Our uses of information
These are the key scenarios when we might use your data and information, the reason we do so and some information about how we go about using it.
Complaints
What we do
When we receive a complaint from somebody we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service being provided. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, in some cases it might not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
We will rely on our public duty to process your personal data for the purpose of managing a complaint you make to us.
Funding treatments
What we do
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This might be called an Exceptional Funding Request (EFR).
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process. They’ll tell you what we need in order for us to assess your needs and commission your care, and will gain your agreement to engage in the process. We rely on our public task, GDPR Article 6(1)(e) and Article 9(2)(h) – management of health and social care services as our legal basis for processing your information where an application is made for treatment.
Continuing Healthcare (CHC)
What we do
We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages. This is also relevant for Funded Nursing Care (FNC) which follows a similar process.
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your agreement to engage with the process. In relation to processing of your personal data, we rely on the public task of the ICB to commission the Continuing Healthcare function for the population of Bristol, North Somerset and South Gloucestershire. GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services.
The Funded Care Team have commissioned Midlands and Lancashire Commissioning Support Unit to undertake new assessments for the ICB.
Safeguarding
What we do
We collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
The ICB has a statutory duty to undertake safeguarding activity, for example to protect the safety and welfare of vulnerable children and adults. We will rely on the public task legal basis to process personal data for this purpose. GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care.
Summary Care Records
What we do
The NHS uses an electronic record called the Summary Care Record (SCR) to support patient care. The SCR is a copy of important information from your GP record. It provides authorised care professionals with faster, secure access to essential information about you when you need care. A log is updated whenever a care professional accesses your SCR.
What we use
Data Type
Personal Confidential Data – Primary Care Data
Legal Basis
ICB staff will only access Summary Care Records in very limited circumstances. The legal basis for access to information for these functions is public task, GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services.
Risk Stratification
What we do
Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. Typically, this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease.
What we use
Data Type
Personal Confidential Data and Pseudonymised – may include Primary and Secondary Care Data
Legal Basis
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
The use of identifiable data by ICBs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to September 2020.
The GDPR legal basis for this activity is public task of the ICB, Article 6(1)(e) and 9(2)(h) – management of health and social care services.
Commissioning Benefits
NHS England encourages ICBs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.
Knowledge of the risk profile of our population will help us to commission appropriate preventative services and to support quality improvement in partnership with our GP practices.
Data Processing activities for Risk Stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission.
We will use pseudonymised information to understand the local population needs. GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
Risk Stratification involves profiling, but there is no automated decision making; no decision is taken about any individual without a ‘human view’ of the information.
We have commissioned South, Central & West Commissioning Support Unit (SCWCSU) to conduct risk stratification on behalf of itself and its GP practices.
We use the South, Central and West Commissioning Support Unit as our data processors for risk stratification. They use the following steps:
- we ask NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and sign an NHS Digital data-sharing contract for the SUS (secondary care/hospital) data.
- South, Central and West Commissioning Support Unit uses a nationally validated formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to South, Central and West Commissioning Support Unit.
- the risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.
- this portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.
The ICB also commissions third party analytic partners (Prescribing Services Ltd and One Care) to conduct risk stratification on behalf of itself and its GP practices. Data is extracted from your GP’s clinical computer system, automatically processed and only your GP is able to view the outcome, matching results against patients on their system. The ICB has implemented strict security controls to protect your confidentiality.
If you do not wish for information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Invoice processing
What we do
A small amount of information that could identify you is used within a secure area, known as a Controlled Environment for Finance (CEfF). This is so that the organisations that have provided you with care or treatment are reimbursed correctly – known as Invoice Validation. This controlled area is within the ICB.
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data
Legal Basis
A Section 251 exemption enables us to process patient identifiable information without patient consent for the purposes of invoice validation.
Section 251 applications are approved by the Secretary of State for Health, who imposes tight conditions on what information can be processed and by whom.
On behalf of ICBs, NHS England made a Section 251 application, which was approved by the Secretary of Health for invoice validation, and extended until September 2025 to allow time for systems to be established to ensure that personal confidential data is processed lawfully.
Section 251 approval means we rely on the GDPR public task legal basis for this processing activity. Articles 6(1)(e) and 9(2)(h) – management of health and social care services.
Commissioning Benefits
Where we pay for care we may ask for evidence before paying. In such instances, we may use your personal confidential data to ensure that we are paying the right organisation the right amount for the right service(s) to the right people.
Processing Activities
We take relevant organisational and technical measures to ensure the information we hold is secure, restricting access to information to authorised personnel and protecting personal/confidential information held on equipment such as computers with passwords/encryption. We use the minimum amount of information about you and we’ll only use personal identifiable information when absolutely necessary.
NHS Shared Business Services (SBS), based in Wakefield, are involved in the processing of the majority of our invoices on a daily basis.
You can find out more about them at Shared Business Services.
SBS provide this service via a contract with NHS England, which requires them to meet information governance standards.
SBS receive invoices from suppliers of goods and services to process on behalf of the ICB. They do not need and should not receive any patient confidential data to do this.
For other invoices, the invoice validation process may currently involve us occasionally using your name or initials.
Where possible, we use GP Practice codes (each GP Practice has one and use of this confirms services are being provided to our patients) and/or another agreed identifier which does not include personal confidential data.
Commissioners, like us, have a duty to detect, report and investigate any incidents where there has been a breach of confidentiality. If we receive any invoices which include personal confidential data we have a responsibility to work with suppliers to ensure that the invoices do not breach patient confidentiality.
NHS England has published guidance on how invoices must be processed.
Patient and public involvement
What we do
If you have asked us to keep you informed and up to date about our work or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us. We will only use your information for involvement purposes. You can opt out at any time by contacting us.
In situations where the ICB uses the SurveyMonkey survey platform to involve people and communities in its work, data will be temporarily stored in the United States (US). This is a result of the SurveyMonkey platform being based in the US. A Data Processing Agreement (DPA) is in place between the ICB and SurveyMonkey.
What we use
Data Type
Personal Confidential Data – may include minimal Primary and Secondary Care Data that you have provided to us.
Legal Basis
We will rely on your consent for this purpose.
The Referral Service
What we do
The Referral Service is a team of local clinicians and administrators who support your GP in finding the best care available for you. The Service will process information about patients in order to advise GPs, make referrals and suggest treatments.
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
Our legal basis for processing information for this purpose is public task, as it is directly linked to the provision of care. Wherever possible, the clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to provide this service.
The GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services is relied upon to cover this activity.
Connecting Care
What we do
Connecting Care is a local, electronic record allowing health and social care professionals who are directly involved in your care to share a summary of information about you. It enables them to coordinate your care more efficiently.
Connecting Care contains Personal Confidential Data which is only available in health settings across Bristol, North Somerset and South Gloucestershire. It can only be accessed by authorised staff with a legitimate legal basis.
Connecting Care only shares:
- who is involved in your care
- any allergies you have
- your medications
- recent appointments you have attended
- diagnoses
Connecting Care has been established in order to share important health and social care information to support the care of the wider Bristol population. Your contact with local Connecting Care NHS Partner Organisations may result in them seeking your consent to participate in a research study. Where you have consented to participate in such a study, the research team may access the information held by GPs and Hospital Trusts through Connecting Care to ensure that your participation (or those that you are responsible for) will not put you at risk of increased harm, and is suitable for the aims of the study. If you later choose to withdraw from the study, the research team will discuss the use of your information with you. As part of the consent process, the research team will inform you of the information they would seek access to.
Connecting Care will also be used to carry out the ICB obligation to carry out Disease and Infection Control surveillance.
Further information is available on the Connecting Care Website
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
Within the ICB we will only access information on Connecting Care for direct care, disease surveillance and safeguarding purposes or for the management of health services. Therefore we will rely on a statutory basis rather than consent to process information for this use. The GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services is relied upon to cover this activity.
Commissioning
What we do
We collect NHS data about service users that we are responsible for to inform what we commission. Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS England about services provided to our service users.
This information is generally known as commissioning datasets. The ICB obtains these datasets from NHS England and they relate to service users registered with GP Practices that are members of the ICB. See also Population Health Management below.
What we use
Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.
Legal Basis
Our legal basis for collecting and processing information for this purpose is having a statutory duty. We rely on our public task UK GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services.
Processing Activities
These datasets are used in a format that does not directly identify you. They’re used for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.
They include information about the service users who have received care and treatment from those services that we are responsible for funding. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included. This includes GP Data for Pandemic Planning and Research which is received from NHS Digital.
The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found at NHS Digital.
We also receive similar information from primary care providers (e.g. GP Practices, out of hours GP services) within our ICB membership that does not identify you. We use these datasets for a number of purposes such as:
- performance managing contracts
- reviewing the care delivered by providers to ensure quality and cost effective care
- to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement
- to help us plan and evaluate future services to ensure they meet our local population needs
- to reconcile claims for payments for services received in your GP Practice
- to audit NHS accounts and services.
For specific pieces of commissioning focussed work, pseudonymised data may also be shared with University of Bristol, University of Bath and University West of England. This data will not identify you and will only be used for purposes agreed with and determined by the ICB.
If you do not wish your information to be included in these datasets – even though it does not directly identify you – please contact your GP Practice and they can apply a code to your records that will stop your information from being included.
Population Health Management
What we do
Linked to our commissioning activities is population health management, which is an approach aimed at improving the health of an entire population. It is about improving the physical and mental health outcomes and wellbeing of people, whilst reducing health inequalities within and across a defined population. It helps to reduce the occurrence of ill-health, including addressing wider determinants of health, and requires working with communities and partner agencies.
What we use
Population health management links data from primary, secondary, community and social care to understand population health more effectively. This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information in order to offer this service to you.
In order to carry out this data linkage, your pseudonymised data will be passed to the ICB, who will link this to other local and national data sources to be able to carry out appropriate analyses. These linked datasets will also be securely shared with Optum Healthcare Ltd. (contracted by NHS England), to carry out any further analysis needed to support improvements to the local population’s health and to target health and social care resources effectively.
Only a small number of staff based within these UK-based organisations will be able to access this data and, as this will be pseudonymised in accordance with the ICO Code of Practice, no one will be able to identify you within these organisations.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
For specific pieces of work, pseudonymised data will also be shared with Universities and OneCare (GP Federation). Only the minimum information necessary will be shared; this data will not identify you and will only be used for purposes agreed with and determined by the ICB.
Find out more about population health management or register your choice to opt out.
Legal basis
Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.
When other organisations provide support services
What we do
We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:
- NHS South, Central and West Commissioning Support Unit: Risk Stratification, Invoice Validation, Commissioning Intelligence analysis (add value to the analyses of data that does not directly identify individuals), HR and IT services
- Grant Thornton: Audit our accounts and services (add value to the analyses of data that does not directly identify individuals)
- NHS Litigation Authority: Claims Management (we rely on your consent)
- NHS Property Services / ShredIt: Confidential Waste Disposal Company used by the ICB to shred information in a secure environment
- NHS Shared Business Service: Invoice Validation (see page 10)
- Bristol City Council, North Somerset Council and South Gloucestershire Council: Jointly commission services, safeguarding (individuals not identified).
- North Bristol Trust: Payroll
- Medigold: Occupational Health Services
- CHS Healthcare: Use of their software Caretrac – NHS Continuing Healthcare (CHC)
What we use
Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.
Legal Basis
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. These organisations can only use your information for the service we have contracted them for. They cannot use it for any other purpose. We rely on our public task duties as our GDPR legal basis for the activities described below. Articles 6(1)(e) and 9(2)(h) – management of health and social care.
National registries
What we do
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.
Research
What we do
Sometimes crucial research projects use information about patients to help inform studies. This information would never reveal who you are. Researchers provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.
Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.
Legal Basis
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.
Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.
Processing Activities
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.
If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.
Employment (People working for Bristol, North Somerset and South Gloucestershire ICB)
Data Type
Personal confidential data including special categories of personal data.
Legal Basis
Bristol, North Somerset and South Gloucestershire ICB relies upon the contractual relationship between employer and employee as its legal basis to process the personal data of its employees.
The GDPR legal basis is covered by Article 6(1)(b) – performance of a contract and Article 9(2)(b) – obligations and rights of the controller in the field of employment. Article 6(1)(e) gives the ICB a lawful basis for processing where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for the specific requirement to undertake a Fit and Proper test for all Board members.
Processing Activities
Personal data as described above is processed for the purpose of fulfilment of employment contracts between employees and the ICB. This includes, but is not limited to, activity covering payroll, publication of employee declarations of interest, publication of employee gift, hospitality and sponsorship declarations, performance, workforce reporting, business continuity and planning.
Information may be disclosed to NHS England, the Care Quality Commission, prospective workers, and professional organisations as necessary for the specific requirement to conduct Fit and Proper tests.
Find out more or register your choice to opt out
Legal basis
Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.
Recording Telephone Conversations
What we do
Within certain departments telephone call recording is operational. This is in order to monitor the quality of call handling and customer service and to facilitate staff training; recordings may also be used to verify what was said in case of a dispute or complaint. Where the facility is live, incoming callers will be made aware by a message that will be played at the start of the call.
What we use
Data Type
Personal Confidential Data – may include any information discussed.
Legal Basis
Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.
National Fraud Initiative (NFI)
What we do
NHS Bristol, North Somerset and South Gloucestershire ICB is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud as part of its responsibility for public sector efficiency and reform. Part 6 of the Local Audit and Accountability Act 2014 enables the Cabinet Office to process data as part of the National Fraud Initiative (NFI).
Bristol, North Somerset and South Gloucestershire ICB is a mandatory participant of the NFI, which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise, and these are set out in the Cabinet Office’s guidance, which can be found at https://www.gov.uk/guidance/taking-part-in-national-fraud-initiative.
Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information, NHS Pensions and ICB creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
Further information on the NFI privacy notice can be found at National Fraud Initiative privacy notice – GOV.UK (www.gov.uk).
For further information on data matching at NHS Bristol, North Somerset and South Gloucestershire ICB contact Sarah Smith, Local Counter Fraud Specialist:
Telephone: 07467 685 609
Email: sarah.smith337@nhs.net
Legal Basis
Bristol, North Somerset and South Gloucestershire ICB’s legal basis to process this data is set out in Article 6 (c) of the General Data Protection Regulation (GDPR) “processing is necessary for compliance with a legal obligation to which the controller is subject”.
Pharmacy, Opticians and Dental (POD)
What we do
From 1 April 2023, the ICB has taken on delegated responsibility for pharmaceutical, general ophthalmic and dental (POD) services. In carrying out these responsibilities we will process personal information about contractors, clinicians and in certain cases patients (e.g. complaints). This information is also commercial.
We require this information to perform a number of activities including contract management, recruitment, complaints handling and financial management.
Up until 1st July 2023 we will be working with NHS England (our Data Processor) to provide services on our behalf.
What we use
Data Type
Personal Confidential Data – may include Primary Care Data.
Legal Basis
We will rely on our public duty to process your personal data for the purpose of delegated responsibility for POD.
Disease surveillance/Infection Control
What we do
The ICB has an obligation to carry out Disease and Infection Control surveillance. The surveillance reports produce actions and lessons learnt that support direct improved care of patients, continuously improve the safety of patients and focus on clinical learning. This will require personal confidential patient information to be processed with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing any outbreaks.
What we use
Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.
Legal Basis
We rely on our public task, Article 6(1)(e) and Article 9(2)(h) – management of health and social care services as our legal basis for processing your information.
In addition, the Health Service (Control of Patient Information) Regulations 2002 (Paragraph 3) enable the lawful processing of patient information in relation to diagnosing, recognising trends, controlling, preventing, monitoring and managing communicable diseases and other risks to public health. See also Mandatory healthcare associated infection surveillance: data quality statement – GOV.UK (www.gov.uk).
This information was last updated in October 2023.