Privacy

Published 21 November 2018; updated 04 April 2019

How your personal information is used by NHS Vale of York Clinical Commissioning Group

Please click on the highlighted text within the notice for links to further information. Click the link for a Glossary of definitions used throughout this notice.

Who we are and what we do

Data Controller : NHS Vale of York Clinical Commissioning Group

Address : West Offices
          Station Rise
          York, YO1 6GA

Data Protection Officer (DPO) : Caroline Million

DPO Contact Details : embed.gdpr@nhs.net

NHS Vale of York Clinical Commissioning Group is responsible for planning, designing and paying for your NHS health services. We do this by ‘commissioning’ or buying health and care services including:

  • Out of Hours Primary Medical Services
  • Planned hospital care
  • Unplanned care (urgent care), including 111, A&E and Ambulance Services
  • Community Health Services e.g. Rehabilitation care, Speech and Language Services, Continence Services, Wheelchair Services, Home Oxygen Services (but not including Health Visiting and Public Health)
  • General Practice Services including other Community Based Services provided by GP practices beyond the scope of the GP contract
  • Maternity and new-born services
  • Child Health (mental and physical)
  • Mental Health and learning disability services, including psychological therapies
  • NHS Continuing Healthcare

A list of General Practices within the NHS Vale of York Clinical Commissioning Group can be found here.

We manage the performance of services that we commission to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about these services.

How we use your personal information

The purpose of this notice is to inform you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It is part of how we ensure we are open and transparent about the data processing activities we carry out in order to meet our commissioning obligations.

It covers information we collect directly from you or collect indirectly from other individuals or organisations for the CCG’s registered population.

The CCG is a Data Controller as defined by General Data Protection Regulations and determines the purposes for which and the means by which personal data is processed. We have a duty to inform you how your information is used, the legal basis for using the information, who we share information with and how we keep it secure and confidential.

This notice applies to all information held by the CCG relating to individuals, whether you are a patient, service user or a member of staff. This notice was last reviewed October 2018.

Types of information we hold

We need to use information about you in various forms and will only use the minimum amount of information necessary for that purpose. Where possible, we will use information that does not identify you.

The CCG uses and processes several different types of information, click on the links below for more information :

  • Identifiable – information which contains personal details that identify individuals, such as name, address, email address, NHS Number, full postcode and date of birth.
  • Pseudonymised – individual level information where individuals can be distinguished by using a coded reference which does not reveal their ‘real world’ identity.
  • Anonymised – data which is about you but from which you cannot be personally identified.
  • Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals.

Throughout this Notice you will see reference to an organisation called NHS Digital. They are the national provider of information, data and IT systems for commissioners (such as the CCG), analysts and clinicians in health and social care. NHS Digital provides information based on identifiable data passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information.

Our records may be held on paper or in a computer system.

Details of information used for specific purposes

Use of Anonymised Data

We use anonymised data to plan health care services, including :

  • Checking the quality and efficiency of the health services we commission;
  • Preparing performance reports on the services we commission;
  • Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
  • Reviewing the care being provided to make sure it is of the highest standard.

Use of Pseudonymised (De-identified) Information

We use de-identified information in our role as commissioner including :

  • Commissioning - to plan, design, purchase and pay for the best possible care available for you; look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts; to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; to help us plan future services to ensure they continue to meet our local population needs.
  • Risk Stratification – to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the CCG in order to help us plan the most appropriate health services for our population.
  • Invoice Validation – part of the process by which providers of care or services get paid for the work they do. The CCG does not receive any identifiable information for purposes of invoice validation; however we do receive aggregated reports to help us manage our finances.

Use of Personal and Sensitive (Identifiable) Information

As a CCG we do not often hold general medical records or confidential patient data however, there are some exceptions, such as the continuing health care department.

There are some categories of personal data for which special safeguards are required by law, known as special category or sensitive data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.

The following list includes examples of where we collect and use personal information. Please click on each of the following examples for information on the purpose, the type of information used, the legal basis identified for the collection and use of the information, how we collect and use the information required, any third parties we may share the information with and your rights regarding the use of the information including, where relevant, your right to opt out.

Identifiable Information

    Anonymised Information

    • Infection Prevention and Control

    Staff Information

    The CCG as an NHS Employer needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the CCG complies with employments law, or to provide other services related to their employment. For more details about how staff information is used please click on the following :

    Child Information

    Please see the link on our website here for our Privacy Notice for children.

    Sharing Information with Health and Care organisations

    Information Sharing Agreements and contracts will be in place ensuring that where we share information, this meets both the requirements of the Health and Social Care Act 2012 and the current Data Protection legislation ensuring that your confidentiality and rights are not breached.

    Whenever a new arrangement is made to share information externally, both with health and social care organisations and with third party suppliers, we will ensure that a legal basis has been identified, using a tool called a Data Protection Impact Assessment, which will highlight any risks to your information and ensure they are resolved before any sharing takes place.

    If a new arrangement is made to share information or any existing arrangements are altered, this privacy notice will be updated to reflect those changes.

    Our Commitment to Data Privacy and Confidentiality

    We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation, the Data Protection Act 2018, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.

    In the circumstances where we are required to use personal identifiable information we will only do this if :

    • The information is necessary for your direct healthcare, or
    • We have received explicit consent from you to use your information for a specific purpose, or
    • There is an overriding public interest in using the information:
      • In order to safeguard an individual,
      • To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
    • There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation), or
    • We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary for our work

    Everyone working for the CCG has a legal and contractual duty to keep information about you confidential. All CCG staff are subject to confidentiality clauses contained within their employment contract.

    All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection toolkit.

    Our staff, contractors and committee members receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Staff are trained to ensure how to recognise and report an incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

    Your information will not be sent outside of the European Economic Area (EEA) where the laws do not protect your privacy to the same extent as the law in the EEA, unless we have gained assurance that the appropriate safeguards are in place. We will never sell any information about you.

    The CCG maintains a set of regularly updated policies and procedures covering all aspects of information governance. These can be found here:

    http://www.valeofyorkccg.nhs.uk/publications-plans-and-policies-1/policies/

    Your Rights

    Under the General Data Protection Regulation all individuals have certain rights in relation to the information which the CCG holds about them.

    If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.

    These rights are :

    The following table summarises where your rights apply :

    Lawful basis           Right to Erasure   Right to Portability   Right to Object
    Consent                Yes                Yes                    No *
    Contract               Yes                Yes                    No
    Legal Obligation       No                 No                     No
    Vital Interests        Yes                No                     No
    Public Task            No                 No                     Yes
    Legitimate Interests   Yes                No                     Yes

    * but right to withdraw consent

    Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

    You have the right to be informed about how your information is used.

    You have the right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered and where your wishes cannot be followed, to be told the reasons including the legal basis.

    You have the right to access the information we hold about you; this is commonly known as a Subject Access Request (SAR). If you make a SAR we are legally obligated to provide you with the personal information we hold about you.

    A new system is being developed which will allow people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system will offer patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/


    Queries and Complaints

    If we do hold identifiable information about you, you can ask us to correct any mistakes by contacting us at the address below.

    If you have any questions or complaints regarding the information we hold about you or the use of your information, please contact :

    Address : NHS Vale of York Clinical Commissioning Group, West Offices, Station Rise, York YO1 6GA

    Email : voyccg.patientrelations@nhs.net

    Phone : 01904 555999

    Our Data Protection Officer is : Caroline Million

    Contact details : embed.gdpr@nhs.net

    For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about our handling of your information you can contact :

    The Information Commissioner
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire, SK9 5AF

    Phone : 0303 1231113 or 01625 54 57 45

    Website : https://ico.org.uk/


    Details of information used for specific purposes

    Commissioning

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning datasets. The CCG obtains from NHS Digital those datasets which relate to patients registered with our GP Practices. This enables us to plan, design, purchase and pay for the best possible care available for you.

    Type of Information Used

    Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

    Identifiable – when disclosed from Primary and Secondary care services to NHS Digital

    Pseudonymised – the CCG may only receive this information in a pseudonymised format which does not identify individuals.

    Legal Basis

    Statutory requirement for NHS Digital to collect identifiable information.

    For use by the CCG:

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you. Information such as your age, ethnicity and gender, as well as coded information about any clinic or Accident and Emergency attendances, hospital admissions and treatment will be included.

    We also receive information from the GP Practices within our CCG that does not identify you.

    We use these datasets for a number of purposes such as:

    • Performance managing contracts
    • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care
    • To prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement
    • To help us plan future services to ensure they continue to meet our local population needs

    Data Processors

    Yorkshire Data Services for Commissioning Regional Office (DSCRO), hosted by NHS Digital, obtains the identifiable information from the Secondary Uses Service (SUS) at NHS Digital. The DSCRO also receives identifiable information directly from providers. They pseudonymise the information and pass it to eMBED. eMBED run further data quality checks and prepare the data for use by the CCG.

    Your Rights

    If you do not want the NHS to use information about you, collected by your GP, then you can opt out by completing an opt-out form and returning it to your GP practice. There are different types or levels of opt-out available: a Type 1 opt out is where you do not wish for your information to be shared outside of your GP Practice for any purpose other than your direct care, and a Type 2 opt out is where you do not wish for your information to be shared by NHS Digital. Further information about the Type 2 opt out is available from NHS Digital.

    Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/

    With regards to Commissioning under GDPR you have the right :

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The data will be retained for a period of 8 years in accordance with the CCG rules outlined in the Records Management: NHS Codes of Practice.  Data that supports trend analysis or identification of patterns may be held for longer.

    Who we will share the information with (recipients)

    This information is not shared outside of the CCG.

    Risk Stratification

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Information from health and social care records, using the NHS Number provided via the Secondary Uses Service (SUS) at NHS Digital, is looked at to identify groups of patients who would benefit from some additional help from their GP or care team. This is known as ‘Risk Stratification’. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. You have the right to opt out of your information being shared by NHS Digital; please see the Your Right to Opt Out section below.

    Type of information Used

    Only de-identified information (NHS number removed) is accessible to the CCG.

    Only GP Practices within the CCG have access to identifiable information (NHS Number) of their own patients in order to see who may benefit from additional help.

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    A section 251 approval (CAG 7-04(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the pseudonymised information to be sent to the CCG via NHS Digital in order to help us plan the most appropriate health services for our population.

    How we collect (the source) and use the information

    Primary Care data extracted from individual GP practices and Secondary Care data (collected nationally via the Secondary Uses Service): Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health is passed to the Data Services for Commissioners Regional Office (DSCRO) so that the information can be linked. This information is passed to eMBED Health Consortium who provides the Risk Stratification tool to GP Practices on behalf of the CCG.

    De-identified information is made available to the CCG to provide a picture of the health and needs of their local population, which enables:

    • priorities to be determined in the management and use of resources;
    • services to be planned, covering the range of potential questions and issues they may need to consider, and decisions to be supported and evidenced.

    Data Processors

    Data services for commissioners Regional Office (DSCRO) hosted by NHS Digital.

    eMBED Health Consortium.

    Your Rights

    If you do not want the NHS to use information about you, collected by your GP, then you can opt out by completing an opt-out form and returning it to your GP practice. There are different types or levels of opt-out available: a Type 1 opt out is where you do not wish for your information to be shared outside of your GP Practice for any purpose other than your direct care, and a Type 2 opt out is where you do not wish for your information to be shared by NHS Digital. Further information about the Type 2 opt out is available from NHS Digital. Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/

    With regards to Risk Stratification under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The data will be retained in accordance with the CCG rules outlined in the Records Management: NHS Codes of Practice. Specifically for the Risk tool, the system will hold 3 years of data updated monthly to be used within the tool. Only live data will be used and the data will be destroyed at the end of the contract or if the patient dies or the practice gives notice that they no longer wish to use the tool.

    Who we will share the information with (recipients)

    This information is not shared outside of the CCG, except as appropriate with our local Community Services Provider at practice level to support their work with the practices to improve services to patients.

    Invoice Validation

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Invoice validation is part of the process by which providers of care or services get paid for the work they do.

    Invoices, with supporting information, are submitted to the CCG for payment by the provider of the service, but before payment can be released the CCG needs to ensure that the activity claimed for each patient is its responsibility. These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) to ensure that the right amount of money is paid, by the right organisation, for the treatment provided. The process followed ensures that only the minimum amount of information about individuals is used, by a very limited number of people, and is designed to protect confidentiality.

    Type of information Used

    Identifiable (NHS number, date of birth or postcode) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    A section 251 approval (CAG 7-07(a)(c)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the CCG to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.

    How we collect (the source) and use the information

    Organisations that provide treatment submit their invoices to the CCG for payment. The nominated secure area (Controlled Environment for Finance) receives additional information, including the NHS Number, or occasionally date of birth and postcode, from the organisation that provided the treatment.

    NHS Digital sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.

    The CCG does not receive any identifiable information for purposes of invoice validation; however we do receive aggregated reports to help us manage our finances.

    Data Processors

    Data Services for Commissioners Regional Office (DSCRO) hosted by NHS Digital.

    eMBED Health Consortium

    Transfers of Data Overseas


    NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.

    Your Rights

    With regards to Invoice Validation under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    This information will be kept for a period of 8 years. This is in line with the Records Management: NHS Code of Practice.

    Who we will share the information with (recipients)

    This information is not shared outside of the CCG.

    Complaints

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Under the NHS Complaints Procedure, individuals have a right to complain to both providers and commissioners about services provided by the NHS.

    A complaint may relate to a service which the CCG is directly responsible for providing, or it may relate to a service which we have commissioned for the patients who we are responsible for, for example hospital services. The CCG requires this information in order to investigate and help to resolve complaints.

    Type of information Used

    Identifiable:  Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and

    GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation

    Under:

    The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009. For further information please visit: http://www.legislation.gov.uk/uksi/2009/309/contents/made

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    When the CCG receives a complaint from a person, a complaint file is made up which will normally contain the identity of the complainant, the identity of the patient (where this is a different person) and any other individuals involved, plus details of the complaint, including health information.

    The CCG will only use the identifiable information we collect to process the complaint and to check the level of service we provide.

    Where the complainant is not the patient, the CCG will usually need to disclose the complainant’s identity to whoever the complaint is about in order to obtain consent under the Common Law Duty of Confidentiality to proceed with the complaint and for the complainant to correspond with us on behalf of the patient.

    Data Processors

    Generally, the CCG does not use external data processors for this function. However, for bespoke or large scale exercises, the CCG may commission specialist data analyst companies to process information and produce reports. Any information shared with an external company would be transferred securely and only used for the agreed purpose.

    Your Rights

    With regards to Complaints under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    We will keep information in relation to complaints for a period of 10 years.

    Who we will share the information with (recipients)

    Where complaints relate to a service we commission, such as hospital care, the complaint will be shared with that organisation. The complainant will be informed where this occurs.

    Individual Funding Requests (IFR)

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    To fund specific treatment for you for a particular condition that is not covered in our contracts with providers. Individual Funding Requests provide payments required to receive specialist treatment, not routinely provided on the NHS, on a case by case basis.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information) – to make payments

    Anonymous – to provide reports for analysis of payments made

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    Information required to make payments in relation to funding treatments is provided by you, along with relevant information from primary and secondary care regarding the referral for specialist treatment. The CCG will only use the identifiable information we collect to process the request for funding.

    This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.

    Data Processors

    North of England Commissioning Support (NECS)

    Your Rights

    With regards to Individual Funding Requests under GDPR you have the right :

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The organisation has adopted the retention periods for health and non-health records set out in the Records Management Code of Practice for Health and Social Care 2016, and its retention schedule is in line with that Code. For Individual Funding Requests this is 6 years after the end of the financial year to which they relate.

    Who we will share the information with (recipients)

    This information will be shared with NECS, GP’s, and health and care organisations involved in delivering or arranging the Individual Funding Request.

    Continuing Healthcare

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Where you have asked us to undertake assessments for Continuing Healthcare – a package of care for those with complex needs. We use your information in order to be able to make the appropriate arrangements for assessing your needs. Individual consent will be sought before any information about you is sought from other professionals.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    The CHC team will collect, use, share and securely store information from/with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.

    This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    With regards to Continuing Healthcare under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The CCG will keep this information for a period of 8 years. The retention schedule is in line with the Records Management Code of Practice for Health and Social Care 2016.

    Who we will share the information with (recipients)

    The Local Authority (Social Services), Care Homes, health and care organisations involved in delivering or arranging the continuing care required.

    Personal Health Budgets (PHBs)

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    A personal health budget is an amount of money to support someone’s health and wellbeing needs, which is planned and agreed between the person, or their representative, and the local clinical commissioning group (CCG) or NHS team.

    The amount in someone’s personal health budget is based upon their personalised care and support plan. This plan helps people to identify their health and wellbeing outcomes, together with their local NHS team, and sets out how the budget will be spent to enable them to reach their goals and keep them healthy and safe.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    Relevant legislation: National Health Service (Direct Payments) Regulations 2013

    How we collect (the source) and use the information

    A personal health budget is based upon a personalised care and support plan. This plan sets out someone’s health and wellbeing needs, the outcomes they wish to achieve, the amount of money available and how it will be spent. Once the plan and budget have been agreed, the money in a personal health budget can be managed in three ways, or a combination of these:

    Notional budget: No money changes hands. The personal health budget holder knows how much money is available for their assessed needs and decides together with the NHS team how to spend that money. The NHS is then responsible for holding the money and arranging the agreed care and support.

    Third party budget: An organisation independent of both the person and the NHS commissioner (for example an independent user trust or a voluntary organisation) is responsible for and holds the money on the person’s behalf. They then work in partnership with the person and their family to ensure the care they arrange and pay for with the budget meets the agreed outcomes in the care plan.

    Direct payment for healthcare: The personal health budget holder or their representative has the money in a bank account and takes responsibility for purchasing the agreed care and support. Budget holders must show what the money has been spent on. Further guidance is included in the Direct Payments in Healthcare Guidance.

    In most cases people will need a separate bank account to receive a personal health budget via a direct payment (there are some exceptions when the money can be paid directly into someone’s existing account, for example if it is a one-off payment).  The separate account must only be used for purchasing care, but it may also be used for receiving and managing a social care personal budget, if someone has an integrated personal budget.

    If someone wishes to have a personal health budget but doesn’t want to manage it themselves or doesn’t have the capacity to manage the budget themselves, it may be possible for someone else to manage the budget on their behalf. This might be a family member, a close friend or representative.  Regardless of who is responsible for the budget, every effort must be made to ask the person about their wishes and to keep their best interests in mind.

    This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    With regards to Personal Health Budgets under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The CCG will keep this information for a period of 8 years. The retention schedule is in line with the Records Management Code of Practice for Health and Social Care 2016.

    Who we will share the information with (recipients)

    The Local Authority (Social Services), health and care organisations involved in delivering or arranging the care required. The third party (for example an independent user trust or a voluntary organisation, or payroll/managed account provider) looking after your money where this has been arranged. If someone wishes to have a personal health budget but doesn’t want to manage it themselves or doesn’t have the capacity to manage the budget themselves, it may be possible for someone else to manage the budget on their behalf (e.g. family member, friend or representative, nominee).

    Safeguarding

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    The CCG has a legal duty to have arrangements in place for safeguarding both adults and children. In order to carry out this role, the CCG’s Safeguarding Team processes information for safeguarding purposes.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

    The information processed, for relevant people only, can include names, date of birth, address, NHS number, relevant and proportionate information concerning their health and care, and their racial or ethnic origin where this is relevant. The CCG will only share this personal information where expressly permitted by law, and will not share it with any partners who do not have a lawful basis to process the personal information.

    Legal basis

    GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

    GDPR Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’

    The Children Acts 1989 and 2004 establish implied powers for local authorities and relevant partner agencies to share information to safeguard children. Local authorities have a duty to investigate where there is reasonable cause to suspect that a child is suffering or is likely to suffer significant harm, is the subject of an emergency protection order, or is in police protection.

    The Children Act also requires local authorities ‘to safeguard and promote the welfare of children within their area who are in need’ and to request help from specified authorities including NHS Trusts and Foundation Trusts, NHS England and CCGs. These are required by the Children Act to comply with such requests. Under the Children Act 2004 local authorities must make arrangements to promote cooperation with relevant partners and others, to improve well-being.

    The Criminal Justice Act 2003 provides for the establishment of Multi-Agency Public Protection Arrangements (“MAPPA”) in England and Wales. Under this legislation the NHS has a duty to co-operate with MAPPA processes by sharing relevant and proportionate information regarding MAPPA subjects.

    The Care Act 2014 requires that local authorities must make enquiries, or cause another agency to do so, whenever abuse or neglect are suspected in relation to an adult and the local authority thinks it necessary to enable it to decide what (if any) action is needed to help and protect the adult.

    The Care Act 2014 stipulates that partners should ensure that they have the mechanisms in place that enable early identification and assessment of risk through timely information sharing and targeted multi-agency intervention.

    Decisions on sharing information must be justifiable and proportionate, based on the potential or actual harm to adults or children at risk and the rationale for decision-making should always be recorded.

    When sharing information about adults, children and young people at risk between agencies, it will only be shared:

    • where relevant and necessary, not simply all the information held
    • with the relevant people who need all or some of the information
    • when there is a specific need for the information to be shared at that time

    How we collect (the source) and use the information

    The CCG may receive information relating to safeguarding concerns from you directly or relatives or through notification of concerns from other Health and Social Care organisations. All Health and Social Care professionals have a legal requirement to share information with appropriate agencies where safeguarding concerns about children or adults have been received. Where it is appropriate to do so the organisations will keep you informed of when information is required to be shared.  Access to this information is strictly controlled and where there is a requirement to share information, e.g. with police or social services, all information will be transferred safely and securely ensuring only those with a requirement to know of any concerns are appropriately informed.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    With regards to Safeguarding under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To be notified of data breaches

    How long we will keep the information

    Information is kept in accordance with the Records Management Code of Practice for Health and Social Care 2016 – depending on the nature of the records held, some records will be kept for longer than the standard retention periods within the Code of Practice.

    Who we will share the information with (recipients)

    Information will be shared with relevant professionals from partner agencies, such as Safeguarding Boards, Multi-Agency Safeguarding Hubs (MASH), Multi-Agency Risk Assessment Conferences (MARAC), the Local Authority, other Health and Social Care organisations or the Police.

    Patient and Public Involvement

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    If you have asked the CCG to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities through focus groups, meetings or surveys or are a patient representative in our groups, we will collect and use information you share with us. Where you submit your details to us for involvement purposes, we will only use your information for this purpose.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth)

    Legal basis

    GDPR Article 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes

    How we collect (the source) and use the information

    We will be collecting and using your information to enable us to keep you informed of any news, consultation activities or patient participation groups.

    Your information will be held securely and accessible only to those who need it for the purposes it was collected.

    Data Processors

    Generally, the CCG does not use external data processors for this function. However, for bespoke or large scale exercises, the CCG may commission specialist data analyst companies to process information and produce reports. Any information shared with an external company would be transferred securely and only used for the agreed purpose.

    Your Rights

    With regards to Patient and Public Involvement under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information we hold about you.
    • To have that information amended in the event that it is not accurate.
    • To have the information deleted
    • To restrict processing
    • To object to processing/withdraw your consent for processing
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    We will only keep this information for as long as you are happy for us to do so. If you no longer wish us to use or store your information, you can request its removal or erasure at any time.

    Who we will share the information with (recipients)

    Your personal information will only be shared with CCG staff who need it for the purposes it was collected or, wider, with your permission and knowledge.

    Offensive and Inflammatory Comments

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Any email sent to the CCG, including any attachments, may be monitored and used by the CCG for reasons of security and for monitoring compliance with office policy.

    Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

    If you post or send offensive, inappropriate or objectionable content anywhere on www.valeofyorkccg.nhs.uk or otherwise engage in disruptive behaviour on www.valeofyorkccg.nhs.uk, we may use whatever information is available to us about you to stop such behaviour.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth)

    Legal basis

    GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation…

    How we collect (the source) and use the information

    We will be collecting and using your information to enable us to monitor any offensive or inflammatory remarks.

    Your information will be held securely and accessible only to those who need it for the purposes it was collected.

    Data Processors

    The CCG does not employ external data processors for this function.

    Your Rights

    With regards to Offensive and Inflammatory Comments under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information we hold about you.
    • To have that information amended in the event that it is not accurate.
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The CCG will keep a register of offensive and inflammatory comments received indefinitely. 

    Who we will share the information with (recipients)

    We may share your information with the Police if the information you have provided is in breach of the law.

    Infection Prevention and Control

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    CCGs collaborate with Public Health services and work closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection.

    Type of information Used

    Identifiable:  Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

    GDPR Article 9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

    Related legislation:

    The Health and Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015) and

    Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002

    How we collect (the source) and use the information

    CCGs participate in Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. The CCG receives this information from Healthcare providers.

    The CCG uses the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    With regards to Infection Prevention and Control under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    Information relating to Infection Prevention and Control is kept for a period of 10 years. Information will be kept for longer than 10 years if it is in relation to a child.

    Who we will share the information with (recipients)

    Information may be shared with Primary and Secondary healthcare providers and with the Local Authority, which is responsible for Public Health within the CCG boundary.

    Serious Incident reports

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    The CCG collects and uses information from Serious Incident reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately and lessons learnt.

    Type of information Used

    Identifiable:  Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ and 6(1)(c) – processing is necessary for compliance with a legal obligation…

    Related legislation:

    NHS Act 2006/Health and Social Care Act 2012.

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    We are statutorily required to fully investigate and review incidents and will receive information from Primary and Secondary Care Providers. Where there is a requirement to provide incident reports externally, the information will be anonymised unless there is a legal requirement to provide your details. You will be kept informed of the requirements we are required to meet where information is to be shared externally.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    With regards to Serious Incident Reports under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    Incidents (Serious) – 20 years

    Incidents (Other) – 10 years

    Who we will share the information with (recipients)

    Your information may be shared with Primary and Secondary healthcare providers involved in the incident.

    Freedom of Information requests

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    As a public authority, the CCG has a duty to respond to requests made under the Freedom of Information Act 2000.

    Type of information Used

    Identifiable:  Personal (such as name and address).

    Legal basis

    GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ and 6(1)(c) – processing is necessary for compliance with a legal obligation…

    Relevant Legislation:

    The Freedom of Information Act 2000

    How we collect (the source) and use the information

    We will only collect identifiable information such as name and contact details provided by individuals making requests under the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and the Re-Use of Public Sector Information Regulations 2015 (RPSI). This information will only be used to respond to such requests and in correspondence with individuals following appeals.

    The personal data we process is freely provided by applicants who wish to exercise their right to use the above legislation in order to access information held by or on behalf of the CCG.

    Where the individual is making a request under the Re-Use of Public Sector Regulations 2015, by law we require the re-use purpose.

    Data Processors

    The CCG does not use external data processors for this function.  

    Your Rights

    With regards to Freedom of Information Requests under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    Freedom of Information (FOI) requests and responses and any associated correspondence - 3 years from the date of closure of the FOI request.

    FOI requests where there has been a subsequent appeal - 6 years from the date of closure of the appeal.

    Who we will share the information with (recipients)

    This information is not shared outside of the CCG.

    Medicines Management

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    NHS Vale of York CCG has a duty to secure continuous improvement in the quality of services provided to individuals for or in connection with the prevention, diagnosis or treatment of illness. Taking that into account, the medicines management team supports the CCG with commissioning services that make best use of available medicines. Your personal data will be used to fulfil this duty in respect of promoting cost-effective use of medicines as well as implementing projects or actions to optimise the use of medicines to improve outcomes, enhance patient safety and improve capacity within the local health economy.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority,

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    Data used to fulfil the above duties is received directly from the primary and secondary healthcare providers for which the CCG has responsibility.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    With regards to Medicines Management under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The organisation has adopted the retention periods for health and non-health care records as set out in the Records Management Code of Practice for Health and Social Care 2016, and its retention schedule follows that Code.

    Who we will share the information with (recipients)

    Personal data is shared between the CCG and local healthcare providers, including GP practices. They do this to facilitate the implementation of recommendations by the medicines management team.

    Care and Treatment Reviews

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Care and Treatment Reviews (CTRs) are part of NHS England’s commitment to transforming services for people with learning disabilities, autism or both. CTRs are for people whose behaviour is seen as challenging and/or for people with a mental health condition. They are used by commissioners for people living in the community and in learning disability and mental health hospitals.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    Care and Treatment Reviews are independent panel meetings about your care arranged by the CCG. The CTR panel is made up of professionals who are not involved in your everyday care. The panel members listen to you and to everyone involved in your care. They look at your notes and check that your care and plans are working well. They use this information and their own experience to decide what will improve your care and plans for the future. They speak up when they think your care could be different or better.

    CCGs have to understand people’s needs, to plan for different levels of support at different times. They work with other health and social care services to find out who needs extra support or contact to make sure things are okay. The CCG keeps a list or register of people who need support. This list or register helps the CCG work with health and social care services. It allows them to arrange the extra support needed, if a CTR is needed, or extra help for carers. If you need a community CTR, you can join this register. Ask your care co-ordinator about it.

    If someone suddenly becomes very unwell and urgently needs to go into hospital, there might not be enough time for a community CTR. If this happens, an adult should have a hospital CTR within four weeks of going into hospital, and a child or young person within two weeks. This process is carried out with consent from the patient in order to satisfy the Common Law Duty of Confidentiality.

    Data Processors

    NHS Vale of York CCG

    Other healthcare organisations involved with CTRs such as Local Authorities, Hospitals, Community Teams and GPs

    Your Rights

    With regards to Care and Treatment reviews under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
    • Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The CCG will retain this information for a period of 8 years. The retention schedule is in line with the Records Management Code of Practice for Health and Social Care 2016.

    Who we will share the information with (recipients)

    Information may be shared with the Local Authority, and primary and secondary healthcare providers.

    Referral Support Services

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    When it has been identified by your GP or Optician that you require further diagnosis and/or treatment/care, your GP/Optician will make a referral to a secondary care service. For some specialties your referral will be reviewed by an independent specialist doctor to ensure that you receive the most effective care.

    Type of information Used

    Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

    Legal basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

    GDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    How we collect (the source) and use the information

    The Referral Support Service involves a review of a copy of your GP referral against agreed clinical guidelines with the aim of ensuring the patient is seen by the right clinician, in the right place at the right time. These arrangements provide for an additional ‘check’ of referrals by a team of contracted clinicians. When you and your GP agree that you need a secondary care appointment, you can choose which hospital or clinic you go to. The Referral Support Service provides access to a system, (Choose and Book) that lets you choose your hospital or clinic and book your first appointment.

    This process is carried out with your consent in order to satisfy the Common Law Duty of Confidentiality.

    Data Processors

    e-RS Choose & Book Service

    Integrated Care Gateway – Accenda

    Your Rights

    With regards to the Referral Support Service under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
• Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The CCG does not store this information. Referral letters are filed in the patient’s record and held in accordance with the rules outlined in the Records Management: NHS Codes of Practice.

    Who we will share the information with (recipients)

This information will be shared with NHS service providers and with independent sector providers where they provide NHS secondary care services.

    Visitors to our Website

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    Monitoring how the CCG’s website is used. This is done to find out things such as the number of visitors to the various parts of the site.

    Type of information Used

    Identifiable: Personal (IP address)

    Legal basis

GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    How we collect (the source) and use the information

    When someone visits the CCG’s website information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site.

    From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.

    By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.

    We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event the purpose has been met or when you no longer wish to continue your subscription.

    Data Processors

    eMBED

    Fasthosts Web Hosting

    Your Rights

With regards to Visitors to our Website under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
• Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    Google Analytics tracking data, including visitor IP address, is retained for 26 months.

    Who we will share the information with (recipients)

    eMBED & Fasthosts Web Hosting will have access to this information.

    Film and Promotional Materials

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    We use this information to educate patients and the public on the services we provide.

    Type of information Used

Identifiable: Personal (name, facial image)

    Legal basis

GDPR Article 6(1)(a) – the data subject has given consent to the processing of his or her information for one or more specified purpose(s).

GDPR Article 9(2)(a) – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

    How we collect (the source) and use the information

We will only collect and use this information with your consent. If you no longer wish for your information to be used for this purpose you can withdraw your consent at any time by contacting us at valeofyork.contactus@nhs.net.

    Data Processors

    The CCG does not use external Data Processors for this function.

    Your Rights

    With regards to Film & Promotional Materials under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
• To withdraw your consent to the processing
• To data portability
• Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

    The CCG will keep this information for a period of 5 years as documented on our consent form.

    Who we will share the information with (recipients)

The majority of our film & promotional materials are available online via the CCG's website and are accessible/viewable by the general public.

    Information for Job Applicants

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

    The CCG will process information provided by applicants for the management of their application and the subsequent selection process.

    Type of information Used

    Anonymous – for shortlisting and selection purposes

Identifiable: Personal (such as name, address, date of birth) – following the shortlisting process

    Legal basis

GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

For criminal conviction information (obtained via the Disclosure and Barring Service (DBS)), processing meets the requirements of Article 10 of the GDPR under Schedule 1, Part 1 of the Data Protection Act 2018 (processing in connection with employment, health and research): processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection.

Relevant legislation: the provisions of the Safeguarding Vulnerable Groups Act 2006 as a basis for carrying out DBS checks.

    How we collect (the source) and use the information

The recruitment process involves passing the details provided on your application regarding your qualifications, skills and work experience (but excluding your name, address and other personal data) to the shortlisting and selection panels. After shortlisting, the full details provided on your application form will be provided to the interview panel. Details provided by you are also used to help fulfil our obligations to monitor equality and diversity within the organisation and to process your application.

    Data Processors

    eMBED Health Consortium

    Your Rights

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To be notified of data breaches

    How long we will keep the information

    Recruitment records should be kept for a period of six months after the date of appointment.

    Who we will share the information with (recipients)

    We will share the information with recruiting managers.

    Human Resources

    Data Controller(s)

    NHS Vale of York CCG

    NHS Business Services Authority (for the Electronic Staff Record aspect)

    eMBED Health Consortium

    Purpose

    The CCG holds personal and confidential information on its staff for employment-related purposes, such as recruitment, payment of salary, sickness and absence monitoring, professional development purposes and to reimburse expense claims. 

    Type of information Used

    Identifiable : Personal (such as name, address, date of birth) and Special Category (health, racial or ethnic origin information)

    Information relating to expenses : Personal (such as, name, address, payroll number, driving licence and registration, insurance, MOT, car details)

    Information relating to criminal convictions (DBS checks).

    Legal basis

GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and 6(1)(c) – processing is necessary for compliance with a legal obligation.

    GDPR Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of  employment…social protection law in so far as it is authorised by Union or Member State law.

    For reimbursement of expenses – GDPR Article 6(1)(b) – processing is necessary for the performance of a contract…

For criminal conviction information (obtained via the Disclosure and Barring Service (DBS)), processing meets the requirements of Article 10 of the GDPR under Schedule 1, Part 1 of the Data Protection Act 2018 (processing in connection with employment, health and research): processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection.

Relevant legislation: the provisions of the Safeguarding Vulnerable Groups Act 2006 as a basis for carrying out DBS checks.

    How we collect (the source) and use the information

    The CCG uses information for the purposes of employment in a variety of ways including:

• Recruitment – application forms, collecting references, carrying out DBS checks, payroll and pension information
• Managing and monitoring annual leave and sickness
• Carrying out personal development reviews
• Referrals to Occupational Health
• Disciplinary procedures
• Processing staff leavers and retirements, and providing references
• Recruitment of temporary staff/student placements
• Reimbursement of expenses

    Data Processors

    Victoria Pay Services

IBM (system supplier of the Electronic Staff Record – ESR – and EASY expenses)

    Harrogate and Rural District Clinical Commissioning Group

    Methods Consulting Ltd – management of NHS Jobs (recruitment website)

    NHS SBS (finance system) for payroll purposes

    Transfer of information overseas

    NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.

    Your Rights

    Under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To be notified of data breaches

    How long we will keep the information

    The CCG will store this information for a period of 5 years after the termination of employment.

    Who we will share the information with (recipients)

In addition to sharing with our named Data Processors above, the CCG shares information with a variety of organisations and individuals for a number of lawful purposes, including:

    • Public disclosure under Freedom of Information - e.g. requested names or contact details of senior managers or those in public-facing roles;
    • Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure & Barring Service for criminal record checks
    • Disclosure to employment agencies - e.g. in respect of agency staff;
    • Disclosure to banks & insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees;
    • Disclosure to professional registration organisations - e.g. in respect of fitness to practice hearings;
    • Disclosure to Occupational Health professionals (subject to explicit consent);
    • Disclosure to police or fraud investigators - e.g. in respect of investigations into incidents, allegations or enquiries.

    Declarations of Interests, Gifts and Hospitality Publication

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

The CCG is required to maintain and publish on its website registers of interests, gifts and hospitality for all staff of the CCG, as well as its Members, Governing Body and Committee Members.

    Type of information Used

    Identifiable: Personal (name and job role)

    Legal basis

GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation: Statutory guidance for CCGs on Managing Conflicts of Interest under Section 14O of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012).

    How we collect (the source) and use the information

    The CCG maintains and publishes Registers of Interest and Gifts and Hospitality containing names, job roles, details of the interest and/or receipt of gifts/hospitality including the details of those supplying the gift/hospitality as per the guidance on Managing Conflicts of Interest.

    Data Processors

    The CCG does not use external data processors for this function.

    Your Rights

    In exceptional circumstances, where the public disclosure of information could lead to a real risk of harm or is prohibited by law, a person’s name or other information may be withheld from the published registers. If you feel that substantial damage or distress may be caused to you or somebody else by the publication of information in the registers, you are entitled to request that the information is not published. Such requests must be made in writing to the CCG.

    Under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To restrict or stop processing
    • To object to it being processed or used
• Not to be subject to automated decision-taking or profiling
    • To be notified of data breaches

    How long we will keep the information

The CCG must retain a private record of historic interests and offers/receipt of gifts and hospitality for a minimum of 6 years after the date on which the interest expired.

    Who we will share the information with (recipients)

    The registers are published on the CCG’s website.

    Information may be shared with NHS England.

    National Fraud Initiative

    Data Controller(s)

    NHS Vale of York CCG

    Purpose

The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or undertaking a public function, in order to prevent and detect fraud under the National Fraud Initiative.

    The Cabinet Office is responsible for carrying out data matching exercises.

    Type of information Used

    Identifiable: Personal

    Legal basis

    GDPR Article 6 (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

    Relevant Legislation: Part 6 of the Local Audit and Accountability Act 2014 (LAAA).

    How we collect (the source) and use the information

    We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

    Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.

    Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

    Data matching by the Cabinet Office is subject to a Code of Practice.

For further information on data matching at this authority, contact the CCG’s Corporate Services Manager.

    Data Processors

    The Cabinet Office

    National Fraud Initiative – You can find more information about how the NFI use your data here.

    Your Rights

    Under GDPR you have the right:

    • To be informed about the processing of your information (this notice)
    • Of access to the information held about you
    • To have the information corrected in the event that it is inaccurate
    • To be notified of data breaches

    How long we will keep the information

The datasets used in the matching exercise by the Cabinet Office will be kept as per the Code of Data Matching Practice.

    Who we will share the information with (recipients)

The Cabinet Office and the Counter Fraud Authority.

    Glossary

    Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals.

    Anonymised - data which is about you but from which you cannot be personally identified.

    Caldicott Guardian – a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.

    Data Controller – natural or legal person, public body, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

    Data Processor – natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data Protection Act 2018 – UK legislation introduced in 2018 alongside GDPR to expand on the EU Regulation and to provide for areas outside the scope of GDPR (e.g. law enforcement). This Act repealed the UK Data Protection Act 1998.

Data Protection Officer – Under GDPR all Public Authorities must appoint a Data Protection Officer. The role of this person, who must be an expert in Data Protection Law, is to:

• Monitor the CCG's compliance with the GDPR
• Provide advice and assistance with regards to the completion of Data Protection Impact Assessments
• Act as a contact point for the Information Commissioner's Office (ICO), members of the public and CCG staff on matters relating to GDPR and the protection of personal information
• Assist in implementing essential elements of the GDPR such as the principles of data processing, data subjects’ rights, privacy impact assessments, records of processing activities, security of processing and notification and communication of data breaches

    General Data Protection Regulation (GDPR) – the main legislation on data protection binding all EU member states (including the UK) from May 2018.

    Identifiable - information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

    Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    Primary Care - Primary care settings include GP Practices, pharmacists, dentists and some specialised services such as military health services.

    Processing – any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    Pseudonymised - individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity.

    Right of Access Requests – The right a data subject has from the controller for confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and further information about the processing.

    Secondary Care - Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

    Senior Information Risk Owner (SIRO) – an executive or member of the Senior Management Board of an organisation with overall responsibility for information risk across the organisation.

    Special Category (Sensitive) data - categories of personal data for which special safeguards are required by law. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.