How we use your information

Fair Processing Notice - How We Use Your Information

Patient Communications

This Clinical Commissioning Group will contact patients at times in relation to services, feedback and new initiatives in the area that they have registered an interest in.

We collect and store information that has been received directly from you when you have consented to this process.

We may share information with the following organisations with your explicit consent or when the law allows: GP Practices or other Healthcare Providers.

You have the right to object to your identifiable information being used or shared for this purpose. Please speak to the CCG if you no longer wish to have your data used or be contacted by the CCG in future. 

Patient Participation and Engagement Groups

This Clinical Commissioning Groups hosts Patient Participation and Engagement groups to improve the quality of services delivered by the CCGs.  

We collect and store information that has been received directly from you if you are actively involved in the Patient Participation or Engagement group.

We may share information with the following organisations with your explicit consent or when the law allows: GP Practices or other Healthcare Providers.

You have the right to object to your identifiable information being used or shared for this purpose. Please speak to the Clinical Commissioning Group if you no longer wish to have your data used or be a part of the Patient Participation or Engagement group. 

Medicines Management

This Clinical Commissioning Group has a Medicines Management Function to support patients and also help to deliver cost effective changes at GP Practices.

The processing takes place under two national Service Level Agreements, the National Tariff Excluded Drugs Service and the Home Oxygen Service.

Personal data is used for both care outcomes and monitoring although any reports based on this do not contain personal data.

We collect and store information that has been received directly from the patient or from the following organisations; - GP Practices, NHS Trusts, Providers and Care Homes.

We may share information with the following organisations with your explicit consent or when the law allows: GP Practices and other Healthcare Providers.

You have the right to object to your identifiable information being used or shared for this purpose. Please speak to the Clinical Commissioning Group if you no longer wish to have your data used by the Medicines Management Team.

Complaints, Subject Access Requests and Freedom of Information Requests

This Clinical Commissioning Group holds and uses limited patient data for the purposes of Complaints, Subject Access Requests and Freedom of Information Requests.  

We collect and store information that has been received directly from you or organisations such as Local Authority and GP Practices if you are a patient with the Continuing Healthcare, IFR or Medicines Management Team.

Under GDPR and the Data Protection Act 2018, you have the right to see or be given a copy of any personal data held about you by the Clinical Commissioning Group. To gain access to a copy of your information, you will need to make a Subject Access Request (SAR) to the Clinical Commissioning Group.

Under the Freedom of Information Act 2000, you have the right to request copies of non-personal information held by the Clinical Commissioning Group. To gain access to a copy of your information, you will need to make a Freedom of Information (FOI) Request to the NELCSU.foi@nhs.net

Should you wish to make a complaint to the Clinical Commissioning Group, then there may be a need for them to view and access your patient data or request some from you directly. This will allow the Clinical Commissioning Group to look into your complaint.

Public Health 

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Public Health England (PHE) monitors the numbers of certain infections that occur in healthcare settings through routine surveillance programmes, and advises on how to prevent and control infection in establishments such as hospitals, care homes and schools. In order to allow PHE to carry out accurate monitoring of infections, it may rely on information held by the CCG with regards to Healthcare Acquired Infections (HCAIs).

This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.

Some of the relevant legislation includes:

Quality Alerts

A Quality Alert is a systemic issue, generally affecting a service, or the ability to deliver a high quality service. The CCG's Quality Team triage quality alerts (QA's) and incidents reported by GPs/Provider organisations. The CCG has a statutory duty to support NHS England with the continuous quality improvement of primary medical services as set out in the Health and Social Care Act 2012 and the Primary Medical Services assurance framework.

In order for the CCG to triage quality alerts and incidents reported by GPs and providers, the Quality team at the CCG may require the relevant individual's NHS number in order to investigate the quality alert or incident. 

Safeguarding

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called "Safeguarding".

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:

Section 47 of The Children Act 1989 :
(https://www.legislation.gov.uk/ukpga/1989/41/section/47),

Section 18 Schedule 1 Part 2 of Data Protection Bill 2018

(https://www.legislation.gov.uk/and

Section 45 of the Care Act 2014 http://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.

In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being;

Section 17 Children Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17

Direct Care, (routine care and referrals)

The CCG keeps identifiable and clinical data on you relating to the Continuing Health Care, Individual Funding Request and Personal Health Budget services where you have applied for these services.

This data is used to assess whether you meet the criteria for funding for these services and to enable provision of services thereafter.

People who have access to your information will only normally have access to that which they need to fulfil their roles.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to comply with our legal obligations. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

Incident Management

The CCG takes every measure to ensure that no identifiable personal data is accessed or shared without complying with necessary regulations. On the rare occasion that the CCG or one of our providers may breach these regulations it is our duty to investigate what may have caused such an incident and the consequences of this.

In these circumstances the CCG may be required to obtain and process information relating to the data subject in order to fully investigate and inform the individual of the outcome of their enquiries. The CCG will always ensure the information obtained is not excessive, in line with the Data Protection Principles of GDPR Article 5(1)(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation').

HR, Staffing, Employment, Recruitment & Training

This Clinical Commissioning Group collects and stores information pertaining to staff for the purposes of HR, Employment, Recruitment and Training.

Information is collected and stored about prospective, current and past employees, including self-employed and temporary staff.

Data is collected for purposes including recruitment, occupational health, vetting checks, staff training and payroll. 

We commission NEL to carry out and manage our HR processes.

We share information with the following organisations with your explicit consent or when the law allows: Future Employers Reference Request, HM Revenue & Customs and NEL.

Invoice Validation

Invoice validation is an important process in ensuring that your care is paid for correctly. It involves using your NHS number to check that we are the CCG that is responsible for paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. 

The process makes sure that the organisations providing your care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment for finance (CEfF) (within/on behalf of) the CCGs. The use of personal data by CCGs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and is scheduled for review 30 September 2018. Further information regarding this can be found here: https://www.hra.nhs.uk/planning-and-improving-research/application-summaries/confidentiality-advisory-group-registers/

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1)Controller contact details

Wandsworth CCG
www.wandsworthccg.nhs.uk

2) Data Protection Officer contact details

 

NEL Head of Information Governance
nelcsu.dpo@nhs.net
03000 428438

3) Purpose of the  processing

To enable the CCG to ensure accurate payment of invoices. To provide accountability and fulfil their legal obligations.

4) Lawfulness Conditions and Special Categories

The lawful basis for processing, storing and sharing this data are;-   

Article 6(1)(c)the processing is necessary for compliance with any legal obligation to which the controller is subject”

The CCG does not require access to Special Category data for the purposes of Invoice Validation and will not process data at this level.

5) Recipient or categories of recipients of the processed data

The data will be shared with our external provider into a Controlled Environment for Finance (CEfF).
Anonymised data will further be shared with NHS Shared Business Services (SBS) to arrange payment of the invoice.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21of GDPR. Please contact the Controller for more information.
You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.
Under the Confidentiality Advisory Group review 10 October 2017 the requirement to oblige with patient objections from the flow of information to Controlled Environments for Finance (CEfF) which are required to support invoice validation was removed.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016  or speak to the Clinical Commissioning Group.

9)  Right to Complain

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/  

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)