Privacy Policy

At NHS Blackpool and NHS Fylde and Wyre Clinical Commissioning Groups (CCG) we are committed to protecting and respecting your privacy.

The CCG has various roles and responsibilities, but a major part of our work involves making sure that:

  • contracts are in place with local health service providers;
  • routine and emergency NHS services are available to patients;
  • those services provide high-quality care and value for money; and
  • those services are paid for the care and treatment they have provided.

This is called “commissioning” and is explained in more detail in the ‘our work’ section of this website.

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

As commissioning organisations, our purpose is not to provide direct care and so we do not routinely hold or receive information about patients and service users in relation to your care. We do however sometimes hold information from which people can be identified to enable us to fulfil our responsibilities as outlined above and this is explained in this notice.

Definitions

We respect your right with regard to data privacy and data protection when you communicate (online or offline) with us through our various websites, offline programs and events.

  • What is a privacy notice? Privacy notices go by many names: privacy policy, privacy statement, fair processing, or data protection notice.
  • What information do we collect? Find out what information we collect about you, what types of personal data we handle and what we do with that information.
  • Your rights: UK data protection laws give you several rights in relation to the information that Fylde and Wyre CCG holds about you.

What is a privacy notice?

A privacy notice is a statement that describes how the CCGs collect, use, retain and disclose personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and
  • Who it will be shared with

This information also explains what rights you have to control how we use your information.

The law determines how organisations can use personal information. The key laws are: The Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA), and the common law duty of confidentiality.

Below we describe instances where Blackpool CCG and Fylde and Wyre CCG are the “data controller”, for the purposes of the Data Protection Act 2018, and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

Both CCGs recognise the importance of protecting personal and confidential information in all that we do, all we direct or commission, and take care to meet our legal duties.

This part of the fair processing notice outlines the management of the notice, contact details and other access to information legislation.

Complaints about how we process your personal information

If your complaint is regarding Fylde and Wyre CCG you should contact our customer care team via:

Post: Customer care team, Jubilee House, Lancashire Business Park, Leyland, PR26 6TR
Freephone:  0800 032 2424
Telephone:  01772 777 952
Textphone:  01772 227 005
Email: mlcsu.customercarelancashire@nhs.net

If your complaint is regarding Blackpool CCG you should contact our complaints team via:

Post: Complaints Team, Blackpool Stadium, Seasiders Way, Blackpool, FY1 6JX
Email: ccgcomments@blackpool.nhs.uk

If, however, you are not satisfied that your complaint has been resolved, you have the right to contact the Information Commissioner to lodge a complaint:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
ico.org.uk

Tel: 0303 123 1113

Changes to our Privacy Notice
We keep our privacy notice under regular review and we will place any updates on this web page. This notice was last updated on 01/06/2018.

Data Protection Notification
Both Blackpool CCG and Fylde and Wyre CCG are ‘data controllers’ under the DPA. We have notified the Information Commissioner that we process personal data and the details are publicly available from the:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
ico.org.uk

Blackpool CCG Registration number:  ZA001543
Fylde and Wyre CCG Registration number: ZA001559

How to contact us
Please contact us via our Data Protection Officer Patricia Butcher if you have any questions about our privacy notice or information we hold about you:

Email: fwccg.dataprotection@nhs.net
Phone: 01253 953531

What information do we collect at Blackpool CCG?

We only collect and use your information for the lawful purposes of administering the business of Blackpool CCG.

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. In order to do so effectively we are often required to process personal data i.e. that which identifies a living individual.

We also process special category data. This is personal data which the Data Protection Act 2018 (DPA) says is more sensitive, and so needs more protection:

  • racial and ethnic origin
  • offences (including alleged offences), criminal proceedings, outcomes and sentences
  • trade union membership
  • religious or similar beliefs
  • employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for Staff.

In terms of patient information, the special category data we process includes:

  • physical or mental health details
  • racial and ethnic origin
  • sexual life

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent. You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice

If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

How will NHS Blackpool CCG use information about you?

NHS Continuing Healthcare

Purpose and legal basis for processing
NHS Continuing Healthcare (CHC) is explained by the NHS website here.

To determine if someone is eligible for CHC and to then arrange a care and support package that meets their assessed needs, information about the individual will need to be collected, reviewed and shared with care providers such as care homes. As the CCG has a duty to provide CHC services, this allows for the collection of information about individuals for this purpose, the use of that information and the sharing of it with third parties who need to be involved in the process; we will make sure that we keep the individual concerned informed at all times of who will be providing or receiving data about them and why.

The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 6 places a duty on CCGs to make provision for, i.e. provide, CHC services. As such, Blackpool CCG’s legal basis for processing this personal data under GDPR is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’

Sources of the data
The personal data are submitted by the CCG and the applicant for review.

Categories of personal data
The information CCGs use to assess eligibility, and which may be submitted to an Independent Review Panel, fall under the following headings:

  • behaviour
  • cognition (understanding)
  • communication
  • psychological/emotional needs
  • mobility
  • nutrition (food and drink)
  • continence
  • skin (including wounds and ulcers)
  • breathing
  • symptom control through drug therapies and medication
  • altered states of consciousness
  • other significant needs

The obtained records that relate to these areas may include Care Home records, Health Records (for example GP, Hospital, Mental Health, District Nursing) and Social Care Records.

Recipients of personal data
Personal data relating to the application is received by Midlands and Lancashire Commissioning Support Unit Continuing Healthcare teams and the members of the review panel. An Independent Review Panel is made up of:

  • an independent chair
  • a representative nominated by a Clinical Commissioning Group (not involved in the case);
  • a representative nominated by a Local Authority (not involved in the case); and
  • at times there is also a clinical advisor in attendance.

Complaints and enquiries

Purpose and Legal basis for processing

Most NHS care and treatment goes well but sometimes things can go wrong. If you are unhappy with your care or the service you have received, it is important to let us know so we can improve. When Blackpool CCG receive a complaint, to allow it to be fairly and thoroughly managed, in most cases personal information will be required. CCGs have statutory duties (Section 6 of the Local Authority Social Services and National Health Service Complaints [England] Regulations (2009) (under section 113 “Complaints about Healthcare” of the Health and Social Care (Community Health and Standards) Act 2003)) which allow the processing of personal data in relation to complaints.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a CCG.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, and Schedule 1 part 2(6) of the DPA 2018, which relates to statutory and government purposes.

Sources of personal data

Blackpool CCG will generally collect/receive information when members of the public, their representatives, or members of Parliament, contact us with concerns or enquiries. In order to process a complaint Blackpool CCG will collect the relevant information at the point of contact to enable the team to provide a sufficient response to the request.

Categories of personal data

Information relating to complaints would generally include the following categories of personal data:

  • Patient’s name
  • Patient’s address
  • Patient’s contact number
  • GP Surgery
  • Patient’s NHS number
  • Patient’s date of birth
  • Representative details (if applicable)
  • Representative address (if applicable)
  • The nature of the complaint

Recipients of personal data

The recipients of personal data relating to complaints include:

  • Any team within the CCG that may receive an enquiry or complaint
  • Midlands and Lancashire Commissioning Support Unit who manage complaints on behalf of the CCG under contract
  • Relevant providers (with the consent of the data subject) in order to fully investigate the complaint being made

Do we use any processors?

Yes – Blackpool CCG commission Midlands and Lancashire Commissioning Support Unit to provide these services on their behalf.

Communications and engagement

Purpose and legal basis for processing

Blackpool CCG offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from the CCG, opportunities, events and details on how to get involved.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them. We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this. Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

Source of personal data

The personal data is provided by data subjects when signing up to receive one of our newsletters, either via our website or by completing one of our sign-up forms at one of the stakeholder events we hold from time to time.

Categories of Personal Data

We only require you to provide us with your name and email address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Recipients of personal data

The information you provide as a member of one of our patient involvement groups is never shared outside of Blackpool CCG.

Do we use any processors?

Yes – We use MailChimp to manage our contact database and deliver our newsletters. For more information, please see MailChimp’s Privacy notice.

We occasionally use Survey Monkey to operate our surveys. For more information, please see Survey Monkey’s Privacy Notice.

How to withdraw your consent

If at any point you wish to remove your consent for information to be saved please email communications@blackpool.nhs.uk or write to

NHS Blackpool CCG
Complaints Team
Blackpool Stadium
Seasiders Way
Blackpool
FY1 6JX

Individual funding requests

Purpose and Legal basis for processing

The NHS has a duty to spend the money it receives from the Government in a fair way, taking into account the health needs of the whole community. The CCG’s role is to ensure it gets best value for this money by spending it wisely on behalf of the public.

CCGs pay for local NHS health services and NHS England pays for highly specialised health services. The CCGs have a legal duty to provide health services for patients in the county with the fixed amount of money they have received from the Government. They have a legal duty not to spend more than this. This means that some hard choices have to be made. Not all treatments can be provided by the NHS. Treatments that are limited by CCGs are shown in their Clinical Commissioning Policies.

However, the CCGs know that there will always be times when a patient would benefit from a particular treatment not usually given by the NHS. To apply for this treatment, an Individual Funding Request is made. To allow the CCG to consider these requests, access to both personal and health information regarding the individual to whom the request relates is required. As the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 7, Regulation 34 places a duty on CCGs in respect of the funding and commissioning of drugs and other treatments, this provides the CCG with a legal basis to use personal data as part of this process.

Blackpool CCG commission Midlands and Lancashire Commissioning Support Unit (MLCSU) to provide these services on their behalf.

Source of personal data

The information may be provided by a clinician who submits an IFR application form on behalf of a patient.

Categories of personal data

The IFR application form includes NHS number, name and address, date of birth, GP details, diagnosis, requested intervention and other information relevant to the request. Gender and ethnicity are also collected and held in anonymous form for equality monitoring.

Categories of recipients

Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

Invoice validation

Purpose and Legal basis for processing

Invoice validation is an important process. It involves using your NHS number to check that we are the CCG that is responsible for paying for your treatment.

There are situations where identifiable patient personal data is required to ensure that the correct service provider is paid.

In such cases, service providers are required to send identifiable patient personal data such as the NHS Number to a Controlled Environment for Finance (CEfF). Midlands and Lancashire Commissioning Support Unit is an accredited Controlled Environment for Finance (CEfF) which enables them to process patient identifiable information on behalf of Blackpool CCG without consent for the purposes of invoice validation. We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

NHS England has published guidance on how invoices must be processed, and Commissioners have a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

Under the NHS Act 2006, provision is made for the sharing of patient information that is in the interests of improving patient care or deemed to be in the public interest. This is commonly referred to as a Section 251 exemption that allows the common law duty of confidentiality to be bypassed in order to fulfil a task in the interests of improving patient care or in the public interest. The specific reference for this exemption is: CAG 7-07(a)(b)(c)/2013. As such, our legal basis under GDPR is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Sources of the data
The sources of data are providers who submit invoices to NHS Shared Business Services for payment.

Categories of Personal data
The data required for effective invoice validations can be found in Appendix B of “Who Pays? Information Governance Advice for Invoice Validation” which you can find here.

Recipients of personal data
Midlands and Lancashire Commissioning Support Unit is the only organisation that will have received personal data relating to invoice validation as an accredited Controlled Environment for Finance.

Risk stratification

Purpose and legal basis for processing
Health care commissioners need information about the treatment of patients to review and plan current and future health care services. To do this they need to be able to see information about the health care provided to patients which can include patient level data.

The law says commissioners are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. So they need an intermediary service called Data Services for Commissioners Regional Office (DSCRO), which specialises in processing, analysing and packaging patient information within a secure environment into a format commissioners can legally use: anonymised patient level data. You can find more comprehensive information about this on the NHS Digital Website.

NHS Digital is able to disseminate data to commissioners under the Health and Social Care Act (2012). The act provides the powers for NHS Digital to collect, analyse and disseminate national data and statistical information. To access this data organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements. For GDPR purposes Blackpool CCG’s lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care to support NHS commissioning organisations and the commissioning functions within local authorities.

GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care, however the CCG can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS Digital or other health care provider, the GP will ask for your permission to access the details of that information.

Source of personal data
Personal data is supplied by GPs and NHS Digital (commissioning datasets).

Categories of Personal data
Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services (Secondary Use Services data). This is linked to data collected in GP practices and analysed to produce a risk score.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Information on care provided for all patients by Health Care Providers (both NHS and Independent Sector Healthcare Providers for NHS patients only) must be submitted to the Secondary Uses Service according to the Commissioning Data Set Mandated Data Flows guidelines.

The data extract will exclude patients who have expressed a wish not to share information. Reports produced from the system that include identifiable data are only provided back to your GP or a member of your care team, as data controller, in an identifiable form.

Your GP can provide more information about any risk stratification programme they are using. Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager at your surgery to discuss how the disclosure of your personal information can be limited.

Recipients of personal data
The combined CCGs Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks. Blackpool CCG does not have access to identifiable information.

Safeguarding

Information in the CCG is held for a specific length of time depending on the type of information it is. The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: NHS Digital Records Management Code of Practice for Health and Social Care 2016.

Once information has been reviewed and is no longer required to be kept under a retention period, it will be securely destroyed.

Security of your information
Blackpool CCG take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. Alongside the Data Protection Officer (DPO), we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual information governance training and are provided with an information governance handbook that they are required to read and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

eReferral

Purposes and legal basis for processing
The CCG has to ensure that arrangements are in place for patients to be offered an appointment which best suits their needs, including time, date and location. Patients contact the CCG Choice and Referral team following an appointment with a potential referrer, such as a GP. The aim is to ensure consistency with only appropriate referrals, as set out by the relevant CCG policy, proceeding to provider services in order to reduce inappropriate activity.

Under GDPR, the legal basis for processing eReferral data is Article 6(1)(c) ‘processing necessary for compliance with a legal obligation to which the controller is subject’ or 6(1)(e) ‘the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Categories of personal data
Typically, referrals received by the CCG contain the name, address, contact number, NHS Number and unique booking reference number. Limited clinical data and referral information relating to the request may also be processed.

Sources of the data
Typically data is supplied to the CCG from local referrers, such as GPs. Data subjects or their representatives may also contact the CCG to arrange their referral.

Recipients of personal data
All information held by the CCG will only be for the purposes of processing a referral or to pass on for further triage. Subsequent sharing of data may flow to and from GP practices, the Booking and Choice Triage Service, the Information Funding Request Panel and Acute or Community Providers.

Quality

Purpose and basis for processing
Blackpool has a duty to the improvement of quality and delivery of services and uses incident events, investigation, evidence and reports relating to incidents under various policy and procedural structures.

An incident requiring investigation is defined as an incident that occurred in relation to NHS funded services and care resulting in unexpected or avoidable death, harm or injury to patient, carer, staff or visitor. In order to promote quality and compliance, Blackpool has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

Categories of personal data
NHS Number and other personal details, including relevant healthcare records and information about the incident, including others involved or impacted by the event are used by the CCG to facilitate incident investigations.

Sources of the data
Data received in order to fulfil the duties relating to the incident investigation will be received directly from the reporting organisation, such as a GP practice or provider.

Recipient of personal data
Information relating to outcomes will be sent back to the relevant providers.

Children’s information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

What information do we collect at Fylde and Wyre CCG?

We only collect and use your information for the lawful purposes of administering the business of Fylde and Wyre CCG.

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. In order to do so effectively we are often required to process personal data i.e. that which identifies a living individual.

We also process special category data. This is personal data which the Data Protection Act 2018 (DPA) says is more sensitive, and so needs more protection:

  • racial and ethnic origin
  • offences (including alleged offences), criminal proceedings, outcomes and sentences
  • trade union membership
  • religious or similar beliefs
  • employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for Staff.

In terms of patient information, the special category data we process includes:

  • physical or mental health details
  • racial and ethnic origin
  • sexual life

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.


How will Fylde and Wyre CCG use information about you?

NHS Continuing Healthcare

NHS Continuing Healthcare (CHC) is explained by NHS Choices here.

To determine if someone is eligible for CHC and to then arrange a care and support package that meets their assessed needs, information about the individual will need to be collected, reviewed and shared with care providers such as care homes. As the CCG has a duty to provide CHC services, this allows for the collection of information about individuals for this purpose, the use of that information and the sharing of it with third parties who need to be involved in the process; we will make sure that we keep the individual concerned informed at all times of who will be providing or receiving data about them and why.

The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 6 places a duty on CCGs to make provision for, i.e. provide, CHC services. As such, Fylde and Wyre CCG’s legal basis for processing this personal data under GDPR is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Sources of the data

The personal data are submitted by the CCG and the applicant for review.

Categories of personal data

The information CCGs use to assess eligibility, and which may be submitted to an Independent Review Panel, falls under the following headings:

  • behaviour
  • cognition (understanding)
  • communication
  • psychological/emotional needs
  • mobility
  • nutrition (food and drink)
  • continence
  • skin (including wounds and ulcers)
  • breathing
  • symptom control through drug therapies and medication
  • altered states of consciousness
  • other significant needs

The obtained records that relate to these areas may include Care Home records, Health Records (for example GP, Hospital, Mental Health, District Nursing) and Social Care Records.

Recipients of personal data

Personal data relating to the application is received by Midlands and Lancashire Commissioning Support Unit Continuing Healthcare teams and the members of the review panel. An Independent Review Panel is made up of:

  • an independent chair
  • a representative nominated by a Clinical Commissioning Group (not involved in the case);
  • a representative nominated by a Local Authority (not involved in the case); and
  • at times there is also a clinical advisor in attendance

Do we use any processors?

Yes – Fylde and Wyre CCG commission Midlands and Lancashire Commissioning Support Unit to provide these services on their behalf.

Complaints and enquiries

Most NHS care and treatment goes well but sometimes things can go wrong. If you are unhappy with your care or the service you have received, it is important to let us know so we can improve.  When Fylde and Wyre CCG receive a complaint, to allow it to be fairly and thoroughly managed, in most cases personal information will be required. CCGs have statutory duties (Section 6 of the Local Authority Social Services and National Health Service Complaints [England] Regulations (2009) (under section 113 “Complaints about Healthcare” of the Health and Social Care (Community Health and Standards) Act 2003)) which allow the processing of personal data in relation to complaints.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a CCG.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, together with Schedule 1 part 2(6) of the DPA 2018, which relates to statutory and government purposes.

Sources of personal data

Fylde and Wyre CCG will generally collect/receive information when members of the public, their representatives, or members of Parliament, contact us with concerns or enquiries. In order to process a complaint Fylde and Wyre CCG will collect the relevant information at the point of contact to enable the team to provide a sufficient response to the request.

Categories of personal data

Information relating to complaints would generally include the following categories of personal data:

  • Patient’s name
  • Patient’s address
  • Patient’s contact number
  • GP Surgery
  • Patient’s NHS number
  • Patient’s date of birth
  • Representative details (if applicable)
  • Representative address (if applicable)
  • The nature of the complaint

Recipients of personal data

The recipients of personal data relating to complaints include:

  • Any team within the CCG that may receive an enquiry or complaint
  • Midlands and Lancashire Commissioning Support Unit who manage complaints on behalf of the CCG under contract
  • Relevant providers (with the consent of the data subject) in order to fully investigate the complaint being made

Do we use any processors?

Yes – Fylde and Wyre CCG commission Midlands and Lancashire Commissioning Support Unit to provide these services on their behalf.

Communications and engagement

Fylde and Wyre CCG offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from the CCG, opportunities, events and details on how to get involved.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them. We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this. Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

Source of personal data

The personal data is provided by data subjects when signing up to receive one of our newsletters, either via our website or by completing one of our sign-up forms at one of the stakeholder events we hold from time to time.

Categories of Personal data

We only require you to provide us with your name and email address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Recipients of personal data

The information you provide as a member of one of our patient involvement groups is never shared outside of Fylde and Wyre CCG.

Do we use any processors?

No

Consent can be withdrawn at any time by emailing fwccg.dataprotection@nhs.net

Individual Funding Requests

The NHS has a duty to spend the money it receives from the Government in a fair way, taking into account the health needs of the whole community. The CCG’s role is to ensure it gets best value for this money by spending it wisely on behalf of the public.

CCGs pay for local NHS health services and NHS England pays for highly specialised health services. The CCGs have a legal duty to provide health services for patients in the county with the fixed amount of money they have received from the Government. They have a legal duty not to spend more than this. This means that some hard choices have to be made. Not all treatments can be provided by the NHS. Treatments that are limited by CCGs are shown in their Clinical Commissioning Policies http://www.fyldeandwyreccg.nhs.uk/resources/our-policies/

However, the CCGs know that there will always be times when a patient would benefit from a particular treatment not usually given by the NHS. To apply for this treatment, an Individual Funding Request is made. To allow the CCG to consider these requests, access to both personal and health information regarding the individual to whom the request relates is required.  As the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 7, Regulation 34 places a duty on CCGs in respect of the funding and commissioning of drugs and other treatments, this provides the CCG with a legal basis to use personal data as part of this process.

Fylde and Wyre CCG commission Midlands and Lancashire Commissioning Support Unit (MLCSU) to provide these services on their behalf.

Source of personal data

The information may be provided by a clinician who submits an IFR application form on behalf of a patient.

Categories of personal data

The IFR application form includes NHS number, name and address, date of birth, GP details, diagnosis, requested intervention and other information relevant to the request. Gender and ethnicity are also collected and held in anonymous form for equality monitoring.

Categories of recipients

Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

Invoice validation

Invoice validation is an important process. It involves using your NHS number to check that we are the CCG that is responsible for paying for your treatment.

There are situations where identifiable patient personal data is required to ensure that the correct service provider is paid.

In such cases, service providers are required to send identifiable patient personal data such as the NHS Number to a Controlled Environment for Finance (CEfF). Midlands and Lancashire Commissioning Support Unit is an accredited Controlled Environment for Finance (CEfF) which enables them to process patient identifiable information on behalf of Fylde and Wyre CCG without consent for the purposes of invoice validation. We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

NHS England has published guidance on how invoices must be processed, and Commissioners have a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

Under the NHS Act 2006, provision is made for the sharing of patient information that is in the interests of improving patient care or deemed to be in the public interest. This is commonly referred to as a Section 251 exemption that allows the common law duty of confidentiality to be bypassed in order to fulfil a task in the interests of improving patient care or in the public interest. The specific reference for this exemption is: CAG 7-07(a)(b)(c)/2013. As such, our legal basis under GDPR is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Sources of the data

The sources of data are providers who submit invoices to NHS Shared Business Services for payment.

Categories of Personal data

The data required for effective invoice validations can be found in Appendix B of “Who Pays? Information Governance Advice for Invoice Validation”, which you can find here:

https://www.england.nhs.uk/wp-content/uploads/2013/12/who-pays-advice.pdf

Recipients of personal data

Midlands and Lancashire Commissioning Support Unit, as an accredited Controlled Environment for Finance, is the only organisation that will receive personal data relating to invoice validation.

Risk stratification

Health care commissioners need information about the treatment of patients to review and plan current and future health care services. To do this they need to be able to see information about the health care provided to patients which can include patient level data.

The law says commissioners are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. So they need an intermediary service called Data Services for Commissioners Regional Office (DSCRO), which specialises in processing, analysing and packaging patient information within a secure environment into a format commissioners can legally use: anonymised patient level data. You can find more comprehensive information about this on the NHS Digital Website.

NHS Digital is able to disseminate data to commissioners under the Health and Social Care Act (2012). The act provides the powers for NHS Digital to collect, analyse and disseminate national data and statistical information. To access this data organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements. For GDPR purposes Fylde and Wyre CCG’s lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care to support NHS commissioning organisations and the commissioning functions within local authorities.

GPs are able to identify individual patients from the risk-stratified data when it is necessary to discuss the outcome and consider preventative care, however the CCG can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS Digital or other health care provider, the GP will ask for your permission to access the details of that information.

Source of personal data

Personal data is supplied by GPs and NHS Digital (commissioning data sets).

Categories of Personal data

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services (Secondary Use Services data).  This is linked to data collected in GP practices and analysed to produce a risk score.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Information on care provided for all patients by Health Care Providers (both NHS and Independent Sector Healthcare Providers for NHS patients only) must be submitted to the Secondary Uses Service according to the Commissioning Data Set Mandated Data Flows guidelines.

The data extract will exclude patients who have expressed a wish not to share information. Reports produced from the system that include identifiable data are only provided back to your GP or a member of your care team, as data controller, in an identifiable form.

Your GP can provide more information about any risk stratification programme they are using. Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager at your surgery to discuss how the disclosure of your personal information can be limited.

Recipients of personal data

The combined CCGs Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks. Fylde and Wyre CCG does not have access to identifiable information.

Safeguarding

Purposes and basis for processing

Fylde and Wyre CCG is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied, with the wellbeing of all at the heart of what we do.

Our legal basis for processing for General Data Protection Regulation (GDPR) purposes is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of special categories data, the basis is Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Categories of personal data

The data collected by Fylde and Wyre CCG staff including its hosted bodies in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

Sources of the data

Fylde and Wyre CCG will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns and make enquiries to relevant providers.

Recipients of personal data

The information is used by Fylde and Wyre CCG when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as Local Authorities, the Police and healthcare professionals (i.e. their GP or mental health team).

eReferral

Fylde and Wyre CCG must ensure that arrangements are in place for patients to be offered an appointment which best suits their needs; including time, date and location. Patients contact Fylde and Wyre CCG Choice and Referral team following an appointment with a potential referrer; such as a GP. The aim is to ensure consistency with only appropriate referrals, as set out by the relevant CCG policy, proceeding to provider services in order to reduce inappropriate activity.

Under GDPR, the legal basis for processing eReferral data is Article 6(1)(c) ‘processing necessary for compliance with a legal obligation to which the controller is subject’ or 6(1)(e) ‘the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Categories of personal data

Typically, referrals received by Fylde and Wyre CCG contain the name, address, contact number, NHS Number and unique booking reference number. Limited clinical data and referral information relating to the request may also be processed.

Sources of the data

Typically data is supplied to the CCG from local referrers, such as GPs. Data subjects or their representatives may also contact the CCG to arrange their referral.

Recipients of personal data

All information held by the CCG will only be for the purposes of processing a referral or to pass on for further triage. Subsequent sharing of data may flow to and from GP practices, the Booking and Choice Triage Service, the Information Funding Request Panel and Acute or Community Providers.

Assuring Transformation

The Department of Health published ‘Transforming Care: A national response to Winterbourne View Hospital and the Concordat: Programme of Action’ in December 2012. The purpose of this data collection is to ensure that the public awareness of the NHS commitments in the Winterbourne View Concordat is transparent and robust. By collecting this data, the CCG is able to achieve the most appropriate outcomes for ‘people with a learning disability or autism, who may also have mental health needs or behaviour that challenges’.

Under the NHS Act 2006, provision is made for the sharing of patient information that is in the interests of improving patient care or deemed to be in the public interest. This is also referred to as a Section 251 exemption. A Section 251 exemption has been granted for the delivery of Assuring Transformation work programmes. Therefore, our lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’.

Source of personal data

Data is received by Fylde and Wyre CCG from local providers who are providing care to any patient who has ‘any status under the Mental Health Act (informal or detained).’

Categories of Personal Data

The Assuring Transformation Programme relies upon collecting healthcare information such as NHS number and information relating to a patient’s current treatment, such as how long they have been in hospital for, when their care and treatment is checked and what kind of hospital they are in. Additional information such as any levels of security assigned to an individual (general/low/medium/high) currently in care as well as their status under the Mental Health Act (informal or detained) is also collected.

Recipients of Personal Data

Data collected for this purpose is shared with NHS Digital.

Quality

Purpose and basis for processing

Fylde and Wyre CCG has a duty to the improvement of quality and delivery of services and uses incident events, investigation, evidence and reports relating to incidents under various policy and procedural structures.

An incident requiring investigation is defined as an incident that occurred in relation to NHS funded services and care resulting in unexpected or avoidable death, harm or injury to patient, carer, staff or visitor. In order to promote quality and compliance, Fylde and Wyre CCG has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

Categories of personal data

NHS Number and other personal details, including relevant healthcare records and information about the incident, including others involved or impacted by the event are used by the CCG to facilitate incident investigations.

Source of personal data

Data received in order to fulfil the duties relating to incident investigation will be received directly from the reporting organisation, such as a GP practice or provider.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers.

Children’s Information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

Automated Decision Making

Fylde and Wyre CCG does not use automated individual decision-making (making a decision solely by automated means without any human involvement).

How we use information provided by NHS Digital

We use information collected by NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund.

The data we receive does not include patients’ names or home addresses, but it will usually include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and unless we have a legal basis to use identifiable data, de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity.

You can find more information about this in the sections on invoice validations and risk stratification.

Retaining information

Information in the CCG is held for a specific length of time depending on the type of information it is.  The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: NHS Digital Records Management Code of Practice for Health and Social Care 2016

Once information has been reviewed and is no longer required to be kept under a retention period, it will be securely destroyed.

Security of your information

Fylde and Wyre CCG takes its duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

Alongside the Data Protection Officer (DPO), we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual information governance training and are provided with an information governance handbook that they are required to read and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality.  Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

Your rights

The right to be informed

You have the right to be informed about the collection and use of your personal data. This privacy notice is one of our key methods for providing you with this information. In addition to this notice, we will provide you with more specific information at the time we collect personal data from you, such as when you apply for continuing healthcare or make a complaint to us.

The right of access

You have the right to ask us for confirmation of whether we process data about you and if we do, to have access to that data so you are aware and can verify the lawfulness of the processing.

You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf.  A child’s parent or guardian, a patient representative, or a person appointed by the Court may also apply. If you wish to ask us for confirmation of whether we process data about you or access your personal data, then please contact fwccg.dataprotection@nhs.net.

The right to rectification

You are entitled to have personal data that we hold about you rectified if it is inaccurate or incomplete. If we have passed the data concerned on to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves a disproportionate effort. If this is the case, we will explain to you why.

The right to erasure

You have the right to have personal data we hold about you erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • If you withdraw your consent for us to process your data (if this was the basis on which it was collected).
  • The personal data was unlawfully processed (i.e. a breach of UK data protection laws).
  • The personal data has to be erased in order to comply with a legal obligation.

However, if we have collected and are processing data about you to comply with a legal obligation for the performance of a public interest task or exercise of official authority, i.e. because we have a legal duty to do so in our functioning as a CCG, then the right to erasure does not apply.

The right to restrict processing

You have the right to ‘block’ or suppress processing of your personal data. If you exercise this right, we can still store your data but not further process it, and we will retain just enough information about you to ensure that the restriction is respected in future.

You can ask us to restrict the processing of your personal data in the following circumstances:

  • If you contest the accuracy of the data we hold about you, we will restrict the processing until the accuracy of the data has been verified;
  • If we are processing your data as it is necessary for the performance of a public interest task and you have objected to the processing, we will restrict processing while we consider whether our legitimate grounds for processing are overriding;
  • If the processing of your personal data is found to be unlawful but you oppose erasure and request restriction instead; or
  • If we no longer need the data we hold about you, but you require the data to establish, exercise or defend a legal claim.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction on the processing of the personal data – unless this proves impossible or involves disproportionate effort. If asked, we must also inform you about these recipients.

We will inform you if we decide to lift a restriction on processing.

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. However, it only applies where we are processing your personal data based on your consent for us to do so or for the performance of a contract, and where the processing is carried out by automated means. This means that currently, the CCG does not hold any data which would be subject to the right to data portability.

The right to object

Where the CCG processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing.

You must have an objection on grounds relating to your particular situation.

If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

Rights in relation to automated decision making and profiling

As we do not make any decisions based solely on automated processing, individuals’ rights in relation to personal data processed in this way are not applicable.

If the CCG processes data about you on the basis that you have given your consent for us to do so, you have the right to withdraw that consent at any time. Where possible, we will make sure that you are able to withdraw your consent using the same method as when you gave it.

If you withdraw your consent, we will stop the processing as soon as possible.  To withdraw your consent please email fwccg.dataprotection@nhs.net

Employee Privacy Notice

During the course of its employment activities, Fylde & Wyre CCG collects, stores and processes personal information about prospective, current and former staff.

This Privacy Notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal data do we handle?

In order to carry out our activities and obligations as an employer, we handle data in relation to:

  • Contact details such as names, addresses, telephone numbers
  • Emergency contact(s)
  • Education and training, incl. development reviews (appraisals)
  • Employment / identity records (including professional membership, qualifications, references and proof of identity and eligibility to work in the UK)
  • Bank details
  • Pay, benefits and Pension details (incl. National Insurance number)
  • Information around travel and subsistence; expenses
  • For staff driving a vehicle for work purposes: vehicle details, details of driving licence and vehicle insurance, tax, MOT etc.
  • Personal demographics (including protected characteristics such as gender, race, ethnicity, sexual orientation, religion, date of birth, marital status, nationality)
  • Medical information including mental and physical health
  • Information relating to health and safety
  • Trade union membership
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Employment Tribunal applications, Employee Relations cases, complaints, accidents, and incident details
  • Employment details (position, salary, FTE etc.)
  • Status in relation to organisational change
  • Support provided under employee assistance programmes

Please note this list is not exhaustive and may change over time.

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes.

What is the purpose of processing data?

  • Staff administration and management (including payroll, performance and monitoring)
  • Pensions administration
  • Business management and planning
  • Accounting and Auditing
  • Accounts and records
  • Crime prevention and prosecution of offenders
  • Education
  • Health administration and services
  • Information and databank administration
  • Sharing and matching of personal information for national fraud initiative

Legal basis for processing

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is GDPR Article 6(1)(b) – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.

For other processing of personal data about our employees, our legal basis is Article 6(1)(e) – ‘…exercise of official authority…’.

Where we process special categories data for employment purposes the condition is: Article 9(2)(b) – ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.

For the processing of information about the health of our workforce, the legal basis is: Article 9(2)(h) – ‘ …processing is necessary for the purposes of preventive or occupational medicine…assessment of the working capacity of the employee…the provision of health or social care…’.

Sharing your information

There are a number of reasons why we may have to share your personal information with third parties.

There may be circumstances where information is shared without your consent, for example:

  • The disclosure is necessary for a statutory function of the CCG or the third party to whom the information is being disclosed;
  • There is a statutory obligation to share the data; for example, making returns to the Cabinet Office, Department of Health, Office of National Statistics etc.
  • Disclosure is required for the performance of a contract
  • Disclosure is necessary to protect your vital interest; for example, in medical emergency situations
  • Disclosure is made to assist with prevention or detection of crime, or the apprehension or prosecution of offenders
  • Disclosure is required by a Court Order
  • Disclosure is necessary to assist the CCG to obtain legal advice

Use of Third-Party Companies

To enable effective staff administration, Blackpool or Fylde and Wyre CCG may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Recruitment, Employee Records and Contracts Administration (Midlands and Lancashire CSU)

Midlands and Lancashire CSU works in partnership with the CCG to provide a shared HR service. We share information with the Midlands and Lancashire CSU and allow them access to employee personal data as they are responsible for undertaking our recruitment (including pre-employment checks); creating and updating all employee data in ESR (see below); and maintaining employee personal files. Midlands and Lancashire CSU may work with external service providers in order to provide this service, e.g. electronic recruitment systems and criminal record check systems.

Payroll and Pensions Administration (Blackpool Teaching Hospitals NHS Foundation Trust)

The payroll of the CCG is managed by Blackpool Teaching Hospitals NHS Foundation Trust. Your personal information will be made available to Blackpool Teaching Hospitals NHS Foundation Trust through the Electronic Staff Record (ESR) (see below) in order to allow them to pay your salary and any associated expenses, to make appropriate deductions and to comply with our legal and statutory obligations. From time to time we may need to share additional information to that held in ESR with Blackpool Teaching Hospitals NHS Foundation Trust in order to ensure that they deliver the services we require and continue to meet statutory or contractual obligations. Data will also be shared with pensions providers, e.g. NHS Pensions.

Electronic Staff Record (ESR)

Your personal information may also be used to fulfil other employer responsibilities, for example, to maintain appropriate occupational health records, comply with health and safety obligations, carry out any necessary security checks and all other employment-related matters. In addition, the information held may be used in order to send to you information which is relevant to our relationship with you. Your information will only be disclosed as required by law or to our appointed agents and/or service providers who may be used for a variety of services; for example, processing of payroll and provision of pensions administration or staff surveys.

IBM, who provide ESR, and its partners as service providers will be responsible for maintaining the system. This means that they may occasionally need to access your staff record, but only to ensure that the ESR works correctly. Where this happens, access will be very limited and is only to allow any problems with the computer system to be investigated and fixed as necessary. They will not have the right to use this data for their own purposes and contracts are in place with the Department of Health to ensure that the data is protected and that they only act on appropriate instructions. IBM and the ESR Central Team may access anonymised data about transactions on the ESR system in order to support the development and optimal use of the system.

Some of your personal information from ESR will be transferred to a separate database, known as the Data Warehouse. This will be used by various Government and other bodies (listed below) to meet their central and strategic reporting requirements. It will allow them to access certain personal information to generate the reports that they need and are entitled to. The Data Warehouse is intended to provide an efficient way of sharing information. Organisations currently granted access to the Data Warehouse are: NHS Digital, NHS Employers, Health Education England and its local committees (LETBs), Deaneries, Department of Health, Welsh Government, NHS Wales Shared Services Partnership, Care Quality Commission, NHS Trust Development Authority, and Monitor. The government may allow further organisations to have access in the future and therefore an exhaustive list cannot be provided; however, any organisation having access to your data will have a legal justification for access.

Occupational Health Service Provider

The CCG’s Occupational Health Service is managed by an external provider – People Assessment Management (PAM). Your personal information will need to be shared with the provider as and when required in order to allow them to provide CCG employees and managers with the services required.

Internal Audit

We provide information to our internal audit function which is provided by an external service provider (Mersey Internal Audit Agency) in order to ensure the CCG has good processes and systems to manage and protect public funds.

Prevention and Detection of Crime and Fraud

The CCG is responsible for protecting the public funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

National Fraud Initiative Privacy Notice

NHS Blackpool and NHS Fylde and Wyre CCGs are required by law to protect the public funds they administer. They may share information provided to them with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

Staff personal data such as contact details may be provided to bodies responsible for auditing, administering public funds or where undertaking a public function for the purposes of preventing and detecting fraud. This is done in line with the Cabinet Office’s National Fraud Initiative, a data matching exercise that is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Data matching by the Cabinet Office is subject to a Code of Practice.

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. For further information on data matching at Fylde and Wyre CCG contact:

Darrell Davies
Counter Fraud Specialist
Email: darrell.davies@miaa.nhs.uk / darrell.davies@nhs.net
Telephone: 0151 285 4520

Other Bodies

We may also share your personal information due to:

  • Our obligations to comply with current legislation
  • Our duty to comply with any Court Order which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation or other legal basis for disclosure.

We may obtain and share personal data with a variety of other bodies, which may include:

  • Her Majesty’s Revenue and Customs (HMRC)
  • Disclosure and Barring Service
  • Home Office
  • Child Support Agency
  • Internal Audit, service currently provided by Deloitte LLP
  • NHS Counter Fraud Authority
  • Department of Health
  • Central government, government agencies and departments
  • Other local authorities and public bodies
  • Ombudsman and other regulatory authorities
  • Courts/Prisons
  • Financial institutions, e.g. banks and building societies, for approved mortgage references
  • Credit Reference Agencies
  • Utility providers
  • Educational, training and academic bodies
  • Law enforcement agencies including the Police, the Serious Organised Crime Agency
  • Emergency services, e.g. the Fire and Rescue Service
  • Auditors e.g. Audit Commissioner
  • Department for Work and Pensions (DWP)
  • The Assets Recovery Agency
  • Relatives or guardians of an employee where there is a legal duty to do so

What if the data you hold about me is incorrect?

It is important that the information which we hold about you is up to date. If you believe that the information we hold is incorrect, in the first instance please contact your line manager or workforce team at mlcsu.hrservices@nhs.net

How long do we keep your information?

We hold data securely in line with the Records Management Code of Practice for Health and Social Care 2016 https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016

Individuals’ Rights

Data protection laws give individuals rights in respect of the personal information that we hold about you. These are:

  • To be informed why, where and how we use your information.
  • To ask for access to your information.
  • To ask for your information to be corrected if it is inaccurate or incomplete.
  • To ask for your information to be deleted or removed where there is no need for us to continue processing it.
  • To ask us to restrict the use of your information.
  • To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
  • To object to how your information is used.
  • To challenge any decisions made without human intervention (automated decision making)

Further information about these individual rights is provided in the CCGs’ IG & Data Security and Protection Policies and IG Handbook which can be found in our document library.

Requesting Access to your Personal Data

Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information, should you have any further queries on the uses of your information, or should you wish to lodge a complaint about the use of your information, please contact the CCGs’ Data Protection Officer:

Patricia Butcher
Information Governance Manager
Blackpool Teaching Hospitals NHS Foundation Trust
Email: patricia.butcher1@nhs.net
Telephone: 01253 953531

Last updated on 7 January 2019 at 11:38 by communications manager