in an anonymised format or in a de-identified format with NHS Number, in order to link and analyse the data.

Where data is used for these statistical purposes, stringent measures are taken to ensure individuals cannot be identified.

Types of organisations and types of information we receive:

Acute Trusts (Hospitals) - we receive anonymised acute data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.

Community trusts or community organisations - we receive anonymised community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units.  

Mental Health Trusts or Mental Health organisations - we receive anonymised mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge, referrals and next steps. 

Primary Care organisations, for example your local GP practice. We receive anonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information and follow-ups. 

We may also contract with other organisations to process this data. We ensure that the external data processors that support us are legally and contractually bound to operate this process. They have security arrangements to maintain confidentiality where data that could or does identify a person is processed. The external data processor we work with to do this is NHS Arden and GEM Commissioning Support Unit (CSU).

The types of secondary use processing we do in the CCG are:

Risk Stratification

Types of data: Pseudonymised / Anonymised / Aggregate Data
Source of data: Primary Care, Secondary Care and Community Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(c) - Processing is necessary for compliance with a legal obligation

Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems

Section 251 NHS Act 2006

NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions. Knowledge of the risk profile of our population helps the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.

Risk stratification is a process which applies computer-based algorithms, or calculations, to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. Identifying those patients individually from the patient community would be a lengthy and time-consuming process which, by its nature, would potentially not identify individuals quickly and would increase the time taken to improve care. A GP or health professional at your GP Practice reviews this information before a decision is made.

There are two types of risk stratification:

  • Risk Stratification for case-finding identifies and manages patients who are at high risk of emergency hospital admission, or aims to reduce the risk of certain diseases developing.
  • Risk Stratification for Commissioning allows the CCG to understand the health needs of the local population in order to plan and commission the right services.

For risk stratification, there is a Section 251 approval in place which allows NHS Digital to receive personal confidential data.  They process this via DSCRO who then send pseudonymised data to the CCG. This is detailed in the flow chart below.

[Flow chart image: data flow from providers to NHS Digital / DSCRO and on to the CCG]

Who are DSCROs and what do they do?

NHS Digital's responsibilities as set out in the Health and Social Care Act 2012 include the collection, analysis and presentation of national health and social care data. The Act also gave NHS Digital the powers to act as a safe haven and collect, hold and process personal confidential data (PCD) for purposes beyond direct patient care.

Commissioners of healthcare services need to plan and commission healthcare services in their local area through analysis of actual and projected use of services across all parts of the care economy. This modelling requires access to information about care provided to patients, their hospital stays and patient journeys, but without accessing personal confidential patient data. Care commissioners do not provide direct patient care, and therefore they have no legal basis on which to access personal confidential patient information.

Therefore commissioners require an intermediary service that specialises in processing, analysing and packaging patient information into a format they can legally use. This is carried out by Data Services for Commissioners Regional Offices (DSCROs).

DSCROs work with data from GP Practices and NHS Hospital Trusts in the regional processing centres. Staff follow strict rules on accessing, analysing and processing data. The powers granted to NHS Digital by the Health and Social Care Act 2012 mean that staff are operating within the approved legal framework.

The service allows clinical commissioning groups (CCGs), local authority public health teams and specialised commissioners to plan and commission those healthcare services in their local area and nationally using the services provided through the DSCROs.

There is a data sharing agreement between the DSCRO and the following CCGs in Greater Manchester to provide assurance regarding the security processes for pseudonymisation and for sharing such data as part of collaborative working:

  • NHS Bury Clinical Commissioning Group
  • NHS Oldham Clinical Commissioning Group
  • NHS Manchester Clinical Commissioning Group
  • NHS Stockport Clinical Commissioning Group
  • NHS Trafford Clinical Commissioning Group
  • NHS Tameside & Glossop Clinical Commissioning Group
  • NHS Wigan Clinical Commissioning Group
  • NHS Salford CCG
  • NHS Bolton CCG

Technical and organisational measures are in place to ensure the security and protection of personal confidential data.  Robust access controls are in place to ensure only GPs are able to re-identify information about their individual patients with their consent when it is necessary for the provision of their care.

As a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where because of our assigned responsibilities we do hold and use personal information. In order to process that information we will have met a legal requirement; in general this is where we have complied with one of the following:

•  The information is necessary for direct healthcare for patients

•  We have received consent from individuals to be able to use their information for a specific purpose

•  There is an overriding public interest in using the information, e.g. in order to safeguard an individual, or to prevent a serious crime

•  There is a legal requirement that will allow us to use or provide information (e.g. a formal court order, statutory returns)

The areas where we use personal information, and the legal basis and conditions used to do this, are outlined below:

NHS Continuing Healthcare (CHC) applications

Type of data: Personal data – demographics; Special category of data – health data
Source of data: Primary Care and Secondary Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis: Implied Consent

If you make an application for NHS Continuing Healthcare (CHC) funding we will use the information you provide and where needed request further information from care providers to identify eligibility for funding.  If agreed, arrangements will be put in place to provide and pay for the agreed funding packages with appointed care providers.

This process is nationally defined; we follow a standard process and use standard information collection tools when assessing eligibility for CHC applications.

Individual Funding Requests

Types of data: Personal data – demographics; Special category of data – health data
Source of data: Primary and Secondary Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis: Implied Consent

You, or your doctor on your behalf, can make an Individual Funding Request (IFR) for a treatment not routinely commissioned. We use the information you provide and, if necessary, request further information from primary and secondary care providers to identify eligibility for funding. This process is carried out by a data processor who acts on our behalf. The Data Processor for this purpose is Greater Manchester Shared Services - Effective Use of Resources Team. Please note this does not include IFRs for mental health; these are processed by the CCG directly.

For further information about Individual Funding Requests processed by the GMSS EUR, please email: gmifr.gmcsu@nhs.net.

For further information about Individual Funding Requests for Mental Health, please contact the CCG.

Safeguarding

Types of data: Personal Data – demographics; Special category of data – health data
Source of data: Primary Care, Secondary Care and Community Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Article 9 (2)(b) - Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of …social protection law
Common Law Duty of Confidentiality basis: Overriding Public Interest / Statutory legislation for adult and children safeguarding

Information is provided to care providers to ensure that adult and children's safeguarding matters are managed appropriately. Personal confidential data will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned.

For the purposes of safeguarding children and vulnerable adults, personal and healthcare data is disclosed under the provisions of the Children’s Act 2014 and Care Act 2014.

Incident Management – Serious Incidents

Types of data: Personal Data – demographics; Special category of data – health data
Source of data: Primary Care, Secondary Care and Community Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis: Statutory – Serious Incident Framework 2015

Salford CCG is accountable for effective governance and learning following all Serious Incidents (SIs). We work closely with all provider organisations as well as commissioning staff members to ensure all SIs are reported and managed appropriately.

The Francis Report (February 2013) emphasised that commissioners should have a primary responsibility for ensuring quality, as well as providers.

Supporting Medicines Optimisation

Type of data: Personal Data – demographics; Special category of data – health data
Source of data: Primary Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Article 9 (2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis: Implied Consent

The Medicines Optimisation Team work with GP practices to provide advice on medicines / prescribing queries and review prescribing of medicines to ensure that it is safe. In some cases, to ensure clinical safety, this may require the use of personal confidential data.

In cases where personal confidential data is required, this is done with the practice's agreement. No data is removed from the practice’s clinical system and no changes are made to patients' records without permission from the GP. Patient records may sometimes be viewed remotely from the CCG's premises via secure encrypted laptops.

Where specialist support is required, for example to advise community pharmacists on ordering a drug that comes in solid, gas or liquid form, CCG medicines optimisation pharmacists will provide advice on behalf of a GP to support your care. Personal confidential data is used for this purpose.

Personal confidential data is also used by our medicines optimisation team to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded. In cases where personal confidential data is used, this is done with permission from the GP.

We only use information that may identify you (known as personal confidential data) in accordance with the following:

•  The General Data Protection Regulation and the Data Protection Act 2018 – these require us to have a legal basis if we wish to process any personal information.

•  NHS Care Record Guarantee – sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made, and investigating and managing inappropriate access (audit trails).

•  NHS Constitution for England – this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.

We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.

We keep your information in written form and / or on a computer securely and confidentially.

The information held within these records depends on what is required in order to complete the process for which it is intended, and will include basic personal details about you, such as your name and address. They may also contain more sensitive information about your health, and information such as the outcomes of needs assessments.

The CCG will use the services of the additional data processors, who will provide additional expertise to support the work of the CCG by adding value to the analyses of data that does not directly identify patients, as follows:

Other Partner Organisations

Data Processor 2

NHS Oldham CCG hosting: Greater Manchester Shared Services, Ellen House, Waddington Street, Oldham, OL9 6EE

IT Services / personal data for the purposes of the Effective Use of Resources process.

Data Processor 3

Salford Royal NHS Foundation Trust hosting: Advancing Quality Alliance (AQuA), 3rd Floor, Gate House, Cross St, Sale, M33 7FT

No personal data is transferred to or received from this data processor.

Data Processor 4

Salford Royal NHS Foundation Trust hosting: Academic Health Sciences Network (Utilisation Management Team), Salford Royal NHS Foundation Trust Data Centre, Stott Lane, Salford, M6 8HD

No personal data is transferred to or received from this data processor.

Invoice Validation

Types of data: Personal Data – demographics; Pseudonymised – coded health care data
Source of data: GP Practice and other care providers
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(c) - Processing is necessary for compliance with a legal obligation

Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems

Section 251 NHS Act 2006, NHS Constitution (Health and Social Care Act 2012)

Invoice validation is an important process which the CCG requests that NHS Oldham CCG, hosting Greater Manchester Shared Services, carries out on its behalf. This involves using your NHS number to establish which CCG is responsible for paying for your treatment. The process also ensures that those who provide you with care are reimbursed correctly for the care and treatment they have provided. Greater Manchester Shared Services are registered as a Controlled Financial Environment, which ensures that the procedures and systems for managing invoices on behalf of the CCG are in line with national requirements.

NHS Shared Business Services – Finance and Accounting Services

Some provider invoices for patient care submitted to Clinical Commissioning Groups for payment are processed via NHS Shared Business Services (NHS SBS). They provide support services for the NHS, providing finance and accounting solutions. NHS SBS also use an offshore service provider, Sopra Steria, who are based in India. Both NHS SBS and Sopra Steria have met the necessary information governance standards to process data overseas.

Purposes where consent is required

There are also other areas of processing undertaken where consent is required from you. Under GDPR, consent must be freely given, specific and informed, and a record must be made of your consent to confirm that you have understood.

Patient and public involvement

Types of data: Personal data – demographics
Source of data: Data subject
Legal basis for processing personal data under GDPR:

Article 6 (1)(a) – Explicit Consent

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you consent to and share with us.

Where you submit or publish your details to us for involvement purposes, we will only use your information for this purpose and only with your written consent.  You can contact us at any point to withdraw your consent for us to use your photograph, film and words for any new purposes.

Please remember that once an article is published and in circulation it may be copied and used by others (especially online). If you ask us to stop using your photo, film or words in the future we will comply with your request, but we cannot guarantee that other parties will do so.

To opt out of receiving updates or to withdraw your consent, please contact salccg.communications@nhs.net

Subject Access Requests 

Types of data: Personal data – demographics
Source of data: Data subject
Legal basis for processing personal data under GDPR:

Article 6 (1)(a) – Explicit Consent

If you have asked us for a copy of your data, we will need your explicit, written consent (or that of your legal representative) before we proceed.

Complaints relating to the CCG

Types of data: Personal data – demographics
Source of data: Data subject
Legal basis for processing personal data under GDPR:

Article 6 (1)(a) – Explicit Consent

Complaints relating to CCG commissioned services

Type of data: Personal Data – demographics; Special category of data – health data
Source of data: Data Subject, Primary Care, Secondary Care and Community Care
Legal basis for processing personal data and special category data under GDPR:

Article 6 (1)(a) – Explicit Consent

Article 9 (2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems

Common Law Duty of Confidentiality basis: Explicit Consent

When we receive a complaint from a person about a commissioned service, we hold information about the complaint in our electronic files. This normally includes the identity of the complainant and any other individuals involved in the complaint. It may include special category data about individuals’ health care.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

Before we proceed with handling a complaint we will obtain the explicit, written consent of the patient involved. We ensure they are aware of how and with whom their data may be shared by us, including if they have a representative they wish us to deal with on their behalf.

Data Sharing

Sharing your information with other organisations

We share anonymised information with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. We would not share information about you unless:

•  you have asked us to and given us permission;

•  we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime;

•  it is necessary to protect children and vulnerable adults;

•  a formal court order has been served upon us; and/or

•  it is necessary for the health and safety of others, for example to report an infectious disease like meningitis or measles.

Sharing and linking data

NHS patients and social care service users may receive care and treatment from a number of different places. It is necessary to link this information together to provide the full picture needed to support the activities listed above. In effect, sharing information enables the NHS to improve its understanding of the most important health needs and the quality of the treatment and care we provide to you.

We have entered into contracts with other NHS organisations to provide some services to us. This includes processing data on our behalf, including patient information, and providing Human Resources services for our staff. In these instances, we ensure that our partner agencies have contracts which set out that your information is processed under strict conditions and in line with the law. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure, and the CCG is responsible for ensuring that their staff are appropriately trained and that technical and operational procedures are in place to keep information secure and protect privacy.

Disclosure of Information

We will not disclose your information to organisations or individuals that are not involved in your care without your permission, unless there are exceptional circumstances or a legal obligation, such as:

 • there is a risk of harm to someone or the wider community;

 • the prevention or detection of a serious crime;

 • where we are required to do so by law;

 • reporting some infectious diseases.

In the event that we are obligated to release information as described above, this will only be done with the approval of our Caldicott Guardian.

Information Security

Keeping information secure and confidential

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to ensure the information we hold is secure, such as holding information in secure locations, restricting access to information to authorised personnel, and protecting personal and confidential information held on equipment such as laptops with encryption.

Unless required to do so by law, we will not share, sell or distribute any of the information you provide to us with any third party organisations/individuals without your explicit consent.

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing.

This person is called the *Caldicott Guardian; in NHS Salford CCG this is Francine Thorpe.

Where is your data processed and how is it held and destroyed?

Your data is processed within the CCG and by the other third parties stated above, all of whom are UK based.

Processing outside of the UK

As detailed in the invoice validation section, NHS Shared Business Services uses an offshore service provider, Sopra Steria, which is based in India. NHS SBS has confirmed that Sopra Steria has met the necessary information governance standards to process data overseas.

We will not disclose any health information without an appropriate lawful basis, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out statutory functions, e.g. reporting to external bodies to meet legal obligations.

Data Retention

The CCG holds data in accordance with the retention schedule in the Records Management Code of Practice for Health and Social Care 2016.

Please see:

https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

Destruction

Destruction of data will only happen following a “review” of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:

  • To ensure that information held in manual form (regardless of whether original or printed from IT systems) is destroyed using a cross-cut shredder or subcontracted to a reputable confidential waste company (as identified in the table below) that complies with European Standard EN 15713.
  • To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current national cyber security standards.
  • To ensure that any arrangement made to sub-contract secure disposal services from another provider complies with the NHS Standard Contract, with assurance that the sub-contractor's organisational and technical security measures comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

What are your rights over your personal data?

You have the following rights over the data we hold about you.

Right of Access

You are entitled to view, or ask for a copy of, the information the CCG holds about you; this is known as a Subject Access Request. We ask that you make your request in writing or by email, with identification, and provide enough information to help us process your request. If we need further information, we will ask you to provide it.

There is no charge (subject to exemptions) to have a copy of the information held about you.

The CCG holds a limited amount of healthcare data, as detailed above. To request access to GP records, please contact your GP practice; to request access to hospital records, please contact the hospital you attended for treatment or care.

You should also be aware that in certain circumstances your right to see some details in your health records held by the CCG may be withheld. This may be because releasing the information could cause serious harm to your physical or mental health, or because the records contain third-party information that cannot be released.

To request a copy of, or access to, information we hold about you, and/or to request that information be corrected if it is inaccurate, please contact:

NHS Salford Clinical Commissioning Group
St James House
Pendleton Way
Salford
M6 5FW

Requests are handled in line with our Subject Access Requests (SAR) Procedure.

If posted, please ensure the request is marked private and confidential and addressed to the CCG SAR Lead.

Right to Rectification

You have the right to have your personal data corrected when it is incorrect, out of date or incomplete; we must act on such a request within one calendar month of receipt. Please ensure the CCG has the correct contact details for you.

Right to Erasure (‘forgotten’)

Where the processing we do relies on your explicit consent, you have the right to withdraw that consent at any time and to request that the data be deleted or erased. Please note this will not apply where healthcare data is processed.

Right to Data Portability

Where the processing we do relies on your explicit consent, you have the right to have the data provided to you in a format you have requested, such as an Excel spreadsheet or a CSV file.

Right not to be subject to a decision based solely on automated processing

The CCG does not process data using this method, so this right will not apply to our data processing activities.

Right to object to processing

You have the right to object to processing. However, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, rights and freedoms, then processing can continue. If we did not process any information about you and your health care (where the CCG processes health data), it would be very difficult for us to care for and treat you.

Objections to processing for secondary purposes

The NHS Constitution states that "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".

In line with this, there are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. Please note that choosing not to share your information may have an impact on your care, and that by sharing your information you can help to improve NHS services and the experience of treatment and care for all patients.

How to opt out

If you do not want your personal information being shared and used for purposes other than your care and treatment, then you should contact.

More information can be found on the link: https://www.nhs.uk/your-nhs-data-matters/

This should not affect the care and treatment you receive.

Information directly collected by the CCG

If you wish for the CCG to stop processing information about you (in any of the ways detailed above) please contact the CCG on:

Email: salccg.involve@nhs.net

(Please note this email account is accessed by a number of personnel, so please consider the information you provide when contacting us.)

Data Protection Register / ICO Notification

The CCG is a Data Controller under the terms of the data protection legislation and is legally responsible for ensuring that all personal information we process is handled in compliance with the law. All data controllers must notify the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights, of their personal information processing activities.

Salford CCG has notified the ICO, and our ICO Notification number is ZA008141; you can view this notification on the ICO website at www.ico.org.uk.

Complaints / Contacting the Regulator

If you feel that the personal data we hold at the CCG has not been handled correctly, or you are unhappy with our response to any request you have made to us regarding the use of your personal data, please contact our Data Protection Officer using the contact details below. Under GDPR all public bodies must nominate a Data Protection Officer. The DPO is responsible for advising on compliance, training and awareness, and is the main point of contact with the Information Commissioner.

Data Protection Officer

Head of Business Information and Information Technology
Email: salccg.dpo.salfordccg@nhs.net
Salford CCG
St James House
Salford
M6 5FW

Questions or Concerns

If you have any questions or concerns regarding the information we hold on you or the use of your information, please contact us at:

Senior Corporate Services Officer
NHS Salford Clinical Commissioning Group
St James House
Pendleton Way
Salford
M6 5FW

Email: SALCCG.PatientServices@nhs.net

To contact the Caldicott Guardian, please contact us at: salccg.involve@nhs.net

(Please note this email account is accessed by a number of personnel, so please consider the information you provide when contacting us, and state that the email is for the Caldicott Guardian of Salford CCG.)

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Definitions

Personal Confidential Data

Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or secret and includes dead as well as living people.

The review interpreted 'personal' as including the Data Protection Legislation definition of personal data, but included data relating to the deceased as well as living people, and 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is adapted to include 'sensitive' as defined in the Data Protection Legislation.
Pseudonymisation

Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode or date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. It allows records for the same patient from different sources to be linked to create a complete longitudinal record of that patient’s condition, history and care.
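As an added illustration of the process described above (example code written for this page, not part of the CCG's notice or of any NHS system), the following Python shows one common way to do it: a keyed hash (HMAC-SHA256) replaces the NHS number with a token that is the same in every source processed under the same key, so a GP extract and a hospital extract can be linked, while the NHS number, date of birth and postcode themselves are removed. The records, the field names and the demo key are constructed for the example; the NHS number check-digit rule (modulus 11) is the real one, included so that a mistyped number is rejected rather than silently becoming an unlinkable token.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key. In a real deployment the key lives in a key management
# service, is held by the data controller, and is never given to the analysts
# who work with the pseudonymised data: whoever holds it can re-identify.
DEMO_KEY = b"demo-key-not-for-production"

# Direct identifiers dropped from each record before it leaves the controller.
# Only the NHS number feeds the pseudonym, so the other two fields cannot be
# recovered from the token even by someone who holds the key.
DIRECT_IDENTIFIERS = ("nhs_number", "date_of_birth", "postcode")


def normalise_nhs_number(raw: str) -> str:
    """Return the 10-digit NHS number with formatting removed, or raise ValueError.

    Different sources write the same number as '943 476 5919' or '9434765919';
    without normalisation the two would hash to different tokens and the
    patient's records would fail to link.
    """
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 10:
        raise ValueError(f"NHS number must have 10 digits: {raw!r}")
    # Modulus-11 check digit: weights 10..2 over the first nine digits.
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10 or check != int(digits[9]):
        raise ValueError(f"NHS number fails its check digit: {raw!r}")
    return digits


def pseudonymise(nhs_number: str, key: bytes) -> str:
    """Keyed hash of the NHS number (HMAC-SHA256).

    Same number + same key -> same token across every source, which is what
    makes linkage work. Without the key a token can neither be reversed nor
    recomputed; a plain SHA-256 of the number is deliberately not used, since
    anyone could brute-force it over the roughly 10^9 valid NHS numbers.
    """
    digits = normalise_nhs_number(nhs_number)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifiers in each record with a pseudonym."""
    out = []
    for rec in records:
        rec = dict(rec)
        token = pseudonymise(rec["nhs_number"], key)
        for field in DIRECT_IDENTIFIERS:
            rec.pop(field, None)
        rec["pseudonym"] = token
        out.append(rec)
    return out


def link_by_pseudonym(*sources: list[dict]) -> dict[str, list[dict]]:
    """Group pseudonymised records from several sources into one list per patient."""
    linked = defaultdict(list)
    for recs in sources:
        for rec in recs:
            linked[rec["pseudonym"]].append(rec)
    return dict(linked)


# Constructed sample extracts from two sources (not real patient data).
GP_RECORDS = [
    {"source": "gp", "nhs_number": "943 476 5919", "date_of_birth": "1970-01-01",
     "postcode": "M6 5FW", "event": "diabetes review"},
    {"source": "gp", "nhs_number": "4010232137", "date_of_birth": "1985-06-30",
     "postcode": "M5 4WT", "event": "asthma review"},
]
HOSPITAL_RECORDS = [
    {"source": "hospital", "nhs_number": "9434765919", "date_of_birth": "1970-01-01",
     "postcode": "M6 5FW", "event": "A&E attendance"},
]


def demo() -> dict[str, list[dict]]:
    """Pseudonymise both extracts under the same key and link them."""
    return link_by_pseudonym(
        pseudonymise_records(GP_RECORDS, DEMO_KEY),
        pseudonymise_records(HOSPITAL_RECORDS, DEMO_KEY),
    )


if __name__ == "__main__":
    for token, events in demo().items():
        print(token[:12], [(e["source"], e["event"]) for e in events])
```

The key is the re-identification secret: anyone holding it can recompute a token from an NHS number, so it must be kept with the controller and away from the people who receive the linked data. That is also why pseudonymised data is still personal data under GDPR (Article 4(5) and Recital 26): re-identification remains possible for the key holder, so the confidentiality and sharing rules in this notice still apply to it.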
Caldicott Guardian

The Caldicott Guardian is the senior person in each NHS organisation, and in the CCG, responsible for protecting the confidentiality of patient and service user information and enabling appropriate and lawful information-sharing. There are specific processes which are followed to ensure the continuing security and confidentiality of the information, and we are obliged to tell you that we have shared your information in all but very exceptional circumstances.


Useful resources and information