Fair processing notice

We need to use information about our patients and population to enable us to commission services which meet their needs.

In undertaking our role HIOW ICB holds some information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this. Within the health sector, we follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare or where there are overriding public interest factors.

The ICB has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian.  

The details of our Caldicott Guardian are as follows:

• Name: Sara Courtney
• Email: hiowicb-hsi.hsiow-caldicottguardian@nhs.net

They are supported by another senior member of staff who is responsible for information risk and information security, this person is called the Senior Information Risk Owner (SIRO).
The contact details of our SIRO are as follows:

• Name: Martin Sheldon
• Email: hiowicb-hsi.hsiow-siro@nhs.net

The above two roles are also supported by our Data Protection Officer (DPO).  The DPO is responsible for monitoring compliance with Data Protection legislations (GDPR & DPA 2018), Information Governance (IG) policies, providing advice and guidance, raising awareness, training and audits.  The DPO acts as a contact point for the Information Commissioner’s Office (ICO), employees and the public.  They co-operate with the ICO and will consult on any other matter relevant to Data Protection. 

The contact details of our DPO are as follows:

• Name: Rebecca Willis 
• Email: hiowicb-hsi.hsiow-dpo@nhs.net

HIOW ICB is a Data Controller and are registered with the ICO to collect data for a variety of purposes. Our registration number is: ZB370396 and a copy of the registration is available through the ICO website.

We do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example: 

• Your name, address, your date of birth, contact details and your NHS number which in some circumstances we may use as your single identifying number with no other information about you attached. Your NHS number is present in all of your health records and therefore we are able to use that number to link information to you or about you without revealing any personal or confidential data, where we are lawfully allowed to do this.  There are limited times where we will need to hold information about your health and treatment and these are set out below.

We use the following types of information/data:

• Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
• Special Categories of Personal Data – this term describes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  
• Confidential Patient Information – this term describes information or data relating to their health and other matters disclosed to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence.  Including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. As described in the Confidentiality: NHS code of Practice: Department of Health guidance on confidentiality 2003.
• Pseudonymised - The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity.
• Anonymised – Data in a form that does not identify individuals and where identification through its combination with other data is not likely to take place.
• Aggregated - Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.
   

There are some limited exceptions where we may hold and use sensitive personal information about you (also referred to as special category data). For example, the ICB is required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information include:

• assessments for continuing healthcare and appeals
• responding to your queries, compliments or concerns
• assessment and evaluation of safeguarding concerns
• where there is a provision permitting the use of sensitive personal information under specific conditions, for example to:

1. understand the local population needs in order to plan and commission services
2. ensure that the ICB is billed accurately for the treatment of its patients, which is known as “invoice validation”
    

We use pseudonymised, anonymised and aggregated data to plan health care services. Specifically, we use it to:

• check the quality and value for money of the health services we commission
• prepare performance reports on the services we commission
• work out what illnesses people may have in the future, so we can plan and prioritise new or changed services to ensure that these services will meet the needs of our population in the future

We commission NHS funded health services for you from a number of organisations, both within and outside the NHS (see Appendix A of the full Fair Processing Notice document for details). We may also share anonymised statistical information for the purpose of improving local services, for example understanding how our populations health and how the services provided compare with similar services in other geographical areas e.g. to share good practice. We do not share information outside of the European Economic Area (EEA) without taking appropriate steps to safeguard that information.  

We would not share information that identifies you unless we have a fair and lawful basis such as:

• You have given us permission;
• We need to act to protect children and vulnerable adults;
• When a formal court order has been served upon us;
• When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
• We are complying with our legal obligations or public tasks;
• Where we are pursuing a legitimate interest;
• Emergency Planning reasons such as for protecting the health and safety of others;
• When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals

The law enables some NHS bodies, particularly NHS England, (formally NHS Digital) to collect and use anonymised patient data (e.g. that cannot identify a person) to support Commissioners to design and procure the combination of services that best suit the population they serve.

There are times where the ICB will need to share personal data with third parties, including but not limited to organisations such as the Police, the Care Quality Commission, the GMC or other professional regulators.  The ICB may also need to share information with its lawyers or others in the legal system where it relates to seeking legal advice or responding to claims.

Integrated Care Systems (ICSs) are partnerships that bring together providers and commissioners of NHS services across a geographical area with local authorities and other local partners to collectively plan health and care services to meet the needs of their population. The central aim of the ICS is to integrate care across different organisations and settings, joining up hospital and community-based services, physical and mental health, and health and social care. All parts of England are now covered by one of 42 ICSs.

In order to assure a smooth transition to the new commissioning landscape, the ICB needs to be able to share data with providers and local authorities within their ICS, so they are fully able to contribute to commissioning decisions.

The ICS Sub-License approach allows the ICB to share data they receive from NHS Digital via their commissioning agreements with members of their ICS. This will be limited to pseudonymised commissioning data without the provider unique local patient id included.

The ICS Partners will become Data Controllers in their own right for the data received under the sub-licensing, however certain rules will apply to this:

• Onward sharing of the data by ICS members is not permitted
• Data must be segregated from other datasets and additional linkage is not permitted

Data may be anonymised and linked with other data so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care data from your Doctor (GP) with other data such as hospital inpatient stays, outpatient appointments and A&E attendances. This type of data is called secondary uses service (SUS) data.  In some cases, there may also be a need to link local datasets with other services such as radiology, physiotherapy, audiology, mental health and community-based clinics and services. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

We may also contract with other organisations to process data, some of which could identify a person. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and are required to prove that robust security arrangements are in place. 

A full list of details, including the legal basis and purposes for processing information can be found in Appendix A of our full Fair Processing Notice.

The NHS England Code of Practice on Confidential Information applies to all of our staff and anyone acting on behalf of the ICB. Each are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Each are expected to make sure information is kept confidential and undertake annual training on how to do this. This is monitored by the ICB and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which codes data so that unauthorised users cannot see or make sense of it). 
 

All records held by the ICB will be kept for the duration specified by national guidance from NHSX Records Management CoP Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures. We keep a record of retention schedules within our information asset registers, in line with the NHSX Records Management Code of Practice 2021.

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

 This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

Find out more or register your choice to opt out here. 

You can change your mind about your choice at any time.
 
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Under data protection law, you have rights including:

• Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request). 
• Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 
• Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances. 
• Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances. 
• Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us if you wish to make a request:

Email:  hiowicb-hsi.hsiow-dpo@nhs.net

Postal Address: 
NHS Hampshire and Isle of Wight ICB
Omega House
112 Southampton Road
Eastleigh
Hampshire
SO50 5BP
 

Automated individual decision-making is defined as making a decision solely by automated means without any human involvement. The ICB does not use any process of this type in relation to patient identifiable data.

Everybody has the right to see, or have a copy, of data we hold that can identify you. If you want to access your data you must make the request verbally or in writing. Under special circumstances, some information may be withheld.  If you want to access your data you can do this by contacting us at:

Email: hiowicb-hsi.hsiow-dpo@nhs.net

Postal Address: 

NHS Hampshire and Isle of Wight ICB
Omega House
112 Southampton Road
Eastleigh
Hampshire
SO50 5PB

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the ICB holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Legislation under FOIA. However, you can request this under a right of access request – see section above ‘Gaining access to the data we hold about you’.

Your request must be in writing and can be either posted or emailed to:

Email: hsiccg.foi@nhs.net

Post:  
Freedom of Information enquiries
Omega House
112 Southampton Road
Eastleigh
Hampshire
SO50 5BP

Freedom of Information (FOI) requests are managed by South, Central and West (SCW) Commissioning Support Unit.

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: casework@ico.org.uk

Visit the ICO website. 

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact: 

Telephone: 0300 561 2561
Email: hiowicb-hsi.patientexperience@nhs.net  

You can also make a complaint to the ICO if you are unhappy with how the ICB has used your personal information:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 (local rate) 
Email: casework@ico.org.uk

Visit the ICO website.