Fair Processing Notice

The purpose of this notice is to inform you of the type of information (including personal information) that the NHS North of England Commissioning Support Unit processes on behalf of the Clinical Commissioning Groups (CCGs) and providers we support, how that information is used, with whom we may share that information and how we keep it secure and confidential.

How we use information

We use anonymous information for statistical purposes to allow us to help CCGs plan the commissioning of healthcare services. Examples of this include:

  • Evaluation and review of services such as checking their quality and efficiency.
  • Checking NHS accounts and services.
  • Working out what illnesses people will have in the future so that CCGs can work with the local primary care services, community services and hospital services to make sure that patient needs are met.
  • Preparing statistics on NHS performance.
  • Reviewing the care the CCGs commission to make sure it is of the highest standard.

Personal and confidential information

For the purposes listed above, we will only use anonymised data which means that individuals can not be identified. We can only use any information that may identify individuals (known as personal information) in accordance with the Data Protection Act 1998 and other laws such as the Health and Social Care Act 2012. www.legislation.gov.uk/ukpga/1998/29/contents  and  www.legislation.gov.uk/ukpga/2012/7/contents/enacted.

We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.

Therefore, as a commissioning support organisation we do not routinely hold medical records or confidential patient data. There are some specific areas, however, because of our responsibilities, where we do hold and use personal information. In order to process that information we will have met a legal requirement and will use only the minimum data allowed. Examples of where we have a lawful basis for using personal confidential data are as follows:

  • The information is necessary for direct healthcare for patients.
  • We have received consent from individuals to be able to use their information for a specific purpose.
  • There is an over-riding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
  • For the health and safety of others, for example to report an infectious disease such as meningitis or measles.
  • We have special permission for health and research purposes (granted by the Health Research Authority).
  • We have special permission called a ‘section 251 agreement’ (Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) which allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes.

The areas where we use personal information are:

  • Individual Funding Requests – a process where patients and their GPs or Consultants can request treatments not routinely funded by the NHS
  • Assessments for continuing healthcare assessments (a package of care for those with complex medical needs)
  • Responding to your queries, concerns or complaints
  • Assessment and evaluation of safeguarding concerns for individuals
  • Certain incident investigations
  • Validation of invoices to ensure that providers are reimbursed correctly for the care and treatment they have delivered to patients
  • To identify specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate care and treatment; this is known as risk stratification

Sharing information

We process and share anonymised statistical information with CCGs for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We process personal data as described above and have been granted a legal basis for processing data in this way which operates under strict controls to ensure your information is handled lawfully. We are an established Accredited Safe Haven which allows us to use limited personal data lawfully for specific purposes and operate a Controlled Environment for the processing of invoices.

Keeping information secure and confidential

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive annual training on confidentiality of information.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, secure email systems and ensuring that mobile equipment such as laptops are encrypted.

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the CSU is Dr James Gossow.

Your right to withdraw consent

You have a right in law to refuse or withdraw previously granted consent to the use of your personal information.

Access to your personal information

You are entitled to obtain a copy of the personal information held about you by the CSU. Any request to access or obtain a copy of this information will be considered under Section 7 of the Data Protection Act.

To make a request for personal information, email NECSU.IG@nhs.net or write to:

Information Governance Team
John Snow House
University Science Park
DH1 3YG.