NHS Stockport Clinical Commissioning Group Privacy Notice
Who we are
NHS Stockport Clinical Commissioning Group are committed to ensuring that we’re transparent about the ways in which we use your personal information and that we have the right controls in place to ensure it is used responsibly and is kept safe from inappropriate access, theft or misuse.
We are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.
This privacy notice is part of our programme to make transparent the data processing activities we carry out in order to deliver our commissioning activities.
This privacy notice explains how we use your personal information and tells you about your privacy rights and how the law protects you.
Our Commitment to Data Protection and Confidentiality.
Stockport CCG is committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We would not share information that identifies you unless we have a fair and lawful basis such as:
All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We require our service providers to implement appropriate industry standard security measures. We only permit them to process your personal information for specified purposes in accordance with our contractual instructions.
We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.
Personal information can be anything that identifies and relates to a living person. This can include information that, when linked with other information, allows a person to be uniquely identified. For example, this could be your name and contact details.
The law treats some types of personal information as ‘special’ because the information requires more protection due to its sensitivity. This information consists of:
Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information, such as an NHS number, postcode or date of birth, with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification (identification is not likely to take place).
Purposes of processing personal information
As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:
Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information, such as an NHS number, postcode or date of birth, with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
Anonymised Information: This is data rendered into a form that does not identify individuals and where there is little or no risk of identification (identification is not likely to take place).
The Information we process and share.
Your personal information may also be shared with other organisations, such as those who assist us in providing services and those who perform technical operations on our behalf.
These practical arrangements and the laws governing the sharing and disclosure of personal information often differ from one service to another.
The following table lists the purposes and rationale for why we collect and process information.
Further information regarding service specific processing activities includes the following:
Stockport CCG data sharing projects
| Purpose for processing | Legal Basis / Rationale |
|---|---|
| Complaints | To process your personal information if it relates to a complaint where you have asked for our help or involvement. |
| Funding of Treatments | We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. |
| Continuing Healthcare | We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages. |
| Safeguarding | We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns. |
| Human Resources | We will collect and process identifiable information in relation to CCG employees. |
| Risk stratification | This is a process that allows the CCG to identify and manage patients who are at high risk of emergency hospital admission. |
| Invoice Validation | A small amount of information that could identify you is used within a special secure area within the commissioning environment, known as a Controlled Environment for Finance (CEfF), so that the organisations that have provided care for you can be paid. |
Confidentiality Advice and Support
The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information sharing.
The contact details of our Caldicott Guardian are as follows:
Antia Rolfe, Executive Nurse.
Detect and prevent fraud or crime
By law, we have to protect the public funds we administer. We may use any of the information you provide to prevent and detect fraud. We may share this information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police.
We may use data matching to identify errors and potential frauds and we take part in national data matching exercises undertaken by the Audit Commission where permitted under the Data Protection Act.
We may share the information we hold with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent the risk of harm to an individual.
Data Transfers beyond the European Union
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
We will only keep your personal information for as long as the law specifies. Where the law does not specify this, we will keep your personal information for the length of time determined by our business requirements. This is available in the individual privacy notices.
How we keep your information safe
We are committed to ensuring your personal information is safe and protected from accidental loss or alteration, inappropriate access, misuse or theft.
As well as technical, physical and organisational controls, we recognise that a ‘well trained’, informed and security-alert workforce minimises privacy risks from human error and/or threats.
We require our service providers to implement appropriate industry standard security measures. We only permit them to process your personal information for specified purposes in accordance with our contractual instructions.
You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal data we hold about you.
You may exercise the rights listed below in relation to our use of your personal information. Some rights are absolute and others are not.
To find out more about how these rights apply in particular circumstances, please refer to our Guide to exercising your rights (Data Subject Rights). For more information about your rights, visit the Information Commissioner’s website at www.ico.org.uk
To raise a concern about the handling of your personal information by Stockport CCG, please contact our Data Protection Officer (DPO).
Telephone: 0161 426 9900
To request any of the following, please write to NHS Stockport Clinical Commissioning Group, 7th Floor, Regent House, Heaton Lane, Stockport, SK4 1BS. Whether you are exercising your rights or raising a concern, you will normally need to include documents that prove your identity as well as a clear and precise description of your request/concern.
We will process requests in accordance with the legislative framework and the statutory time scales, and inform you should an extension of time be necessary.
Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you, we will:
To make a request for any personal information we may hold, you need to put the request in writing to our contact address provided further below.
Rectification & Erasure:
You may request that we rectify or delete any of your personal information if you consider it is incomplete, factually incorrect, processed unlawfully, or is unnecessary or no longer needed.
Review of automated decision-making:
Our Guide to exercising your Rights outlines the procedure to ask us for an automated decision to be reviewed by an appropriate officer.
You may object, at any time, to your personal information being processed.
This applies to processing:
Restriction of Processing:
You may request restriction of processing (quarantining) of your personal information for reasons such as, for example:
In defined circumstances, either where the processing relies on your consent or arises out of a legal contract, you may request we supply a copy of personal information that you have provided to us in a portable and machine-readable format.
Right to Withdraw Consent / Opt-Out
NHS Digital is developing a new system to support the national data opt-out that will give users more control over how identifiable health and care information is used. This will effectively opt out of confidential patient information being used for reasons other than their individual care and treatment. It will be available from 25 May 2018. To read more visit the website https://digital.nhs.uk/services/national-data-opt-out-programme
If you are not satisfied with the way we have answered a request from you or handled your personal information, you have the right to make a complaint to the Information Commissioner https://ico.org.uk/global/contact-us/
This right is not dependent on you raising a complaint with us first, but we would encourage you to contact us by emailing email@example.com so we can consider your concerns as quickly as possible.
We may update or revise this privacy notice at any time, so please refer to the version published on our website for the most up-to-date details.