What information do we collect?

On this page:

What information do we collect about you?

We only collect and use your information for the lawful purposes of administering the business of NHS South Sefton CCG.

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. In order to so effectively we are often required to process personal data i.e. that which identifies a living individual.

We also process special category data. This is personal data which the Data Protection Act 2018 (DPA) says is more sensitive, and so needs more protection:

  • racial and ethnic origin
  • offences (including alleged offences), criminal proceedings, outcomes and sentences
  • trade union membership
  • religious or similar beliefs
  • employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for Staff.

In terms of patient information, the special category data we process includes:

  • physical or mental health details
  • racial and ethnic origin
  • sexual life

Back to top of page

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

Back to top of page

How will NHS South Sefton CCG use information about you?

There are various ways we use information about you, which have been broken down into the following sections:

NHS Continuing Healthcare

Purpose and legal basis for processing

NHS Continuing Healthcare (CHC) is explained by NHS Choices here.

To determine if someone is eligible for CHC and to then arrange a care and support package that meets their assessed needs, information about the individual will need to be collected, reviewed and shared with care providers such as care homes. As the CCG has a duty to provide CHC services, this allows for the collection of information about individuals for this purpose, the use of that information and the sharing of it with third parties who need to be involved in the process; we will make sure that we keep the individual concerned informed at all times of who will be providing or receiving data about them and why.

The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 6 places a duty on CCGs to make provision for, i.e. provide, CHC services. As such, NHS South Sefton CCG’s legal basis for processing this personal data under GDPR is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’

Sources of the data

The personal data are submitted by the CCG and the applicant for review.

Categories of personal data

The information CCGs use to assess eligibility, and which may be submitted to an Independent Review Panel, fall under the following headings:

  • behaviour
  • cognition (understanding)
  • communication
  • psychological/emotional needs
  • mobility
  • nutrition (food and drink)
  • continence
  • skin (including wounds and ulcers)
  • breathing
  • symptom control through drug therapies and medication
  • altered states of consciousness
  • other significant needs

The obtained records that relate to these areas may include Care Home records, Health Records (for example GP, Hospital, Mental Health, District Nursing) and Social Care Records.

Recipients of personal data

Categories of recipient’s Personal data relating to the application is received by Midlands and Lancashire Commissioning Support Unit Continuing Healthcare teams and the members of the review panel. An Independent Review Panel is made up of:

  • an independent chair
  • a representative nominated by a Clinical Commissioning Group (not involved in the case);
  • a representative nominated by a Local Authority (not involved in the case); and
  • at times there is also a clinical advisor in attendance.

Back to top of page

Complaints and Enquiries

Purpose and Legal basis for processing

Most NHS care and treatment goes well but sometimes things can go wrong. If you are unhappy with your care or the service you have received, it is important to let us know so we can improve.  When NHS South Sefton CCG receive a complaint, to allow it to be fairly and thoroughly managed, in most cases personal information will be required. CCGs have statutory duties (Section 6 of the Local Authority Social Services and National Health Service Complaints [England] Regulations (2009) (under section 113 “Complaints about Healthcare” of the Health and Social Care (Community Health and Standards) Act 2003)) which allow the processing of personal data in relation to complaints.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a CCG.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the DPA 2018 which relates to statutory and government purposes.

Sources of personal data

NHS South Sefton CCG will generally collect/receive information when members of the public, their representatives, or members of Parliament, contact us with concerns or enquiries. In order to process a complaint NHS South Sefton CCG will collect the relevant information at the point of contact to enable the team to provide a sufficient response to the request.

Categories of personal data

Information relating to complaints would generally include the following categories of personal data:

  • Patient’s name
  • Patient’s address
  • Patient’s contact number
  • GP Surgery
  • Patient’s NHS number
  • Patient’s date of birth
  • Representative details (if applicable)
  • Representative address (if applicable)
  • The nature of the complaint

Recipients of personal data

The recipients of personal data relating to complaints include:

  • Any team within the CCG that may receive an enquiry or complaint
  • Midlands and Lancashire Commissioning Support Unit who manage complaints on behalf of the CCG under contract
  • Relevant providers (with the consent of the data subject) in order to fully investigate the complaint being made

Do we use any processors?

Yes - NHS South Sefton CCG commission Midlands and Lancashire Commissioning Support Unit to provide these services on their behalf.

Back to top of page

Communications and Engagement

Purpose and legal basis for processing

NHS South Sefton CCG offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from the CCG, opportunities, events and details on how to get involved.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them. We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this. Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

Source of personal data

The personal data is provided by data subjects when signing up to receive one of our newsletters either via our website or by completing one of our sign-up forms at one of our stakeholder events we hold from time to time.

Categories of Personal data

We only require you to provide us with your name and email address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of our population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Recipients of personal data

The information you provide as a member of one of our patient involvement groups is never shared outside of NHS South Sefton CCG.

Do we use any processors

No

Back to top of page

Individual Funding Requests

Purpose and Legal basis for processing

The NHS has a duty to spend the money it receives from the Government in a fair way, taking into account the health needs of the whole community. The CCGs role is to ensure it gets best value for this money by spending it wisely on behalf of the public.

CCGs pay for local NHS health services and NHS England pays for highly specialised health services. The CCGs have a legal duty to provide health services for patients in the county with the fixed amount of money they have received from the Government. They have a legal duty not to spend more than this. This means that some hard choices have to be made. Not all treatments can be provided by the NHS. Treatments that are limited by CCGs are shown in their Clinical Commissioning Policies.

However, the CCGs know that there will always be times when a patient would benefit from a particular treatment not usually given by the NHS. To apply for this treatment, an Individual Funding Request is made. To allow the CCG to consider these requests, access to both personal and health information regarding the individual to whom the request relates is required.  As the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 7, Regulation 34 places a duty on CCGs in respect of the funding and commissioning of drugs and other treatments, this provides the CCG with a legal basis to use personal data as part of this process.

NHS South Sefton CCG commission Midlands and Lancashire Commissioning Support Unit (MLCSU) to provide these services on their behalf.

Source of personal data

The information may be provided by a clinician who submits an IFR application form on behalf of a patient.  

Categories of personal data

The IFR application form includes NHS number, name and address, date of birth, GP details, diagnosis, requested intervention and other information relevant to the request. Gender and ethnicity are also collected and held in anonymous form for equality monitoring.

Categories of recipients

Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

Back to top of page

Invoice validation

Purpose and Legal basis for processing

Invoice validation is an important process. It involves using your NHS number to check that we are the CCG that is responsible for paying for your treatment.

There are situations where identifiable patient personal data is required to ensure that the correct service provider is paid.

In such cases, service providers are required to send identifiable patient personal data such as the NHS Number to a Controlled Environment for Finance (CEfF). NHS South Sefton CCG is an accredited Controlled Environment for Finance (CEfF) which enables them to process patient identifiable information without consent for the purposes of invoice validation. We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect report and investigate any incidents of where a breach of confidentiality has been made.

Under the NHS Act 2006, provision is made for the sharing of patient information that is in the interests of improving patient care or deemed to be in the public interest. This is commonly referred to as a Section 251 exemption that allows the common law duty of confidentiality to be bypassed in order to fulfil a task in the interests of improving patient care or in the public interest. The specific reference for this exemption is: CAG 7-07(a)(b)(c)/2013. As such, our legal basis under GDPR is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Sources of the data

The sources of data are providers who submit invoices to NHS Shared Business Services for payment.

Categories of Personal data

The data required for effective invoice validations can be found in appendix B. of “Who Pays? Information Governance Advice for Invoice Validation” which you can find here:

https://www.england.nhs.uk/wp-content/uploads/2013/12/who-pays-advice.pdf

Recipients of personal data

NHS South Sefton CCG is the only organisation that will have receive personal data relating to invoice validation as an accredited Controlled Environment for Finance.

Back to top of page

Risk stratification

Purpose and legal basis for processing

Health care commissioners need information about the treatment of patients to review and plan current and future health care services. To do this they need to be able to see information about the health care provided to patients which can include patient level data.

The law says commissioners are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. So they need an intermediary service called Data Services for Commissioners Regional Office (DSRCO), that specialise in processing, analysing and packaging patient information within a secure environment into a format commissioners can legally use; anonymised patient level data. You can find more comprehensive information about this on the NHS Digital Website.

NHS Digital is able to disseminate data to commissioners under the Health and Social Care Act (2012). The act provides the powers for NHS Digital to collect, analyse and disseminate national data and statistical information. To access this data organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements. For GDPR purposes NHS South Sefton CCGs lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’

NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care to support NHS commissioning organisations and the commissioning functions within local authorities.

GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care, however the CCG can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS Digital or other health care provider, the GP will ask for your permission to access the details of that information.

Back to top of page

Safeguarding

Purposes and basis for processing 

NHS South Sefton CCG is dedicated in ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all and at the heart of what we do. 

Our Legal basis for processing For the General Data Protection Regulation (GDPR) purposes is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of special categories data, the basis is Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Categories of personal data

The data collected by NHS South Sefton CCG staff including its hosted bodies in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to adequately deal with the situation. In addition to some basic demographics and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

Sources of the data

NHS South Sefton CCG will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns and make enquiries to relevant providers.

Recipients of personal data

The information is used by NHS South Sefton CCG when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as Local Authorities, the Police, healthcare professional (i.e. their GP or mental health team).

Back to top of page

Medicines Management

Purpose and legal basis for processing

NHS South Sefton CCG has a duty to commission services, and secure continuous improvement in the quality of services, for the prevention, diagnosis or treatment of illness.  Commissioning services means securing, planning, designing and paying for NHS service e.g. the ‘Care at the Chemist Scheme’.  The medicines management team work with other local healthcare providers (including GP practices) to help patients get the best health outcomes from their medicines.  The medicines management team (pharmacists and pharmacy technicians) access both personal and health information to:

  • Review individual patient’s medication to improve medicines safety, reduce waste, to make sure patients have the right choice of medicine and take their medicines in the right way
  • Do clinical audits that let healthcare providers and patients know where their service is doing well, and where there could be improvements
  • Support commissioning of services relating to medicines to improve health outcomes for patients, medicines safety and local healthcare capacity

The legal basis we rely on to process personal information is article 6(1)(e) of the GPDR, which allows us to process personal information when this is necessary to perform our public tasks as a CCG.

The legal basis we rely on to process health information (a special category under the GDPR) is article 9(2)(h), which allows us to process special categories of personal information when this is necessary to perform our public task as a CCG and is also part of the ‘preventative medicine’ and ‘provision of care and treatment’ elements of Schedule 1 paragraph 2 of the Data Protection Bill.

Under the NHS Act 2006 we can share patient information without consent, where it is in the interests of improving patient care or deemed to be in the public interest, called a ‘Section 251 exemption’.

Source of Data

The personal and health information we process comes from your GP health record, which also contains information from other healthcare providers, such as hospitals, community services.

We also get personal and health information directly from other healthcare providers such as hospitals, care homes, community pharmacies.

Categories of Data

We access your GP health record to support our purpose as described above, this includes your NHS number, diagnoses, medication, test results.

Recipients of Personal Data

We may also share your information, to support our purpose as described above, with local health and social care providers and services such as:

  • NHS Trusts
  • Specialist Trusts
  • GP practices and federations
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Social Care Services
  • Local Authorities
  • Education Services
  • Emergency services – police, fire and rescue, ambulance trust

Back to top of page

Quality

Purpose and basis for processing

NHS South Sefton CCG has a duty to the improvement of quality and delivery of services and uses incident events, investigation, evidence and reports relating to incidents under various policy and procedural structures.

An incident requiring investigation is defined as an incident that occurred in relation to NHS funded services and care resulting in unexpected or avoidable death, harm or injury to patient, carer, staff or visitor. In order to promote quality and compliance, NHS South Sefton CCG has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

Categories of personal data

NHS Number and other personal details, including relevant healthcare records and information about the incident, including others involved or impacted by the event are used by the CCG to facilitate incident investigations.

Sources of the data

Data received in order to fulfil the duties relating to incident investigation will be received directly from the reporting organisation, such as a GP practice or provider.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers. 

Back to top of page

Commissioning – Assuring Transformation

Purpose and Legal Basis for Processing

The Department of Health published 'Transforming Care: A national response to Winterbourne View Hospital and the Concordat: Programme of Action' in December 2012. The purpose of this data collection is to ensure that the public awareness of the NHS commitments in the Winterbourne View Concordat is transparent and robust. By collecting this data, the CCG is able to achieve the most appropriate outcomes for ‘people with a learning disability or autism, who may also have mental health needs or behaviour that challenges’

Under the NHS Act 2006, provision is made for the sharing of patient information that is in the interests of improving patient care or deemed to be in the public interest. This is also referred to as a Section 251 exemption. A Section 251 exemption has been granted for the delivery of Assuring Transformation work programmes. Therefore, the lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’

Source of data

Data is received by NHS South Sefton CCG from local providers who are providing care to any patient who has ‘any status under the Mental Health Act (informal or detained).’

Categories of Personal Data

The Assuring Transformation Programme relies upon collecting healthcare information such as NHS number and information relating to a patients current treatment; such as how long they have been in hospital for, when their care and treatment is checked and what kind of hospital they are in. Additional information such as any levels of security assigned to an individual (general/low/medium/high) currently in care as well as their status under the Mental Health Act (informal or detained) is also collected.

Recipients of Personal Data

Data collected for this purpose is then shared with NHS Digital.

Back to top of page

How we use information provided by NHS Digital

We use information collected by NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund. 

The data we receive does not include patients’ names or home addresses, but it will usually include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services. 

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and unless we have a legal basis to use identifiable data, de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity.

Back to top of page

Children’s Information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

Back to top of page

Automated Decision Making

NHS South Sefton CCG does not use automated individual decision-making (making a decision solely by automated means without any human involvement).

Back to top of page

Retaining information

Information in the CCG is held for a specific length of time depending on the type of information it is.  The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: NHS Digital Records Management Code of Practice for Health and Social Care 2016

Once information has been reviewed and is no longer required to be kept by a retention period the information will be securely destroyed. 

Back to top of page

Security of your information

NHS South Sefton CCG take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

Alongside the Data Protection Officer (DPO), we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual information governance training and are provided with an information governance handbook that they are required to read and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality.  Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

Back to top of page