Who we are
NHS Greater Nottingham Clinical Commissioning Group Partnership is made up of Nottingham City CCG, Nottingham North and East CCG, Nottingham West CCG and Rushcliffe CCG. The Partnership has many different roles and responsibilities. A major part of our work is effective planning, buying and monitoring of services from healthcare providers, such as hospitals and GP Practices in the local area. This means making sure that the NHS services that people need in the Nottingham area are available as well as making sure that those services are high quality and value for money. This is known as “commissioning”.
For more information please see our about us section.
The Sorts of Information We Use
For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the NHS. We use six types of information/data:
- Anonymised data, which is data about you but from which you cannot be personally identified;
- De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;
- De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times whereby you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;
- Anonymised information (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment.
- Personal data from which you can be personally identified
- Special category (sensitive) information/data about you from which you can be identified.
Personal data and personal sensitive data are only used where it is lawfully and absolutely necessary.
Information We Collect
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose which will mean you would not be able to be identified from that information. Examples of this include:
Evaluation and review of services such as checking their quality and efficiency.
Checking NHS accounts and services.
Working out what illnesses people will have in the future so that we can work with the local primary care services such as GPs, community services and hospital services to make sure that patient needs are met.
Preparing performance reports about the services we commission
Reviewing the care we commission to make sure it is of the highest standard.
We will only use information that may identify you (known also as personal, confidential data) in accordance with Data Protection law. Under Data Protection law we are required to have a legal basis if we wish to process any personal information.
Reasons We Might Need to Use Personal Information
The areas where we use personal information are:
- Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS.
- Continuing Healthcare Assessments (a package of care for those with complex medical needs).
- Responding to your queries, concerns or complaints.
- Incident investigations.
- Assessment and evaluation of safeguarding concerns for individuals.
- If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations.
- Staff personal confidential information for employment purposes (see below for further information about staff personal information use).
We keep your information in written form and / or on a computer securely and confidentially.
The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation.
To ensure that the NHS continues to run lawfully and efficiently, the Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information without explicit consent, but only when it is necessary for the work listed above. We have to meet strict conditions that are set out in section 251 of the NHS Act 2006, and approval is given based on the advice of the Health Research Authority’s Confidentiality and Advisory Group
Finance/ Validating Invoices
Invoice validation is an important process in ensuring that patient care is paid for correctly. It involves using a patient’s NHS number to check which is the CCG responsible for paying for their treatment. We can also use a NHS number to check that care has been funded through specialist commissioning, which NHS England pays for.
The process makes sure that the organisations providing care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment within the CCG. The use of personal data by CCGs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and it is anticipated this will be in place until at least end of September 2018. This approval provides the legal basis for the CCGs to process personal data for invoice validation purposes.
Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.
The CCGs use risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCGs do not have access to person identifiable data. The information is pseudonymised.
The legal basis for data flows
The CCGs process personal data under a variety of legal bases depending on the data being processed and the purposes it is processed.
For each instance a legal basis is identified and recorded. The legal bases most commonly used are:
Condition for processing personal data (from Article 6(1))
the data subject has given consent to the processing of their personal data for one or more specific purposes;
This option may be used for example when we keep individuals up to date with general news and events in the CCGs.
For other uses of personal data it is usually a very last resort. Consent must meet criteria of being freely given, specific, informed and unambiguous indication with affirmative action (in agreement).
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
A less common used condition for our purposes for processing personal data.
Required where a contract with an individual is or will be put in place.
processing is necessary for compliance with a legal obligation to which the controller is subject;
Applies where there is another legal requirement. It may be a court order or a duty under another law.
processing is necessary in order to protect the vital interests of the data subject;
Where the matter is concerns an instance of life or death.
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
The most likely condition to be used by the CCGs for processing of personal data.
Condition processing special category (sensitive) personal data (from Article 9 (2)0
Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
Used in limited instances (as above).
Explicit consent must meet criteria specified under data protection law.
Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
We would use this condition for processing personal data about staff for employment purposes
Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
Used where the matter concerns an instance of life or death and an individual affected is not able to make a decision themselves.
Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
Used in instances of legal matters.
Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures.
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
Most commonly applied condition for CCGs processing personal data for the management of health or social care systems.
Necessary for reasons of public interest in the area of public health, such as protecting against serious crossborder threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
Used for public health purposes.
(Section 251 of the NHS Act 2006)
The Secretary of State for Health gives limited permission for CCGs (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.
This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.
This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
More information about Section 251 is available from the Health Research Authority web site.
How long we hold information for and our destruction arrangements
All records held by the CCGs will be kept for the duration specified by national guidance from NHS Digital (Information Governance Alliance), found in the Records Management Code of Practice for Health and Social Care 2016.
In all circumstances data will be retained in accordance with data protection requirements and ‘kept for no longer than is absolutely necessary’.
Once data is no longer required it will be destroyed securely:
Paper records will be destroyed in line with international standards. Where external confidential waste suppliers are used these will be under contract and assurance that destruction meets the necessary legal requirements and standards.
For digital media permanent destruction will be achieved by over writing the media a sufficient number of times or physical destruction of media by breaking it up into small pieces.
Sharing your information with other organisations or individuals (third parties)
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We would not share information that identifies you unless;
- You have given us permission • This is anonymised and therefore non-personal data • We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime • It is necessary to protect children and vulnerable adults from harm • A formal court order has been served upon us; and/or • For the health and safety of others, for example to report an infectious disease like meningitis or measles.
Other organisations that provide services for us
We have entered into contracts with other NHS organisations to provide other services for us. These include holding and processing data including patient information on our behalf in provision of Information Technology (IT) services or providing human resources services for our staff. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained, that procedures are in place to keep information secure and protect privacy.
The CCGs also have services that support this function provided by a Joint Data Management Team (hosted by NHS Rushcliffe CCG). These services are also subject to the same legal rules and conditions for keeping personal information confidential and secure. Where possible a pseudonymisation technique (whereby identifiable information is replaced with an alias) is used so that those other NHS staff processing data on our behalf do not have access to information such as the NHS number and data cannot be tracked back to individuals.
We will not otherwise share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the General Data Protection Regulation.
Protecting your privacy
We are committed to protecting your privacy and will only process personal information in accordance with GDPR/ data protection law, the Human Rights Act 1998 and the Common Law Duty of Confidence.
The CCGs forming the Greater Nottingham Clinical Commissioning Partnership are Data Controllers under the terms of data protection law and are legally responsible for ensuring that all personal information that is processed i.e. held, obtained, recorded, used or shared about individuals is done in compliance with the six Data Protection Principles. All data controllers must notify the Information Commissioner’s Office of all personal information processing activities. Our registration details can be found on the public register of Data Controllers: Information Commissioner’s Office public register of Data Controllers.
All information that we hold about individuals will be held securely and confidentially. We use administrative and technical controls to do this. All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. We will only use the minimum and proportionate amount of personal information necessary. Where possible we will use information that does not directly identify individuals, but when it becomes necessary for us to know or use personal information a person, we will only do this when we have either a legal basis or have that person’s consent. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies individuals, where it is appropriate to their role, and is strictly on a need-to-know basis.
The CCGs have a Caldicott Guardian (see “Contact us”, below) who is the person responsible for protecting the confidentiality of patient information and enabling appropriate and lawful information sharing.
You have certain legal rights, including:
- to have your information processed fairly and lawfully
- to request access any personal information we hold about you
- the right to privacy, and to expect the NHS to keep your information confidential and secure
- to request that your confidential information is not used beyond your own care and treatment and to have your objections considered
- to request that any inaccurate data that we hold about you is corrected
- in some circumstances to have data erased
These are commitments set out in the NHS Constitution, for further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
Subject Access Requests and Requests to Correct Errors
Individuals can access personal information about them by making a ‘subject access request’ under the EU General Data Protection Regulation. If we do hold information about you we will:
- confirm this to you;
- give you a copy in a format that is easy to understand;
- provide the information within one month, or contact you if that is not going to be possible;
- not charge you a fee; unless there are extenuating circumstances.
To make a request for any personal information we may hold you need to put the request in writing to the address provided below (see contact details at the end of this page).
If we do hold information about you and you consider it to be inaccurate, you can ask us to correct any mistakes by, once again, contacting us at the address below.
We will only retain personal confidential information for as long as necessary. Records are maintained in line with the IGA Records Management Code of Practice which offers guidance on the minimum length of time records should be retained.
If you do not wish us to share or process your information for purposes beyond your direct care, or have any concerns then please let us know. We may need to explain the possible impact this could have on our ability to help you, and discuss the alternative arrangements that are available to you.
There are two types of objections that you can ask of your GP practice regarding your health information:
Type 1 objections: patients can object to personal information about them leaving a General Practice in identifiable form for purposes other than direct care.
Type 2 objections: patients can object to personal information collected from healthcare providers by NHS Digital being used for purposes other than their direct care. Type 1 and 2 objections will be respected, except in very limited circumstances such as:
- You have given explicit permission for a particular use of data (e.g. a research project) • Data is anonymised and therefore non personal data • We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime • It is necessary to protect children and vulnerable adults from harm • A formal court order has been served upon us • For the health and safety of others, for example to report an infectious disease like meningitis or measles.
You have the right to refuse/ withdraw consent to information sharing at any time. The possible consequences will be fully explained to you and could include delays in receiving care or omission from health screening programmes. If you wish to discuss withdrawing consent please contact us (see Contact us, below), or speak to your GP.
Staff Related Information
Job Applications, Current and Former Employees
When individuals apply to work at Greater Nottingham Clinical Commissioning Partnership, we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Greater Nottingham Clinical Commissioning Partnership has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.
In order to comply with our obligations as an employer we will need to share your personal information with other organisations for the purpose of managing your employment, these are:
- NHS Arden and GEM
- COPE (Consultants in Occupational Health, Physiotherapy and Ergonomics)
- NHS Business Services
The links below give more information about your rights and the ways that the NHS uses personal information:
- NHS Care Record Guarantee • NHS Constitution • Confidentiality: The NHS Code of Practice • Health Research Authority’s Confidentiality and Advisory Group • An independent review named Information: To share or not to share?The Information Governance Review was conducted in 2012. • Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides more information about the data used to support commissioning • NHS England advice for CCGs and GPs on information governance and risk stratification • NHS Digital • The Information Commissioner (the Regulator for the Data Protection Act 1998, who can offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information)
Our Contact Details
If you have any questions or concerns regarding how we use your information or wish to submit a Subject Access Request for access to personal information, please contact us at:
NHS Greater Nottingham CCGs Partnership
Rm 3.05 1 Standard Court, Park Row, Nottingham NG1 6NG
Telephone: 0115 883 9508
The contact details for the Greater Nottingham CCGs' Caldicott Guardian who is the most senior person in the organisation responsible for patient confidentiality are:
Nichola Bramhall, Chief Nurse & Director of Quality: firstname.lastname@example.org
Data Protection Officer
NHS Greater Nottingham Clinical Commissioning Partnership
Rm 3.05 1 Standard Court, Park Row, Nottingham NG1 6NG
Telephone: 0115 883 9508