The purpose of this notice is to inform you of the type of information (including personal information) that the CSU processes on behalf of the Clinical Commissioning Groups (CCGs) and providers we support, how that information is used, with whom we may share that information and how we keep it secure and confidential.
How we use information
We use anonymous information for statistical purposes to allow us to help CCGs plan the commissioning of healthcare services. Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency
- Checking NHS accounts and services
- Working out what illnesses people will have in the future so that CCGs can work with the local primary care services, community services and hospital services to make sure that patient needs are met
- Preparing statistics on NHS performance
- Reviewing the care the CCGs commission to make sure it is of the highest standard.
Personal and confidential information
For the purposes listed above, we will only use anonymised data which means that individuals can not be identified. We can only use any information that may identify individuals (known as personal information) in accordance with the Data Protection Act 1998 and other laws such as the Health and Social Care Act 2012. www.legislation.gov.uk/ukpga/1998/29/contents and www.legislation.gov.uk/ukpga/2012/7/contents/enacted.
We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
Therefore, as a commissioning support organisation we do not routinely hold medical records or confidential patient data. There are some specific areas, however, because of our responsibilities, where we do hold and use personal information. In order to process that information we will have met a legal requirement and will use only the minimum data allowed. Examples of where we have a lawful basis for using personal confidential data are as follows:
- The information is necessary for direct health care for patients
- We have received consent from individuals to be able to use their information for a specific purpose
- There is an over-riding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
- For the health and safety of others, for example to report an infectious disease such as meningitis or measles
- We have special permission for health and research purposes (granted by the Health Research Authority)
- We have special permission called a ‘section 251 agreement’ (Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) which allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes.
The areas where we use personal information are:
- Individual Funding Requests – a process where patients and their GPs or Consultants can request treatments not routinely funded by the NHS
- Assessments for continuing healthcare assessments (a package of care for those with complex medical needs)
- Responding to your queries, concerns or complaints
- Assessment and evaluation of safeguarding concerns for individuals
- Certain incident investigations
- Validation of invoices to ensure that providers are reimbursed correctly for the care and treatment they have delivered to patients
- To identify specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate care and treatment; this is known as risk stratification.
Hospital Episode Statistics (HES) data
HES is a record of all people who attend hospital. This might be for an outpatient appointment or for an operation requiring an overnight stay. We know the age and gender of these patients, what hospital they went to and what they went to hospital for. We do not know who the patient is, their name or address, or any other information which could be used to accurately identify them.
The data is stored in a safe and secure way, only accessible by members of analytics team that use it. The data will only be used to support analytics projects and will not be shared with any other organisation. All staff with access to the data receive comprehensive information governance training covering safe handling of data.
We hold the data for a range of analytics purposes all focussed on understanding and improving NHS and wider care services. Details of specific projects are available on request.
We process and share anonymised statistical information with CCGs for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.
We process personal data as described above and have been granted a legal basis for processing data in this way which operates under strict controls to ensure your information is handled lawfully. We are an established Accredited Safe Haven which allows us to use limited personal data lawfully for specific purposes and operate a Controlled Environment for the processing of invoices.
Keeping information secure and confidential
All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive annual training on confidentiality of information.
We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, secure email systems and ensuring that mobile equipment such as laptops are encrypted.
Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the CSU is Dr James Gossow.
Your right to withdraw consent
You have a right in law to refuse or withdraw previously granted consent to the use of your personal information.
Access to your personal information
You are entitled to obtain a copy of the personal information held about you by the CSU. Any request to access or obtain a copy of this information will be considered under Section 7 of the Data Protection Act.
To make a request for personal information, email NECSU.IG@nhs.net or write to:Information Governance Team John Snow House University Science Park Durham DH1 3YG.