Our uses of information

These are the key scenarios when we might use your data and information, the reason we do so and some information about how we go about using it.

Complaints

What we do

When we receive a complaint from somebody we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, in some cases it might not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

We will rely on our public duty to process your personal data for the purpose of managing a complaint you make to us.

Funding treatments

What we do

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This might be called an Exceptional Funding Request (EFR).

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process. They’ll tell you what we need in order for us to assess your needs and commission your care, and will gain your agreement to engage in the process. We rely on our public task, GDPR Article 6(1)(e) and Article 9(2)(h) – management of health and social care services as our legal basis for processing your information where an application is made for treatment.

Continuing Healthcare (CHC)

What we do

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages. This is also relevant for Funded Nursing Care (FNC) which follows a similar process.

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your agreement to engage with the process. In relation to processing of your personal data, we rely on the public task of the ICB to commission the Continuing Healthcare function for the population of BNSSG. GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services.

Safeguarding

What we do

We collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

The ICB has a statutory duty to undertake safeguarding activity, for example to protect the safety and welfare of vulnerable children and adults. We will rely on the public task legal basis to process personal data for this purpose. GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care.

Summary Care Records

What we do

The NHS uses an electronic record called the Summary Care Record (SCR) to support patient care. The SCR is a copy of important information from your GP record. It provides authorised care professionals with faster, secure access to essential information about you when you need care. A log is updated whenever a care professional accesses your SCR.

What we use

Data Type

Personal Confidential Data – Primary Care Data

Legal Basis

ICB staff will only access Summary Care Records in very limited circumstances. The legal basis for access to information for these functions is public task, GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services.

Risk Stratification

What we do

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. Typically, this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease.

What we use

Data Type

Personal Confidential Data and Pseudonymised – may include Primary and Secondary Care Data

Legal Basis

We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

The use of identifiable data by ICBs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to September 2020.

The GDPR legal basis for this activity is public task of the ICB, Article 6(1)(e) and 9(2)(h) – management of health and social care services.

Commissioning Benefits

NHS England encourages ICBs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

Knowledge of the risk profile of our population will help us to commission appropriate preventative services and to support quality improvement in partnership with our GP practices.

Data Processing activities for Risk Stratification

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission.

We will use pseudonymised information to understand the local population needs. GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

Risk Stratification involves profiling, but there is no automated decision making; no decision is taken about any individual without a ‘human view’ of the information.

We have commissioned South, Central & West Commissioning Support Unit (SCWCSU) to conduct risk stratification on behalf of itself and its GP practices.
We use the South, Central and West Commissioning Support Unit as our data processors for risk stratification. They use the following steps:

  • we ask NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and sign an NHS Digital data-sharing contract for the SUS (secondary care/hospital) data.
  • South, Central and West Commissioning Support Unit uses a nationally validated formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to South, Central and West Commissioning Support Unit.
  • the risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.
  • this portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish for information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Invoice processing

What we do

A small amount of information that could identify you is used within a secure area, known as a Controlled Environment for Finance (CEfF). This is so that the organisations that have provided you with care or treatment are reimbursed correctly – known as Invoice Validation. This controlled area is within the ICB.

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data

Legal Basis

A Section 251 exemption enables us to process patient identifiable information without patient consent for the purposes of invoice validation.

Section 251 applications are approved by the Secretary of State for Health, who imposes tight conditions on what information can be processed and by whom.

On behalf of ICBs, NHS England made a Section 251 application, which was approved by the Secretary of Health for invoice validation, and extended until September 2020 to allow time for systems to be established to ensure that personal confidential data is processed lawfully.

Section 251 approval means we rely on the GDPR public task legal basis for this processing activity. Articles 6(1)(e) and 9(2)(h) – management of health and social care services.

Commissioning Benefits

Where we pay for care we may ask for evidence before paying. In such instances, we may use your personal confidential data to ensure that we are paying the right organisation the right amount for the right service(s) to the right people.

Processing Activities

We take relevant organisational and technical measures to ensure the information we hold is secure, restricting access to information to authorised personnel and protecting personal/confidential information held on equipment such as computers with passwords/encryption. We use the minimum amount of information about you and we’ll only use personal identifiable information when absolutely necessary.

NHS Shared Business Services (SBS), based in Wakefield, are involved in the processing of the majority of our invoices on a daily basis.

You can find out more about them at Shared Business Services.

SBS provide this service via a contract with NHS England, which requires them to meet information governance standards.

SBS receive invoices from suppliers of goods and services to process on behalf of the ICB. They do not need and should not receive any patient confidential data to do this.
For other invoices, the invoice validation process may currently involve us occasionally using your name or initials.

Where possible, we use GP Practice codes (each GP Practice has one and use of this confirms services are being provided to our patients) and/or another agreed identifier which does not include personal confidential data.

Commissioners, like us, have a duty to detect, report and investigate any incidents where there has been a breach of confidentiality. If we receive any invoices which include personal confidential data we have a responsibility to work with suppliers to ensure that the invoices do not breach patient confidentiality.

NHS England has published guidance on how invoices must be processed.

Patient and public involvement

What we do

If you have asked us to keep you informed and up to date about our work or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us. We will only use your information for involvement purposes. You can opt out at any time by contacting us.

In situations where the ICB uses the SurveyMonkey survey platform to involve people and communities in its work, data will be temporarily stored in the United States (US). This is a result of the SurveyMonkey platform being based in the US. A Data Processing Agreement (DPA) is in place between the ICB and SurveyMonkey. SurveyMonkey are also registered with US Privacy Shield which provides adequate protection to allow personal data to be transferred to the United States.

What we use

Data Type

Personal Confidential Data – may include minimal Primary and Secondary Care Data that you have provided to us.

Legal Basis

We will rely on your consent for this purpose.

The Referral Service

What we do

The Referral Service is a team of local clinicians and administrators who support your GP in finding the best care available for you. The Service will process information about patients in order to advise GPs, make referrals and suggest treatments.

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

Our legal basis for processing information for this purpose is public task, as it is directly linked to the provision of care. Wherever possible, the clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to provide this service.

The GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services is relied upon to cover this activity.

Connecting Care

What we do

Connecting Care is a local, electronic record allowing health and social care professionals who are directly involved in your care to share a summary of information about you. It enables them to coordinate your care more efficiently.
Connecting Care contains Personal Confidential Data which is only available in health settings across Bristol, North Somerset and South Gloucestershire. It can only be accessed by authorised staff with a legitimate legal basis.

Connecting Care only shares:

  • who is involved in your care
  • any allergies you have
  • your medications
  • recent appointments you have attended
  • diagnoses

Connecting Care has been established in order to share important health and social care information to support the care of the wider Bristol population. Your contact with local Connecting Care NHS Partner Organisations may result in them seeking your consent to participate in a research study. Where you have consented to participate in such a study, the research team may access the information held by GPs and Hospital Trusts through Connecting Care to ensure that your participation (or those that you are responsible for) will not put you at risk of increased harm, and is suitable for the aims of the study. If you later choose to withdraw from the study, the research team will discuss the use of your information with you. As part of the consent process, the research team will inform you of the information they would seek access to.

Further information is available on the Connecting Care Website

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

Within the ICB we will only access information on Connecting Care for direct care, safeguarding purposes or for the management of health services. Therefore we will rely on a statutory basis rather than consent to process information for this use. The GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services is relied upon to cover this activity.

Commissioning

What we do

We collect NHS data about service users that we are responsible for to inform what we commission. Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.

This information is generally known as commissioning datasets. The ICB obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the ICB. See also Population Health Management below.

What we use

Data Type

Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis

Our legal basis for collecting and processing information for this purpose is having a statutory duty. We rely on our public task GDPR Article 6(1)(e) and 9(2)(h) – management of health and social care services.

Processing Activities

These datasets are used in a format that does not directly identify you. They’re used for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

They include information about the service users who have received care and treatment from those services that we are responsible for funding. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included. This includes GP Data for Pandemic Planning and Research which is received from NHS Digital.

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found at NHS Digital.

Outcomes Based Healthcare is a company that we are using to process data for these purposes. Outcomes Based Healthcare will feed this data into a dashboard to show, at population level, whether services are meeting patients’ needs.

We also receive similar information from GP Practices within our ICB membership that does not identify you. We use these datasets for a number of purposes such as:

  • performance managing contracts
  • reviewing the care delivered by providers to ensure quality and cost effective care
  • to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement
  • to help us plan future services to ensure they meet our local population needs
  • to reconcile claims for payments for services received in your GP Practice
  • to audit NHS accounts and services.

For specific pieces of commissioning focussed work, pseudonymised data may also be shared with University of Bristol and University West of England. This data will not identify you and will only be used for purposes agreed with and determined by the ICB.

If you do not wish your information to be included in these datasets – even though it does not directly identify you – please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

Population Health Management

What we do

Linked to our commissioning activities is population health management, which is an approach aimed at improving the health of an entire population. It is about improving the physical and mental health outcomes and wellbeing of people, whilst reducing health inequalities within and across a defined population. It helps to reduce the occurrence of ill-health, including addressing wider determinants of health, and requires working with communities and partner agencies.

What we use

Population health management links data from primary, secondary, community and social care to understand population health more effectively. This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information in order to offer this service to you.

In order to carry out this data linkage, your pseudonymised data will be passed to the ICB, who will link this to other local and national data sources to be able to carry out appropriate analyses. These linked datasets will also be securely shared with Optum Healthcare Ltd. (contracted by NHS England), to carry out any further analysis needed to support improvements to the local population’s health and to target health and social care resources effectively.

Only a small number of staff based within these UK based organisations will be able to access this data and as this will be pseudonymised in accordance with the ICO Code of Practice, no one will be able to identify you within these organisations.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

For specific pieces of work, pseudonymised data will also be shared with University of Bristol and University West of England. Only the minimum information necessary will be shared; this data will not identify you and will only be used for purposes agreed with and determined by the ICB.

Find out more about population health management or register your choice to opt out.

Legal basis

Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.

When other organisations provide support services

What we do

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:

What we use

Data Type

Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. These organisations can only use your information for the service we have contracted them for. They cannot use it for any other purpose. We rely on our public task duties as our GDPR legal basis for the activities described below. Articles 6(1)(e) and 9(2)(h) – management of health and social care.

National registries

What we do

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

What we use

Data Type

Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis

Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.

Research

What we do

Sometimes crucial research projects use information about patients to help inform studies. This information would never reveal who you are. Researchers provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Data Type

Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis

Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

Employment (People working for BNSSG ICB)

Data Type

Personal confidential data including special categories of personal data.

Legal Basis

BNSSG ICB relies upon the contractual relationship between employer and employee as its legal basis to process the personal data of its employees.
The GDPR legal basis is covered by Article 6(1)(b) – performance of a contract and Article 9(2)(b) – obligations and rights of the controller in the field of employment.

Processing Activities

Personal data as described above is processed for the purpose of fulfilment of employment contracts between employees and the ICB. This includes, but is not limited to activity covering payroll, publication of employee declarations of interest, publication of employee gift, hospitality and sponsorship declarations, performance, workforce reporting, business continuity and planning.

Find out more or register your choice to opt out

Legal basis

Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.

Recording Telephone Conversations

What we do

Within certain departments telephone call recording is operational. This is in order to monitor the quality of call handling and customer service and to facilitate staff training; recordings may also be used to verify what was said in case of a dispute or complaint. Where the facility is live, incoming callers will be made aware by a message that will be played at the start of the call.

What we use

Data Type

Personal Confidential Data – may include any information discussed.

Legal Basis

Our GDPR legal basis for this activity is Article 6(1)(e) and 9(2)(h) – management of health and social care services.

National Fraud Initiative (NFI)

What we do

NHS Bristol, North Somerset and South Gloucestershire ICB is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud as part of its responsibility for public sector efficiency and reform. Part 6 of the Local Audit and Accountability Act 2014 enables the Cabinet Office to process data as part of the National Fraud Initiative (NFI).

BNSSG is a mandatory participant of the NFI, which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise, and these are set out in the Cabinet Office guidance, which can be found at https://www.gov.uk/guidance/taking-part-in-national-fraud-initiative.

Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information, NHS Pensions and ICB creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Further information on the NFI privacy notice can be found at https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text

For further information on data matching at NHS Bristol, North Somerset and South Gloucestershire ICB contact Elias Hayes, Local Counter Fraud Specialist on 07796 813469 or elias.hayes@nhs.net

Legal Basis

BNSSG’s legal basis to process this data is set out in Article 6 (c) of the General Data Protection Regulation (GDPR) “processing is necessary for compliance with a legal obligation to which the controller is subject”.

 
