Purpose and Legal basis for processing

NHS Continuing Healthcare (CHC) is explained by NHS Choices here.

The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 6 places a duty on CCGs to make provision for, i.e. provide, CHC services.

NHS South Worcestershire CCG manages the CHC process on behalf of the three Worcestershire CCGs. Further information can be found at www.redditchandbromsgroveccg.nhs.uk/about-us/nhs-continuing-healthcare/

To determine if someone is eligible for CHC and to then arrange a care and support package that meets their assessed needs, information about the individual will need to be collected, reviewed and shared with care providers such as care homes. As the CCG has a duty to provide CHC services, this allows for the collection of information about individuals for this purpose, the use of that information and the sharing of it with third parties who need to be involved in the process.

We will make sure that we keep the individual concerned informed at all times of who will be providing or receiving data about them and why.

Sources of the data

The personal data are submitted by the CCGs and the applicant for review. 

Categories of personal data

The information CCGs use to assess eligibility, and which may be submitted to an Independent Review Panel, fall under the following headings:

• Behaviour
  
• Cognition (understanding)
• Communication
• Psychological/emotional needs
• Mobility
• Nutrition (food and drink)
• Continence 
• Skin (including wounds and ulcers)
• Breathing
• Symptom control through drug therapies and medication
• Altered states of consciousness
• Other significant needs 
  

The obtained records that relate to these areas may include Care Home records, Health Records (for example GP, Hospital, Mental Health, District Nursing) and Social Care Records.

Recipients of personal data

Categories of recipient’s Personal data relating to the application is received by health providers.

Purpose and Legal basis for processing

Most NHS care and treatment goes well but sometimes things can go wrong. If you are unhappy with your care or the service you have received, it is important to let us know so we can improve.  When the CCGs receive a complaint, to allow it to be fairly and thoroughly managed, in most cases personal information will be required. CCGs have statutory duties which allow the processing of personal data in relation to complaints, under (Section 6 of the Local Authority Social Services and National Health Service Complaints [England] Regulations (2009) (under section 113 “Complaints about Healthcare” of the Health and Social Care (Community Health and Standards) Act 2003).

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a CCG.

If the information you provide us in relation to your complaint contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, and also Schedule 1 part 2(6) of the DPA 2018 which relates to statutory and government purposes.

NHS Redditch and Bromsgrove CCG manages the Complaints process on behalf of the three Worcestershire CCGs.  Further information can be found at www.redditchandbromsgroveccg.nhs.uk/contact-us/complaints-feedback/complaining-to-the-ccg/

Sources of the data

NHS Redditch and Bromsgrove, NHS Wyre Forest and NHS South Worcestershire CCG’s will generally collect/receive information when members of the public, their representatives, or members of Parliament, contact us with concerns or enquiries. In order to process a complaint Redditch and Bromsgrove, Wyre Forest and South Worcestershire CCG’s will collect the relevant information at the point of contact to enable the team to provide a sufficient response to the complaint.

Categories of personal data

Information relating to complaints would generally include the following categories of personal data:

• Patient’s name
• Patient’s address
• Patient’s contact number
• GP Surgery
• Patient’s NHS number
• Patient’s date of birth
• Representative details (if applicable)
• Representative address (if applicable)
• The nature of the complaint
  

Recipients of personal data

The recipients of personal data relating to complaints include:

• Any team within the CCG that may receive an enquiry or complaint
• Relevant providers (with the consent of the data subject) in order to fully investigate the complaint being made.
  

Purpose and legal basis for processing

The CCGs actively seek to involve patients and the public in discussions about local service, including any changes, improvements and what is needed for future care. This can take place in a variety of ways, for example through the CCGs’ Worcestershire Involvement Network (WIN), contact via social media, voluntary community and social enterprise (VCSE) organisations, elected representatives and/or through formal consultations and meetings.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS, including the CCGs will use records about you in ways that respect your rights and promote your health and wellbeing.

If you have requested a service from the CCGs, for example you have requested to join the Worcestershire Involvement Network (WIN), then we will hold the details of the people who have requested the service in order to effectively provide it. However, we only use these details to provide the service the person has requested. For example, we might use information about people who have joined the Worcestershire Involvement Network (WIN) to send them information on the CCGs’ current workstreams or to invite them to an event.

Another example may be where you have opted to provide your details as part of a survey, in this case the CCG may contact you to ask if you are happy with the level of service received, or if the information is useful to you. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time by emailing worcs.engagement@nhs.net and asking to unsubscribe. All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only a limited number of authorised staff are able to see information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis. All of our staff, contractors and committee members receive role appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you and will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. 
We are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation.  This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time. 

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.

The CCGs are Data Controllers as defined under the GDPR.  We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is done in compliance with the Data Protection Principles as set out in Article 5 under GDPR.


Sources of the data

The personal data is provided by data subjects when signing up to the Worcestershire Involvement Network, or if requesting one of our newsletters or expressing interest in an engagement event, either via our website or by completing one of our sign-up forms at one of the stakeholder events that we hold from time to time.

Categories of Personal data

We only require you to provide us with your name and email address or residential address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Do we use any processors?

Yes - we use Survey Monkey to manage and populate our engagement programmes. For more information on Survey Monkey please visit their Privacy Policy.

Purpose and legal basis for processing

The NHS has a duty to spend the money it receives from the Government in a fair way, taking into account the health needs of the whole community. The CCG’s role is to ensure they get best value for this money by spending it wisely on behalf of the public.

CCGs pay for local NHS health services and NHS England pays for highly specialised health services. The CCGs have a legal duty to provide health services for patients in the county with the fixed amount of money they have received from the Government. They have a legal duty not to spend more than this. This means that some hard choices have to be made. Not all treatments can be provided by the NHS, and some have evidence to show which patient groups most benefit from that treatment. The CCG document these in their Clinical Commissioning Policies which are available on NHS Redditch and Bromsgrove CCG, NHS South Worcestershire CCG and NHS Wyre Forest CCG website:

IFR Policies and Procedures

However, the CCGs know that there will always be times when a patient would benefit from a particular treatment not usually given by the NHS. To apply for this treatment, an Individual Funding Request is made. To allow the CCGs to consider these requests, access to both personal and health information regarding the individual to whom the request relates is required. 

As the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Part 7, Regulation 34 places a duty on CCGs in respect of the funding and commissioning of drugs and other treatments, this provides the CCGs with a legal basis to use personal data as part of this process.

The NHS Redditch and Bromsgrove CCG Contracts team manage the IFR process on behalf of the three Worcestershire CCGs in line with the IFR Policy as per the website link shown above.

Sources of the data

The information is provided by a clinician who submits an IFR application form on behalf of a patient.  

Categories of personal data

The IFR application form includes NHS number, name and address, date of birth, GP details, diagnosis, requested intervention and other information relevant to the request. The details are recorded on a secure database and all information is anonymised before presented. Each IFR will have an individual case number that is used to process the request and outcome.

Categories of recipients

Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

Purpose and legal basis for processing

Invoice validation is an important process. It involves using your NHS number to check that we are the CCGs that are responsible for paying for your treatment.

NHS Midlands and Lancashire Commissioning Support Unit is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables them to process patient identifiable information on behalf of NHS Redditch and Bromsgrove CCG, NHS Wyre Forest CCG and NHS South Worcestershire CCGs without consent for the purposes of invoice validation – Confidentiality Advisory Group - CAG 7-07(a)(b)(c)/2013.

We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect, report and investigate any incidents of where a breach of confidentiality has been made.

Sources of the data

The sources of data are providers who submit invoices to NHS Shared Business Services for payment.

Categories of Personal data

The data required for effective invoice validation can be found in Appendix B, of “Who Pays? Information Governance Advice for Invoice Validation” which you can find here:

www.england.nhs.uk/wp-content/uploads/2013/12/who-pays-advice.pdf

Recipients of personal data

NHS Midlands and Lancashire Commissioning Support Unit is the only organisation that will receive personal data relating to invoice validation as an accredited Controlled Environment for Finance.

Purpose and legal basis for processing

Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding and is a type of profiling as it is the automated processing of personal data to analyse or predict health needs. However, this is not a solely automated process as whilst cases are identified through an automated process, no decisions are made automatically, they are made by the GP.

The CCGs also use risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services.  This is linked to data collected in GP practices and analysed to produce a risk score.

GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care, however the CCGs can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS Digital or other health care provider, the GP will ask for your permission to access the details of that information.  

The law says commissioners are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. So they need an intermediary service called Data Services for Commissioners Regional Office (DSRCO), that specialise in processing, analysing and packaging patient information within a secure environment into a format commissioners can legally use i.e. anonymised patient level data. You can find more comprehensive information about this on the NHS Digital Website.

NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care to support NHS commissioning organisations and the commissioning functions within local authorities.

NHS Digital, formally known as HSCIC, is able to disseminate data to commissioners under the Health and Social Care Act (2012). The act provides the powers for NHS Digital to collect, analyse and disseminate national data and statistical information. To access this data organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements. For GDPR purposes NHS Redditch and Bromsgrove, NHS Wyre Forest and South NHS Worcestershire CCG’s lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’

Sources of the data

Personal data is supplied by GPs and NHS Digital commissioning data sets (CDS). Commissioning data sets are maintained and developed by NHS Digital, in accordance with the needs of the NHS and the Department of Health and Social care. Commissioning data sets form the basis of data on activity carried out by organisations reported centrally for monitoring and payment purposes. For more information about (CDS) please visit: Commissioning Data Sets Overview.

Categories of Personal data

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services (Secondary Use Services data). This is linked to data collected in GP practices and analysed to produce a risk score.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Information on care provided for all patients by Health Care Providers (both NHS and Independent Sector Healthcare Providers for NHS patients only) must be submitted to the Secondary Uses Service according to the Commissioning Data Set Mandated Data Flows guidelines.

Data from the GP Practice system will be obtained by using a “bulk data extract”, uploaded directly by the risk stratification tool supplier from the practice system. Prior to the upload, the supplier will obtain permission from the practice to request the data from the practice system provider and the practice will notify their system providers that this permission has been granted.

The data extract will EXCLUDE patients who have expressed a wish not to share information. Reports produced from the system,including identifiable data,are only provided back to your GP or member of your care team in an identifiable form.

Your GP can provide more information about any risk stratification programme they are using. Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager at your surgery to discuss how the disclosure of your personal information can be limited.

Purposes and basis for processing 

NHS Redditch and Bromsgrove, NHS Wyre Forest and NHS South Worcestershire CCGs are dedicated in ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and thoroughly applied with the wellbeing of all, at the heart of what we do. 

Our Legal basis for processing For the General Data Protection Regulation (GDPR) purposes is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of special categories data, the basis is Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Categories of personal data

The data collected by CCG staff including hosted bodies, in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

Sources of the data

The CCGs will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns.

Recipients of personal data

The information is used by the CCGs when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as Local Authorities, the Police, Care Homes, healthcare professional (i.e. their GP or mental health team).

Purposes and basis for processing 

The CCG have a statutory duty to the improvement of quality and delivery of services, therefore use incident events, investigations, evidence and reports relating to incidents under various policy and procedural structures.

The CCG monitor patient healthcare and the way in which their information is handled within care homes or services provided which the CCGs fund; this is to assess the quality of care given to patients, and close monitoring of staff delivering these services. Where there maybe concerns identified an investigation is carried out. It is important to carry out quality assurance visits to ensure the correct processes are being adhered to, patients are getting the best service and the correct paperwork is being completed. This information is shared with Healthcare providers and Care homes so that services and care can be reviewed and maintained at a high level.

In order to promote quality and compliance, the CCG has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

Apart of this monitoring allows the CCG to review, hospital discharge data so that delayed transfers of care are identified and so that the CCG can assess how these can be reduced for more efficiency.

Our Legal basis for processing For the General Data Protection Regulation (GDPR) purposes is Article Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards”.

Categories of personal data

NHS Number and other personal details, including relevant healthcare records and information about the concerns, including others involved or impacted by the event are used by the CCG to facilitate concerns/incident investigations.

Sources of the data

Data received in order to fulfil the duties relating to concerns investigation will be received directly from the organisation in concern or the reporting organisation, such as a Care Home or provider.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers.

Purposes and basis for processing
 
The CCG has a statutory duty to monitor the quality of care and services provided by the CCG and work closely with the organisation involved in providing patient care. The CCG has employed a commissioning infection prevention and control nurse to support the CCG’s , to work with organisations to identify the cause or factors which may have contributed to an infection in line with National requirements e.g Quality Premium(GNBSI).

Our Legal basis for processing For the General Data Protection Regulation (GDPR) purposes is Article Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards”.

Categories of personal data

NHS Number and personal details such as name, dob, address and GP details, including relevant healthcare records and information about the infection. There may be occasions were details are required of contacts who may have been in contact with an infection or infectious individual ,so that these individuals can be followed up as required. Risk assessments are carried out on the basis of the organism as to what contact details are required.

Sources of the data

Data received in order to fulfil the investigation of the infection monitoring. This information will be directly received from the healthcare provider and care homes. The nurse working on behalf of the CCG has access to a national system called Public Health England (PHE) Data Capture system, in order to view personal level data in relation to individual’s infections and care, information is accessed in order to review and monitor the quality of care.

Recipient of personal data

Information relating to the outcomes of investigation reviews and lessons learnt from reviews will be sent back to the relevant providers for example GPs, Care Homes and Hospitals. This is necessary to do so that any local or national changes can be implemented from the learning and actions addressed from the investigations.