Details of information collected and used for specific purposes

Although this is not an exhaustive listing, the following table lists key examples of the purposes and rationale for why we collect and process information. For each purpose we have provided: the purpose, including benefits to you as a patient; the type of information used (see ‘Definitions’); the legal basis identified for the collection and use of information; how we collect and use the information required; data processing activities, listing any third parties we may use for each purpose; and information on how to opt out of your information being used for each purpose.

  • Complaints
  • Commissioning
  • Funding Treatments
  • Continuing Healthcare
  • Safeguarding
  • Risk Stratification
  • Patient and Public Involvement
  • National Registries
  • Research
  • Serious Incident Reports
  • Clinical audit

COMPLAINTS

Purpose

A complaint may relate to a service which the CCG is directly responsible for providing, or it may relate to a service which we have commissioned for the patients we are responsible for, for example hospital services. The CCG requires this information in order to manage and help to resolve complaints; it is then used to prevent such complaints arising in future.

Type of Information Used

Identifiable

Legal Basis

Explicit consent

How We Collect and Use Information in relation to Complaints

When the CCG receives a complaint from a person we make up a file containing the details of the complaint, which will normally contain the identity of the complainant and any other individuals involved.

The CCG will only use the identifiable information we collect to process the complaint and to check the level of service we provide.

The CCG usually has to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

The CCG will publish service user stories, following upheld complaints, anonymously via our governing body.  The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied.  Consent will always be sought from the service user and carer or both before we publish the service user story.

Data Processing Activities

All data processing in relation to complaints is carried out within Warwickshire North CCG and if there is a requirement to forward the complaint to a provider then explicit consent is sought from the complainant.

Opt out details

If you do not want information identifying you to be disclosed we will try to respect that.  However, it may not be possible to handle a complaint on an anonymous basis. 

FUNDING TREATMENTS

Purpose

To fund specific treatment for you for a particular condition that is not covered in our contracts.  This may be called an ‘Individual Funding Request (IFR)’ which provides you with the payments required to receive specialist treatment.

Type of Information Used

Identifiable – to make payments

Anonymous – to provide reports for analysis of payments made

Legal Basis

Explicit Consent to use identifiable information to make payments

How We Collect and Use Information in relation to Funding Treatments

Information required to make payments in relation to Funding Treatments is provided by you, along with relevant information from primary and secondary care with regard to the referral for specialist treatment.

Data Processing Activities

The CCG has engaged the services of NHS Arden and Greater East Midlands Commissioning Support Unit to provide this service on our behalf. 

Opt out details

Payments will not be able to be made if you choose not to provide identifiable information.  Alternative arrangements will need to be considered. 

CONTINUING HEALTHCARE

Purpose

To undertake assessments where you have asked us to undertake assessments for Continuing Healthcare – a package of care for those with complex medical needs.  We use your information in order to be able to make the appropriate arrangements for resulting care packages.

Type of Information Used

Identifiable

Legal Basis

Explicit Consent

How We Collect and Use Information in relation to Continuing Healthcare

The assessment team will collect, use, share and securely store information from / with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.

Data Processing Activities

The CCG shares information with  NHS Arden and Greater East Midlands Commissioning Support Unit who process the information on our behalf. 

Opt out details

A Continuing Healthcare Assessment will not be able to be carried out if you choose not to provide identifiable information.  Alternative arrangements will need to be considered.

SAFEGUARDING

Purpose

To assess and evaluate any safeguarding concerns to ensure all patients / service users are effectively protected. 

Type of Information Used

Identifiable

Legal Basis

Legal requirement to use and share information relating to Safeguarding concerns with Safeguarding Boards and Multi-Agency Safeguarding Hubs where all members sign confidentiality agreements. 

How We Collect and Use Information in relation to Safeguarding

The CCG may receive information relating to Safeguarding concerns from you directly, from relatives, or through notification of concerns from other Health and Social Care organisations. All Health and Social Care professionals have a legal requirement to share information with appropriate agencies where Safeguarding concerns about children or adults have been received. Where it is appropriate to do so, the sharing organisations will keep you informed of when information is required to be shared, to provide you with assurance regarding the security of that sharing and the benefit to you or the person you are raising Safeguarding concerns about. Access to this information is strictly controlled and, where there is a requirement to share information, e.g. with police or social services, all information will be transferred safely and securely, ensuring that only those with a requirement to know of any concerns are appropriately informed.

Data Processing Activities

We will collect and process identifiable information where we have a statutory obligation to assess and evaluate any safeguarding concerns.

Opt out details

We have a legal requirement to provide information where there are Safeguarding concerns due to public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults. 

RISK STRATIFICATION

Purpose

Risk stratification is a process for identifying and caring for patients with long term health conditions and patients who are at high risk of emergency hospital admission.  NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions, such as chronic obstructive pulmonary disease (COPD) and diabetes, to help prevent hospital admissions that could have been avoided.  As well as helping GP Practices to provide Direct Care support, risk stratification is used by the CCG to support planning and commissioning, for example, understanding the numbers of patients in the region who require services to support COPD will enable us to commission the right services to better manage periods of ill health and to improve the quality of the services we are able to offer you.  

Type of Information Used

Different types of data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from GP Practices and NHS Digital to a Risk Stratification supplier (see below, Data Processing Activities)

Aggregated – the CCG can only receive this information in a format which cannot identify you.

Pseudonymised – GPs are provided with pseudonymised data for risk stratification planning purposes. However, where a direct care impact on a patient is identified through the process, the GP will be able to re-identify the patient concerned.

Legal Basis

The use of identifiable data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval).  Further information on Section 251 can be obtained by clicking here.  The reference number for the risk stratification approval is CAG7-04(a)/2013.  This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but the CCG staff will only be able to see information in a format that does not reveal your identity. 

How We Collect and Use Information in relation to Risk Stratification

Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission as well as data collected in GP practices.

NHS Digital provides information, identifiable by your NHS Number only, about hospital attendances. GP Practices provide information from GP records, also identifiable by your NHS Number only. Both sets of information are sent via secure transfer to the risk stratification system, where they are immediately pseudonymised and linked to each other. The risk stratification system uses a formula to analyse the pseudonymised data to produce a risk score. These risk scores are available to the GP practice you are registered with, where authorised staff who are responsible for providing direct care for you are able to see these scores in a format that identifies you. This will help the clinical team make better decisions about your future care; for example, you may be invited in for a review, or if they think you may benefit from a referral to a new service they will discuss this with you. The CCG is provided with reports containing aggregate information, which do not identify you, to ensure we are commissioning and planning for these services as required by the population we serve.

Data Processing Activities

On behalf of its GP Practices, the CCG has entered into a contract with NHS Arden and GEM CSU as their Risk Stratification Supplier to produce the analysis as above. 

Opt out details

Type 1 and Type 2 opt-outs apply.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Additional information is also available from the NHS England website: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

INVOICE VALIDATION

Purpose

Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may commission a service where the payment is all or partly based on the providers ensuring the service user has a healthy outcome. We need to ensure that we are paying the right amount of money for the right services to the right people.

These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) to ensure that the right amount of money is paid, by the right organisation, for the treatment provided.  

A small amount of information that could identify an individual is used within this secure area (such as NHS number or date of birth and postcode).  The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people.  The process is designed to protect confidentiality.   

Type of Information Used

Identifiable - within the Controlled Environment for Finance, for invoice validation. 

Pseudonymised, anonymised or aggregated - within the CCG, for commissioning purposes such as financial planning, management and contract monitoring. 

Legal Basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables the Arden and GEM CSU CEfF (see below) to process identifiable information without consent for the purposes of invoice validation within a Controlled Environment for Finance – CAG 7-07(a)(b)(c)/2013.  

How We Collect and Use Information in relation to Invoice Validation

Organisations that provide treatment submit their invoices to the CCG for payment.  The secure area (Controlled Environment for Finance, provided by AGEM CSU) receives additional information, including the NHS Number, or occasionally the date of birth and postcode, from the organisation that provided treatment.

NHS Digital sends information into the secure area, including the NHS number and details of the treatment received.  The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoices.  The invoices will be paid when the validation is completed.

The CCG does not receive any identifiable information for purposes of Invoice Validation; however, we will receive reports to help us manage our finances.

Data Processing Activities

The CCG uses the services of the Arden and GEM CSU Controlled Environment for Finance and has a contract in place with them.  Only authorised staff are able to access this information. 

Opt out details

Type 2 opt-out applies.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Additional information is also available from the NHS England website: https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/

PATIENT AND PUBLIC INVOLVEMENT

Purpose

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and use information which you share with us.  Where you submit your details to us for involvement purposes, we will only use your information for this purpose. 

Type of Information Used

Identifiable

Legal Basis

Explicit Consent

How We Collect and Use Information in relation to Patient and Public Involvement

We will be collecting and using your information to enable us to keep you informed of any news, consultation activities or patient participant groups.  

Data Processing Activities

The CCG shares information with  NHS Arden and Greater East Midlands Commissioning Support Unit who process the information on our behalf.  

Opt out details

You can opt out at any time by contacting us. 

COMMISSIONING

Purpose

Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning datasets. The CCG obtains from NHS Digital the datasets which relate to patients registered with our GP practices. This enables us to plan, design, purchase and pay for the best possible care available for you.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from Primary and Secondary Care Services to NHS Digital

Aggregated – the CCG can only receive this information in aggregated format which does not identify individuals

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

  • The Health and Social Care Act 2012 enables NHS Digital to provide the CCG with pseudonymised information about any attendances that you have made with NHS healthcare providers.

There is no requirement for a legal basis for use of the aggregated information which is available to the CCG as this does not identify individuals. 

How We Collect and Use Information in relation to Commissioning

The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you.  Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

We also receive similar information from the GP Practices within our CCG membership that also does not identify you.

We use these datasets for a number of purposes such as:

  • Performance managing contracts (the CCG only receives this information in aggregated format which does not identify individuals). In terms of commissioning datasets, there are 3 main activity types: Outpatients, Admitted patients, and Accident and Emergency attendances, which are received in pseudonymised form;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care; 
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice;
  • To audit NHS accounts and services.

Data Processing Activities

The CCG has engaged the services of NHS Arden and Greater East Midlands Commissioning Support Unit (CSU) to support us in processing and analysing the commissioning data. Some of the CCG’s own staff and a limited number of staff from the CSU will undertake these data processing activities and will be given access to pseudonymised information (that does not reveal your ‘real world identity’) on behalf of the CCG. The CCG will then be provided with reports to help us with our responsibilities as listed above.

Sharing commissioning data with other CCGs

Coventry and Rugby CCG works collaboratively with South Warwickshire CCG and Warwickshire North CCG to commission services and manage commissioning contracts on each other’s behalf. This helps us all fulfil our commissioning objectives more effectively and efficiently. This means that we need to share our pseudonymised commissioning information (which does not reveal your real world identity) with each of the CCGs. This will also help us avoid duplication and make the best use of resources available to us.

Opt out details

Type 1 and Type 2 opt-outs apply.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by NHS Digital is available on their website http://www.hscic.gov.uk/patientconf 

NATIONAL REGISTRIES

Purpose

National Registries are used in the NHS to provide support to particular groups of patients to ensure they are receiving the care and support they require, for example, the Learning Disabilities Register. NHS Digital is responsible for the information collected and used in the Registers and will ensure your information is kept securely and confidentially.

Type of Information Used

Identifiable and pseudonymised – dependent on purpose.

Legal Basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables NHS Digital to process identifiable information without consent for the purposes of approved National Registries.

How We Collect and Use Information in relation to National Registries

The GP Practices within our CCG membership provide this information to NHS Digital using a secure transfer method. 

Data Processing Activities

The CCG shares information with  NHS Arden and Greater East Midlands Commissioning Support Unit who process the information on our behalf.  

Opt out details

Type 1 and Type 2 opt-outs apply.

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose. 

RESEARCH

Purpose

Research can provide direct benefit to patients who take part in medical trials and indirect benefits to the population as a whole.

Your information can be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records. 

Type of Information Used

Identifiable and anonymised – dependent on the purpose.

Legal Basis

Where identifiable information is being used your explicit consent will be gained. Where gaining consent from all patients is not appropriate, e.g. for large-scale, nationwide projects, a Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, is required. The approval ensures that the appropriate security processes are in place to protect your information and that only the minimum information is used for the purpose specified. Research activities using anonymised information do not require your consent.

How We Collect and Use Information in relation to Research

Where identifiable information is needed for research, you will be approached by the organisation where the treatment was received, to see if you wish to participate in the particular research study.  You will be provided with information about the research and the way in which your identifiable information will be used and kept safe and secure before being asked to provide explicit consent to take part.  Where a Section 251 approval has been granted you will be informed of the project and will be able to make a decision as to whether you wish to opt out.  Information related to research projects will be kept safe and secure with access limited to authorised research team members only.

Data Processing Activities

The CCG is not currently engaged in any research activity.

Opt out details

Where consent is required to take part in a research project you will also be provided with details by the organisation holding your records on how to opt out at any time.

Where s251 approval has been granted you can request that your identifiable information is not included.  The Register of current s251 approval across England and Wales can be found here:

The organisation holding your records will provide notices on their premises and websites about any research projects being undertaken which will provide opt out details.

Your GP practice can apply a code which will stop your identifiable information being used for this purpose. 

SERIOUS INCIDENT REPORTS

Purpose

The CCG collects and uses information from Serious Incident Reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately with lessons learnt. 

Type of Information Used

Identifiable

Legal Basis

Explicit consent

How We Collect and Use Information in relation to Serious Incident Reports

We are statutorily required to fully investigate and review incidents.  Where there is a requirement to provide incident reports externally the information will be anonymised unless there is a legal requirement to provide your details.  You will be kept informed of the requirements we are required to meet and asked for consent where information is to be shared externally.

Data Processing Activities

The CCG shares information with  NHS Arden and Greater East Midlands Commissioning Support Unit who process the information on our behalf. 

Opt out details

If you do not want information identifying you to be disclosed we will try to respect that.  However, it may not be possible to fully investigate serious incidents on an anonymous basis.  If the incident involved a breach of law or regulations there may be a legal duty to provide identifiable information.  You will be fully informed of this throughout the process.

CLINICAL AUDIT

Purpose

Effective clinical audit can provide direct benefit to you as a patient and to the population the CCG serves to ensure that the services we plan and commission offer high quality and effective care.

Type of Information Used

Identifiable – where clinical audit is undertaken by the GP practice with which you are registered. The GPs and clinicians involved in your Direct Care are said to have a ‘legitimate relationship’ with you and any outcomes will directly improve patients’ health and wellbeing.

Anonymous – where clinical audit is being undertaken by GPs and health professionals with whom you do not have a ‘legitimate relationship’.

Legal Basis

For clinical audit undertaken by the GPs and clinicians directly involved in your care we will rely on implied consent to collect and use your information where the outcomes cannot be achieved using anonymous information.

Where clinical audit is undertaken by GPs and health professionals with whom you do not have a ‘legitimate relationship’, your explicit consent will be required where identifiable information is being used, or another statutory basis identified.

Using anonymous data for the purposes of clinical audit does not require a legal basis.

How We Collect and Use Information in relation to Clinical Audit

Information required for clinical audit will be collected from your records held by the organisation where you have received treatment.  Authorised healthcare professionals will review the records held ensuring that only the minimum information required for the purpose is used.  Where consent is required to use identifiable information you will be contacted by the organisation who has provided your treatment.

Data Processing Activities

The CCG shares information with  NHS Arden and Greater East Midlands Commissioning Support Unit who process the information on our behalf. 

Opt out details

Where you have provided explicit consent to take part in a clinical audit you can opt out at any time by contacting the organisation who provided your treatment.

Your GP practice can apply a code which will stop your identifiable information being used for this purpose. 

DATA PROCESSORS

Below are details of our data processors and the function that they carry out on our behalf:

  • Arden&GEM CSU – Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, Continuing Healthcare, Individual Funding Requests, Medicines Optimisation, HR
  • Iron Mountain – Archiving of Records
  • 360 Assurance – Internal Audit related purposes
  • NHSLA – Claims Management
  • Data Shred – The CCG’s Confidential Waste Disposal Company
  • Shared Business Service – Staff Payroll
  • NHS South Warwickshire Clinical Commissioning Group – Adult Safeguarding Service
  • Warwickshire Multi-Agency Safeguarding Hub - a partnership between Warwickshire County Council, Warwickshire Police, National Health Service (NHS) and other key partner agencies working together to safeguard children, young people and adults.

 

© NHS Warwickshire North Clinical Commissioning Group
Second Floor, Heron House, Newdegate Street, Nuneaton CV11 4EL