The General Data Protection Regulations (GDPR) and the Data Protection Act 2018
The new Data Protection Legislation will be in place on the 25th May 2018
Date: 24 May 2018
SCW are getting ready for the new General Data Protection Regulations (GDPR) which comes into force on the 25th May 2018 and the new Data Protection Act 2018 which has become Law. These new regulations will replace the existing Data Protection Act 1998, and we are working very hard to ensure we comply.
What are SCW doing?
We are reviewing our processes, our forms, our policies, in fact everything that we do to make sure we comply with the Law. We are working with the customers that we support to make sure that they also have what they need to do the same.
As an NHS organisation, SCW already has much of what is needed in place, we have to demonstrate that we manage information safely, securely and comply with the Law as part of an annual self-assessment but this does not mean there is nothing to do now.
As we are governed by NHS England, we do not need to appoint a Data Protection Officer but we do have a senior member of staff who acts as our Data Protection lead. They support the NHS England Data Protection Officer with their tasks but will also act as a contact point for any questions you may have about the new Law.
If you want to contact the NHS England Data Protection Officer you can e-mail them at firstname.lastname@example.org
To contact the SCW Data Protection Lead please e-mail SCWCSU.IGEnquiries@nhs.net or telephone 02380627579. Should you wish to communicate with us by post please write to
The Head of Information
NHS South, Central and West Commissioning Support Unit
Floor 2, Omega House
Fair Processing Notice (Privacy Notice)
Your personal information – what you need to know
Who we are and what we do
NHS South, Central and West Commissioning Support Unit (SCW) are hosted by NHS England and provide a range of commissioning support services to Clinical Commissioning Groups (CCGs) and provider organisations. The range of services may include:
- The management and investigation of complaints
- Handling of Freedom of Information requests
- Communications and engagement services
- Advice and guidance on access to personal records
- Information Governance
- Recruitment of staff
- Contract monitoring
- Business Intelligence
- Financial services
- IT services
This may involve the disclosure of relevant personal information to us and may be used for informing commissioning decisions and providing information to the CCGs and Provider organisations.
SCW staff, payroll data and personal identifiers such as contact details may be provided to bodies responsible for auditing, administering public funds or where undertaking a public function for the purposes of preventing and detecting fraud.
For further information please refer to the 'Who we are' page https://www.scwcsu.nhs.uk/about-us/
Using your information
SCW holds some information about you and this document outlines how that information is used, who we may share that information with and why, how we keep it secure (confidential) and what your rights are in relation to this.
What kind of information do we use?
We do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
- Your name, address, your date of birth and your NHS number, contact details
- Details of your GP, what treatment you have received and where you received it
- Details of concerns or complaints you have raised about your health care provision and we need to investigate
- If you ask your CCG for help or involvement with your healthcare, or where the CCG are required to fund specific specialised treatment for a particular condition that is not already covered in their contracts with organisations that provide NHS care
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system.
We use the following types of information/data:
- Personal Confidential Information - this term describes personal information or data about identified or identifiable individuals, which should be kept private or secret. For the
purposes of this notice ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’, as defined in the Data Protection Act.
- Pseudonymised - this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data
- Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified
- Aggregated - anonymised information that is grouped together so that it doesn't identify individuals
What do we use your Personal Confidential Data for?
There are some limited exceptions where we may hold and use personal confidential information about you. The areas where we regularly use personal confidential information include:
- Responding to your queries, compliments or concerns
- Where there is a provision permitting the use of confidential personal information under specific conditions, for example to:
- Understand the local population needs and plan for future requirements, which is known as “Risk Stratification for commissioning"
- The information is necessary for your direct healthcare needs
- We need to respond to patients, carers or Member of Parliament communications
- You have freely given your informed agreement (consent) for us to use your information for a specific purpose
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
- Where we have been asked to undertake analysis using your information on behalf of a CCG or other Healthcare Provider
What do we use non-identifiable data for?
We use pseudonymised, anonymised and aggregated data to help plan health care services. Specifically we use it to:
- Support CCGs and NHS England to check the quality and efficiency of the health services they commission and review the care being provided to make sure it is of the highest standard
- Prepare performance reports on the services CCGs and NHS England commission
- Help CCGs and Providers work out what illnesses people may have in the future, so they can plan and prioritise services and ensure these meet the needs of patients in the future.
Do we share your information with other organisations?
CCGs commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. SCW CSU therefore share anonymised statistical information with them for the purpose of improving local services, research, audit and public health; for example understanding how health conditions spread across our local area compared against other areas.
We would not share information that identifies you unless we have a fair and lawful basis such as:
- You have given us permission;
- We need to act to protect children and vulnerable adults;
- When a formal court order has been served upon us;
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
The law provides some NHS bodies, particularly NHS Digital, (formally the Health and Social Care Information Centre), ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve. We are permitted to process this information as the CCGs we support have asked NHS Digital to share this information with us so that we can undertake the data analysis for them. Agreements are in place between the CCGs and NHS Digital confirming this.
How we process information within SCW
Data may be anonymised and linked with other data so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
When we are asked to analyse current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care data from your Doctor (GP) with other data such as hospital inpatient stays, outpatient appointments and A&E attendances; this type of data is called secondary uses service (SUS) data. In some cases there may also be a need to link local datasets which could include a range of other hospital based services such as radiology, physiotherapy, audiology etc., as well as mental health and community-based clinics and services such as district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CSU does not have any access to identifiable data for these purposes.
A full list of details including the legal basis, any Data Processor involvement and the purposes for processing information can be found in Appendix A.
What safeguards are in place to ensure data that identifies you is secure?
We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All SCW CSU staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the SCW CSU and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
SCW has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. The contact details of our Caldicott Guardian are as follows:
Liam Williams - Director of Commissioning
They are supported by another senior member of staff who is responsible for information risk and information security, this person is called the Senior Information Risk Owner (SIRO). The contact details of our SIRO are as follows:
Rod How – Chief Finance Officer
NHS England, who hosts SCW, is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. Their registration number is Z2950066 and a copy of the registration is available through the ICO website.
How long do we hold information for?
All records held by SCW will be kept for the duration specified by national guidance from NHS Digital, http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures.
Your right to opt out of data sharing and processing
The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
You have the right to withdraw consent to us sharing your confidential and personal information if you do not wish us to process or share it.
There are several forms of opt- outs available at different levels. These include for example:
Information directly collected by SCW. Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation. We will first need to explain how this may affect the care you receive but you can do this by writing to us.
Information not directly collected by SCW but collected by organisations that provide NHS services. These are known as Type 1 and Type 2 opt-outs and are described below:
Type 1 opt-out
If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.
Type 2 opt-out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. To support NHS constitutional rights, patients within England are able to opt out of their personal confidential information being shared by NHS Digital for purposes other than their own direct care. If you do not want your personal confidential information to be shared outside of NHS Digital you can register a ‘Type 2 opt-out’ with your GP practice.
NHS Digital takes the responsibility for looking after care information very seriously. Please follow the NHS Digital links on how we look after information for more detailed documentation.
NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.
Gaining access to the data we hold about you
SCW does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to your GP Practice, the hospital or NHS organisation which provided your health care.
Where information from which you can be identified is held by SCW CSU, you have the right to ask to:
• View this or request copies of the records by making a subject access request.
• request information is corrected
• have the information updated where it is no longer accurate
• ask us to stop processing information about you where we are not required to do so by law
Everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data, but you may be charged a fee.
If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld. If you wish to have a copy of the information we hold about you, please note that there may be a charge for this (of up to £50).
You can do this by writing to us at:
SCW Commissioning Support Unit
What is the right to know?
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that SCW CSU holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act under FOIA. However you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.
Your request must be in writing and can be either posted or emailed to:
Please write “Freedom of Information” in the subject line
Postal requests should be directed to:
Freedom of Information
PO Box 16738
Information Commissioners Office
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Complaints or questions
We try to meet the highest standards when collecting and using personal information. If you have any concerns about this or feel that our collection or use of information is unfair, misleading or inappropriate. You can contact NHS England at:
Telephone: 0300 311 22 33
Please write “Complaints” in the subject line
Postal requests should be directed to:
NHS England Customer Contact Centre
PO Box 16738
For further information go to: https://www.england.nhs.uk/contact-us/complaint/complaining-to-nhse/
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This Fair Processing notice was last updated in March 2017.
Activity and Rationale
Complaints Purpose – To process your personal information if it relates to a complaint where you have asked for our help or involvement.
Legal Basis - We will need to rely on your explicit consent to undertake such activities.
Data Processor – We process this information ourselves.
Individual Funding Requests Purpose – We may need to process your personal information where we are required to process the application to fund specific treatment for you for a particular condition that is not already covered in existing healthcare provider contracts.
Legal Basis - The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this with us.
Data Processor – We process this information ourselves.
Risk Stratification Purpose – Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP practice record systems.
SCW manages contracts with risk stratification software providers on behalf of the CCGs. These software systems will make available non-identifiable information to help the CCGs understand their local population needs, whereas GPs can use the software to be able to identify which of their patients are at risk in order to offer a preventative service to them.
Legal Basis - The use of data by CCGs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017
NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable hospital admissions.
Knowledge of the risk profile of the population can help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with the GP practices.
SCW assist CCGs in providing Risk Stratification tools and they have commissioned The Sollis Partnership Ltd. to provide a software system called Clarity Patients.
Data Processing activities for Risk Stratification - NHS Digital provides data about your hospital attendances (SUS) identifiable by your NHS Number and has signed a data sharing agreement with the CCGs for the use of this data.
Your GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number. This is sent via secure transfer, directly into the landing stage of Sollis’s system. Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GP’s and NHS Digital.
Opting Out - If you do not wish information about you to be included in the risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose. Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
Invoice Processing Purpose – This process ensures that those who provide you with care and treatment can be paid.
Data Processors – SCW CSU and NHS Shared Business Services (SBS) process invoices on behalf of the CCGs. They do not require and should not receive any patient confidential data to provide these services.
NHS England has published guidance on how invoices must be processed. For more information see: https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice- validation-faqs/
Commissioning, planning and contract monitoring Purpose – To collect NHS data about services the CCGs have commissioned to provide services to you.
Legal Basis - The legal basis for collecting and processing information for this purpose is statutory. The CCGs set out reporting requirements as part of their contracts with NHS service providers and do not ask them to give us identifiable data about you.
Data Processor – NHS Digital collect various data sets from NHS service providers that have been agreed locally. All identifying information about you is removed by NHS Digital before the information is made available to SCW CSU. For more information about the types of data that NHS Digital collect please use this link http://digital.nhs.uk/datasets.
National Registries National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Research Purpose - To support research oriented proposals and activities in the commissioning system
Legal Basis - Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. If this is not possible then the organisation wishing to use your information will need to seek formal approval from the Data Access Advisory Group. This link will give you further details on this process http://digital.nhs.uk/daag
Surveys and asking for your feedback Sometimes SCW may offer you the opportunity to take part in a survey that the CCG is running to ask specific questions about a service, a proposal or other aspect of the work of the CCG or the wider health service. SCW will not generally ask you to give us any personal confidential information as part of any survey.
Legal Basis – you are under no obligation to take part and where you do, SCW consider your participation as consent to hold and use the responses you give us.
Data Processor - SCW use a company called SurveyMonkey to administer surveys. SCW have entered into a formal Data Processing Agreement with them. Details of SurveyMonkey can be found here https://www.surveymonkey.co.uk/
Other organisations who provide support services for us SCW will use the services of additional organisations (other than those listed above), who will provide additional expertise to support our work.
Legal Basis - We have entered into contracts with other organisations to provide some services for us or on our behalf. These organisations may process CCG data and could be identified as ‘data processors’. Information that we may hold about you will not be shared or made available to any of these organisations. Below are their details and a brief description of the functions they carry out on our behalf:
PHS Records Management – For storing archived records
Shred-It Limited – Confidential Waste Disposal Company