What is a Fair Processing or Privacy Notice?
The purpose of this notice / leaflet is to inform you of how the CCG uses information including personal confidential data, pseudonymised data and anonymised data. We will inform you how the different types of information are used, who we may share that information with and how we keep it secure and confidential.
Personal confidential data (PCD) is a term which was introduced in July 2013 from the Caldicott Information Governance Review and describes personal information such as name, address, date of birth, NHS Number and sensitive information such as health information about individuals which must be kept private or secret and includes deceased people’s information as well as living people.
The review interpreted ‘personal’ as including the Data Protection Act 1998 definition of personal data, but included data relating to the deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act 1998. HMR CCG has a duty to ensure this is kept confidential, secure and used appropriately.
Pseudonymised data or pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode, date of birth with a unique identifier, which obscures the 'real world' identity of the individual patient to those working with the data. It is used to preserve the patient's privacy and data confidentiality.
Anonymised data or anonymisation means that we cannot identify any individuals from information as a process has been put in place to remove all identifiers.
Who are we and what do we do?
Clinical Commissioning Groups (CCGs) were created following the Health and Social Care Act in 2012, and replaced Primary Care Trusts on 1 April 2013. NHS Heywood, Middleton & Rochdale CCG is therefore a commissioning organisation; our purpose is not to provide care, and so we do not routinely hold or receive information about patients and service users in a format from which they can be identified.
NHS Heywood, Middleton & Rochdale CCG is responsible for buying (also known as commissioning) health services from healthcare providers such as Hospitals and GP Practices for our local population. Our role includes the following:
- Ensuring and monitoring contracts in place with local health service providers
- Ensuring routine and emergency NHS services are available to patients
- Ensuring commissioned services provide high quality care and value for money
- Paying for services for the care and treatment they have provided
- Performance monitoring of commissioned services
- Responding to any concerns / complaints from our patients regarding the health and care services they receive and / or referring them to NHS England as appropriate
For more information about Heywood, Middleton and Rochdale CCG, please visit our website at the link below: http://www.hmr.nhs.uk/
Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets. The CCG are committed to protecting your rights to confidentiality.
Why we collect information about you
We are very careful when we need to use information about you to support the functions we perform as a CCG. The types of information we use are explained below:
Secondary Uses Services Data (SUS)
We use information collected by hospitals, community services and NHS Digital. The type of information we use is called Secondary Uses Services data (SUS data). SUS data gives us information about the services we commission. It does not include your name or home address but may include information such as your ethnicity and gender. It also contains coded information about hospital attendances and treatment.
We use the SUS data for a number of purposes:
- To understand the health needs of the population
- To plan, redesign and improve services
- To ensure providers are using resources effectively
- To pay services for the care they provide
- To audit NHS accounts and services
In order to ensure that the NHS continues to function lawfully and efficiently, the Secretary of State for Health has given permission for CCGs to use certain personal information from SUS without consent, but only when it is absolutely necessary for certain specified purposes. This approval is given upon the strict advice of the Health Research Authority’s Confidentiality Advisory Group (CAG) under conditions set out in section 251 of the NHS Act 2006. The specific terms and conditions that we are obliged to follow when using SUS data can be found on the NHS Digital website (http://digital.nhs.uk/).
Section 251 of the NHS Act 2006
The Secretary of State for Health gives limited permission for the CCG (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.
This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
To find out more about Section 251 and the work of the Health Research Authority (HRA), please visit: http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/#sthash.JL1s6ACl.dpuf
We use information collected by NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund.
The data we receive does not include patients’ names or home addresses, but it may include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.
In order to use this data, we have to meet strict conditions that we are legally required to follow. This includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity. These terms and conditions can be found on the NHS Digital website.
If you do not want your personal information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a “Type 2” opt-out with your GP practice.
For more information about NHS Digital please visit: http://digital.nhs.uk/dataflowstransitionmanual
Risk Stratification (Pro-Active Care Management)
Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as type 2 diabetes. This is called risk stratification for case-finding.
The CCG also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCG does not have access to your personal data. The information is de-identified / pseudonymised.
NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions. Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission (secondary care data). The CCG will use anonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality. The use of personal data by GPs and pseudonymised data for CCGs to undertake risk stratification activities has been approved by the Confidentiality Advisory Group (CAG) of the Health Research Authority. Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. It is used to preserve the patient's privacy and data confidentiality. It allows for the same patient from different sources to be linked to create a complete longitudinal record, which is a comprehensive clinical summary of that patient’s condition, history and care. To undertake this process to assist with risk stratification, the CCG uses the North West Data Services for Commissioners Regional Office (DSCRO), who are hosted by NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU), so that the CCG cannot identify patients. The CCG also uses a system called Qlikview provided by Caci Ltd to undertake anonymous / pseudonymised analysis.
The CCG also uses MSD Healthcare to assist with risk stratification specifically related to the Long Term Conditions Project detailed below. MSD Healthcare will work with pseudonymised data to combine data analytics with the goal of helping reduce the risks of Long Term Conditions for HMR residents. The project seeks to develop a tool combining data analytics with a telehealth service for managing patients at risk of developing Long Term Conditions and is designed to help medical professionals better predict who may be at risk and therefore monitor and/or take preventative action where appropriate.
MSD are an NHS England approved risk stratification supplier on behalf of HMR CCG. For the full list of registered risk stratification suppliers, please visit: https://www.england.nhs.uk/wp-content/uploads/2017/03/risk-stratification-approved-orgs-290317.pdf
Data Services for Commissioners Regional Office (DSCRO)
NHS Digital's responsibilities as set out in the Health and Social Care Act 2015 include the collection, analysis and presentation of national health and social care data. The Act also gave NHS Digital the powers to act as a safe haven and collect, hold and process personal confidential data (PCD) for purposes beyond direct patient care.
Commissioners of healthcare services need to plan and commission healthcare services in their local area through analysis of actual and projected use of services across all parts of the care economy. This modelling requires access to information about care provided to patients, their hospital stays and patient journeys but without accessing personal confidential patient data. In general, commissioners do not provide direct patient care, and therefore they have no legal basis on which to access personal confidential patient information.
Therefore commissioners require an intermediary service that specialises in processing, analysing and packaging patient information into a format they can legally use; this is completed by Data Services for Commissioners Regional Offices (DSCROs). All the data CCGs receive will be pseudonymised and / or anonymised.
DSCROs work with data from NHS Hospital Trusts in the regional processing centres. Staff follow strict rules on accessing, analysing and processing data. The powers granted to the organisation by the Health and Social Care Act 2015 mean that staff are operating within the approved legal framework.
The service allows clinical commissioning groups (CCGs), local authority public health teams and specialised commissioners to plan and commission those healthcare services in their local area and nationally using the services provided through the DSCROs.
Technical and organisational measures are in place to ensure the security and protection of personal confidential data. Robust access controls are in place to ensure only GPs are able to re-identify information about their individual patients with their consent when it is necessary for the provision of their care.
Long Term Conditions Project
The NHS in Heywood, Middleton and Rochdale is testing a new project to improve care for people who have, or may develop, long term health conditions. Through analysis of patient data, we aim to identify more quickly those people most at risk from chronic ill health, such as diabetes and heart and lung diseases. As well as offering more timely and personalised care to people with existing conditions, we hope to identify those who have not yet even been diagnosed. That means we can treat them earlier and keep them healthier longer.
GPs will be able to identify patients who are at greatest risk of developing long term illnesses and to intervene earlier, preventing ill health or delaying its onset. For those patients who have already been diagnosed with a long term condition, GPs will be alerted to those at greatest risk of a further deterioration in their health and help them avoid the need for emergency care.
The project is a partnership between:
- NHS Heywood, Middleton and Rochdale Clinical Commissioning Group
- HMR GPs
- MSD Informatics
- Verily Life Sciences
The project is part of a national programme to pilot the impact of new technologies in the NHS to develop better care for patients as well as better value for taxpayers. It aims to find innovative new ways to improve health. The national programme is overseen by NHS England.
The role of each testbed partner is:
NHS HMR CCG
Provide a pseudonymised SUS dataset to use during risk stratification
HMR GP Member Practices
Provide a pseudonymised GP dataset to use during risk stratification
Develop risk stratification software that can be used in GP Practices to identify patients with or at risk of developing Long Term Conditions.
MSD will develop a combined pseudonymised dataset that can enhance the risk stratification process
Verily Life Sciences (formerly Google Life Sciences)
Develop risk stratification algorithms in partnership with MSD Healthcare using population and environmental data, localised to HMR, to enhance the MSD software product above.
Verily will build the algorithms using the combined pseudonymised dataset created by MSD Healthcare
University of Manchester
Evaluate the healthcare outcomes of the Long Term Condition project following the application of the tools and interventions developed. The evaluation will use anonymised data provided by MSD Healthcare
You can find out more about this project online at: www.hmr.nhs.uk.
Patients have a right to opt out of their information being used during this programme. GP practices must make patients aware that their information is being used for this purpose and that they have a right to opt out. This information is required for compliance with Principle 1 of the Data Protection Act. NHS England guidance is that GP practices should provide information to patients explaining how their data will be used and what to do if they have any concerns or objections.
If you wish to opt out of this project please contact your own GP Practice or the Test Bed Team as above for more information on how to do this.
CCGs and NHS England, which includes Commissioning Support Units, do not have a legal right to access personal confidential data (PCD) for the purpose of validating invoices. On 22 November 2013, the Secretary of State for Health approved applications from NHS England for section 251 support for PCD to be used to validate invoices lawfully, without the need to obtain explicit consent from the individual patient at a local level via the process outlined below.
Invoice validation is an important process which involves using your NHS number to establish which CCG is responsible for paying for your treatment. The process also ensures that those who provide you with care are reimbursed correctly for the care and treatment they have provided. The invoice validation process is undertaken by Greater Manchester Shared Service (GMSS) hosted by NHS Oldham CCG who are registered as a Controlled Environment for Finance (CEfF). This ensures that procedures and systems for managing invoices on behalf of the CCG are in line with national requirements as set out in the “Who Pays? – Determining responsibility for payments to providers” issued by NHS England (August 2013).
Personal Confidential Data
As a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, because of our assigned responsibilities, where we do hold and use personal confidential data. In order to process that information we have met a legal requirement and have complied with one of the following:
- The information is necessary for direct healthcare for patients
- We have received consent from individuals to be able to use their information for a specific purpose
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime, fraud or to report infectious diseases
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
The areas where we use personal information are:
- Individual Funding Requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS. This is carried out by Greater Manchester Shared Service (hosted by NHS Oldham CCG) Effective Use of Resources Team on behalf of the CCG.
- Assessments for Continuing Healthcare (a package of care for those with complex medical needs). With your consent, the CCG have a team who process these requests.
- Responding to your queries, concerns or complaints – The CCG IG Team will act (with your consent) to investigate any issues or complaints regarding the way the CCG handles your information. Any complaints or queries regarding CCG services should be directed to the Patient Services Team at Greater Manchester Shared Services.
- Safeguarding - Assessment and evaluation of safeguarding concerns for individuals old and young. The CCG has a safeguarding team who deal with this and they disclose to other safeguarding partners when this is required.
- Medicines Optimisation Services - The CCG has a team who is responsible for the clinical and cost effective use of medicines. The team works with GP Practices to review drugs.
- Patient Participation Group - if you are a member of any of our patient participation groups, have asked us to keep you up to date about our work and are involved in our engagement and public consultations, the CCG keeps this data about you.
- Mental Health Individual Funding Requests (IFR) – a process where patients and their GPs can request special treatments not routinely funded by the NHS. With your consent, this is carried out by the CCG.
We only use information that can identify you (known as personal confidential data) in accordance with the:
- Data Protection Act 1998 - This requires us to have a legal basis if we wish to process any personal and / or sensitive information.
- NHS Care Record Guarantee – sets out high level commitments for protecting and safeguarding your information, particularly in regard to your rights to access your information, how information will be shared, how decisions on sharing information will be made and investigating and managing inappropriate access (audit trails)
- NHS Constitution for England – this states that you have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure.
We also have to honour any duty of confidence attached to information and apply the Common Law Duty of Confidentiality. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.
We keep your information in written form and / or on a computer securely and confidentially.
The records include basic personal details about you, such as your name and address. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments. We will only use the minimum amount of information necessary about you.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell information about you.
The CCG will use the services of additional data processors, which will provide additional expertise to support the work of the CCG. They are as follows:
|Data Processors||Sharing Pseudonymised data with other CCGs for collaborative working|
Data Processor 1
NHS Arden and Greater East Midlands (GEM)
Commissioning Support Unit (CSU)
St John’s House, East Street, Leicester, LE1 1NB
DSCRO hosted by NHS Arden GEM are processing data on behalf of the CCG for risk stratification purposes
Data Processor 2
NHS Oldham CCG hosting:
Greater Manchester Shared Services
Ellen House, Waddington Street, Oldham, OL9 6EE
To provide the following services to the CCG: IT Services / Effective Use of Resources / Complaints / Information Governance / Invoice Validation (via the Controlled Environment for Finance)
Data Processor 3
Salford Royal NHS Foundation Trust hosting:
Advancing Quality Alliance (AQuA), 3rd Floor, Gate House, Cross St, Sale, M33 7FT
No personal data is transferred to this Data Processor or received.
Data Processor 4
Salford Royal NHS Foundation Trust hosting:
Salford Royal NHS Foundation Trust Data Centre, Stott Lane, Salford, M6 8HD
No personal data is transferred to this Data Processor or received.
Data Processor 5
Shred Station UK (Head Office)
(Disposal of Confidential Waste contract is via Rochdale Borough Council)
Data Processor 6
MSD Healthcare Services
Hertford Road, Hoddesdon, Herts, EN11 9BU
MSD Healthcare Services are processing data related to the Long Term Conditions Project on behalf of the CCG for risk stratification purposes
Only pseudonymised patient data is transferred to or received from this Data Processor.
Sharing and Disclosing Information
We contract with other organisations to provide a range of services to us (as detailed in the table above). In these instances, we ensure that our partner agencies have contracts / information sharing agreements which outline that your information is processed under strict conditions and in line with the law.
We share anonymised information with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. We would not share personal confidential data about you unless:
- You have asked us to and given us permission
- We are lawfully required to report certain information to the appropriate authorities e.g. for the prevention or detection of a serious crime and / or fraud
- To protect / safeguard children and vulnerable adults
- When a formal court order has been served upon us
- To protect the health and safety of others, for example to report an infectious disease like meningitis or measles
In the event that we are obligated to release information as described above, this will only be undertaken with the approval of our Caldicott Guardian.
Keeping information secure and confidential
All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data (as part of their role) receive additional specialist training.
We take relevant organisational and technical measures to ensure the information we hold is secure – such as storing information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption.
Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing.
This person is called the Caldicott Guardian; in NHS Heywood, Middleton and Rochdale CCG this is Dr Chris Duffy. To contact the Caldicott Guardian, please refer to the “Contacts” section below.
The CCG will approach the management of its business records in line with the Records Management NHS Code of Practice for Health and Social Care 2016 which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.
To read the Code of Practice, please click on the link below: http://systems.digital.nhs.uk/infogov/iga/resources/rmcop/index_html
The CCG’s records shall not be retained indefinitely and, at the end of the retention period, records shall be disposed of securely.
Opting Out of Data being Shared beyond care purposes
The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".
There are several forms of opt-outs available at different levels. These include for example:
A. Information directly collected by the CCG:
Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation as detailed above.
B. Information not directly collected by the CCG, but collected by organisations that provide NHS services.
Type 1 opt-out
If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Records for patients who have registered a type 1 opt-out will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.
Type 2 opt-out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.
To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care. This is known as the 'Type 2 opt-out'.
If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice.
For further information and support relating to opt-outs, please contact NHS Digital at:
- Telephone: 0300 303 5678
- Via the website: http://digital.nhs.uk/article/7092/Information-on-type-2-opt-outs
How can you get access to information held about you at the CCG (Subject Access Requests)?
The Data Protection Act 1998 gives you the right to request to view or have a copy of your records held by the CCG. You do not need to give a reason, but you may be charged a fee.
The NHS Care Record Guarantee states that you can be provided audit trail information regarding those staff who have accessed your health record.
If you want to request access to your information held by the CCG and / or request audit trail information, you need to make a written request to:
NHS Heywood, Middleton & Rochdale CCG
PO Box 100
The CCG holds limited health information about you where it can use this for direct care purposes, so you may also have to contact the NHS organisation(s) where you are being, or have been treated.
You should also be aware that in certain circumstances, your right to see some details in your health records may be limited in your own interest or for other reasons, for example a safeguarding issue.
Data Protection Register / ICO Notification
The CCG is a Data Controller. This means that they exercise overall control over the purpose for which, and the manner in which, personal data are processed. For example, they may process personal information themselves or ask a data processor to do this for them on their behalf. Under the terms of the Data Protection Act 1998 we are legally responsible for ensuring that all personal information we process is in compliance with the law. All data controllers must notify the Information Commissioner's Office (ICO), which is the UK's independent body set up to uphold information rights, of all personal information processing activities.
HMR CCG has dutifully notified and our ICO Notification number is ZA003479. You can access this notification via the ICO website at www.ico.org.uk.
If you have any questions or concerns regarding the information we hold on you or the use of your information, please contact us at:
Information Governance Team
NHS Heywood, Middleton & Rochdale CCG
3rd Floor Number One Riverside
To contact the CCG’s Caldicott Guardian, please contact:
Or you can use the “Contact Us” page on the HMR CCG website at the link below:
(Please note this email account is accessed by a number of personnel therefore consider the information provided when contacting and please state that the email is for the Caldicott Guardian of HMR CCG).
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner's Office (ICO) on the details below:
Information Commissioner's Office (ICO)
Useful Resources and Information
- HMR CCG Contact Us link - http://www.hmr.nhs.uk/index.php/get-in-touch/contact-us
- Information Commissioner’s Office - https://ico.org.uk/
- HRA - http://www.hra.nhs.uk/
- NHS Digital – Guide to Confidentiality in Health and Social Care - http://digital.nhs.uk/media/12822/Guide-to-confidentiality-in-health-and-social-care/pdf/HSCIC-guide-to-confidentiality.pdf
- Information Governance Alliance - http://systems.digital.nhs.uk/infogov/iga
- NHS Care Record Guarantee - http://systems.digital.nhs.uk/rasmartcards/documents/crg.pdf
- The NHS Constitution - https://www.gov.uk/government/publications/the-nhs-constitution-for-england/the-nhs-constitution-for-england
- Records Management Code of Practice for Health and Social Care 2016 - http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf