How we use your information
Who we are and what we do
We use patient information to enable us to understand how patients use services and the care and treatment required so we can ensure we commission high-quality safe care that is both clinically and cost-effective.
This Privacy Notice sets out how we use this information in the best possible way. For specific uses, data sources and the legal basis for data processing, see our uses of information.
This notice summarises how we use your information.
It is part of how we ensure we are open and transparent how we collect and use information about you. It covers information we collect directly from you or receive from other individuals or organisations.
We will keep our privacy notice under regular review. This privacy notice was last reviewed in June 2023.
You can contact us if you have any questions or concerns about how we use your information.
Personal information we collect and hold
We do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
- if you have made a complaint to us about healthcare that you have received, and we need to investigate
- if you ask us to provide funding for Continuing Healthcare services
- if you are using our referral support service
- if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
- if you ask us to keep you regularly informed and up-to-date about the work of the ICB, or if you are actively involved in our engagement and consultation activities or service user groups.
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you, or from health professionals and other staff directly involved in your care and treatment.
The data may relate to Primary or Secondary care. Primary Care data relates to primary care services such as GPs, pharmacists and dentists, including military health services and some specialised services. Secondary care services include planned hospital care, rehabilitative care, urgent and emergency care community health services, mental health services and learning disability services.
Our records may be held on paper or in a computer system. The types of information that we collect and use include:
- Personal data: is defined in Data Protection Legislation as data or information about a living person, which also identifies that person or allows that person to be identified when combined with other information held by the organisation. Identifying information includes name, address, date of birth, postcode and NHS number.
- Special Category Data: is defined in Data Protection Legislation as information about an identifiable individual’s: race, ethnic origin. Politics, religion, trade union membership, genetics, biometrics, health, sex life, sexual orientation. Criminal offence data will also be included.
- Confidential Information: including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ this also includes ‘special category data’ as defined in the Data Protection Legislation.
- Pseudonymised Information: this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
- Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification.
For specific uses, data sources and the legal basis for data processing, see our uses of information.
How do we use your information and what safeguards are in place?
We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK General Data Protection Regulation and Data Protection Act 2018 (Data Protection Legislation).
Bristol, North Somerset and South Gloucestershire ICB is a Data Controller under the terms of the Data Protection Legislation. We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is processed in compliance with the Data Protection Principles.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential.
The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and support your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We only share information that identifies you when we have a fair and lawful basis.
This includes:
- for the purposes of the provision of health or social care or treatment or the management of health or social care systems
- when we are lawfully able to for example in order to carry out our official functions as an ICB and in the public interest
- when we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
- to protect children and vulnerable adults
- you have given us permission
- when a formal court order has been served
- emergency planning reasons such as for protecting the health and safety of others
- when permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals.
Where we have a legal basis for sharing and using data without consent we will do so, this notice informs individuals about their information is shared.
We will only share and use the minimum amount of information necessary is perform our duties. All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to keep information secure including procedures and encryption. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. Our staff have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only keep information in accordance with the schedules set out in the Records Management Code of Practice 2021. When appropriate we will confidentially and securely dispose of information in accordance with the Code of Practice.
Overseas transfers
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
What are your rights?
You have the right to privacy and to expect the NHS to keep your information confidential and secure. Under UK GDPR you have specific legal rights. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Your right to opt out of data sharing and processing
The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’.
Type 1 opt-out
If you do not want personal confidential information that identifies you to be shared outside your GP practice, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.
National data opt-out
The National data opt-out enables individuals to opt-out from the use of their data for research or planning purposes. Your national data opt-out choice can be viewed or changed at any time by using an online service.
There are some circumstances where there is a legal obligation for us to process your personal confidential information and you will not be able to opt-out. These include:
- to protect children and vulnerable adults
- when a formal court order has been served upon us
- when we are lawfully required to report certain information to the appropriate authorities e.g., to prevent fraud or a serious crime
- emergency planning reasons such as for protecting the health and safety of others
- when permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals
Your Right of Access: Subject access requests
Individuals can find out if we hold any personal information by making a subject access request under the Data Protection legislation. If we do hold information about you, we will:
- confirm that we are processing your personal data
- provide a copy of your personal information
- provide additional information, such as the reason why we hold your information, who we may have shared information with, how long we hold information.
If you would like to receive a copy of information, we hold about you your please contact us:
Post: NHS Bristol, North Somerset and South Gloucestershire ICB, Floor 2, North Wing, 100 Temple Street, Bristol, BS1 6AG
Email: bnssg.foi@nhs.net
Confidentiality advice and support
We have a Caldicott Guardian who is a senior member of staff responsible for protecting the confidentiality of service users and their information, as well as enabling appropriate and lawful information-sharing. If you need advice or support about data protection please contact us.
Data Protection Impact Assessments
We routinely completed Data Protection Impact Assessments (DPIAs) which helps us to identify, assess and mitigate or minimise privacy risks with our data processing activities. DPIAs particularly relevant when a new data processing process, system or technology is being introduced. Details of our DPIAs are available on request from our Data Protection Officer (bnssg.data.protection@nhs.net).
Complaints and suggestions
We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures. Please see our Customer Services page for more information.
The Bristol, North Somerset and South Gloucestershire ICB Data Protection Officer is Chris Waller who can be contacted by email at bnssg.data.protection@nhs.net
You can contact the Information Commissioner’s Office (ICO) for independent advice about data protection, privacy and data-sharing issues.
Post: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 08456 30 60 60 or 01625 54 57 45
Please contact us if you have any questions or concerns about how we use your information.
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office (ICO). You can also complain directly to the ICO.
Further information
You can find further information about how the NHS uses personal confidential data and your rights in:
- The NHS Care Record Guarantee
- The NHS Constitution for England
- An independent review of information about service users is shared across the health and care system led by Dame Fiona Caldicott was conducted in 2012. The report is called Information: To share or not to share?
- The Information Governance Review
- Please visit the NHS Digital website for further information about their work. The Guide to Confidentiality provides a useful overview of the subject.
- The Information Commissioner’s Office is the Regulator for the UK General Data Protection Regulation and Data Protection Act 2018.
- The NHS Health Research Authority (HRA) protects and promotes the interests of patients and the public in health and social care research.
You have the right to be informed of to be informed of automated decision making and profiling. Please see details of Risk Stratification below which explains any profiling that may take place, there is no automated decision making, no decision is taken about any individual without human intervention of the information.