How we use your information


North Somerset Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning.

We need to use information about you to enable us to do this effectively, efficiently and safely.

You can find out more on the About Us page.


National Fraud Initiative – Level 2 Fair Processing Notice

As part of the fair processing notification, participating organisations are required to publish a level 2 notice.

What is this Privacy Notice about?

This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It is part of how we ensure we are open and transparent in the data processing activities we carry out in order to meet our commissioning obligations.

It covers information we collect directly from you or receive from other individuals or organisations.

This notice is not exhaustive. However, we are happy to provide any more information or explanation needed. Please contact us using the contact details at the end of this notice.

Our Commitment to data privacy and confidentiality issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

North Somerset CCG is a Data Controller under the terms of the Data Protection Act 1998. We are legally responsible for ensuring that all personal information that we process about you (i.e. hold, obtain, record, use or share) is handled in compliance with the 8 Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3621146 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

ICO.gov.uk

Everyone working for the NHS has a legal duty to keep information about you confidential.

The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and support your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us; and/or
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

All information that we hold about you will be held securely and confidentially.

We use administrative and technical controls to do this including strict procedures and encryption. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

We will only keep information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. When appropriate we will confidentially and securely dispose of information in accordance with the Code of Practice.

Overseas transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Your rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.

You have the right to privacy and to expect the NHS to keep your information confidential and secure.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.

These are commitments set out in the NHS Constitution. For further information, please visit the GOV.UK website.

GOV.UK

You have the right to withdraw consent to us sharing your personal information.

If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We will explain the possible effect this could have on our ability to help you and discuss the alternative arrangements that are available to you.

You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact us using the contact details at the end of this notice.

What is the patient opt-out?

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".

There are several forms of opt-out available at different levels. These include, for example:

A. Information directly collected by the CCG:

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation.

B. Information not directly collected by the CCG, but collected by organisations that provide NHS services:

Type 1 opt-out

If you do not want personal confidential information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice.

This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code applied to their medical records, which will stop those records from being shared outside of the GP practice.

Type 2 opt-out

NHS Digital (previously the Health and Social Care Information Centre, HSCIC) collects information from a range of places where people receive care, such as hospitals and community services.

Patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care. This is known as a 'Type 2 opt-out'.

If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.

Patients are only able to register the opt-out at their GP practice.

Further Information and Support about Type 2 opt-outs:

For further information and support relating to Type 2 opt-outs, please contact NHS Digital contact centre at enquiries@nhsdigital.nhs.uk referencing 'Type 2 opt-outs - Data requests' in the subject line; or call them on 0300 303 5678.

NHS Digital

Circumstances in which you may be unable to opt-out

Where there is an overriding legal obligation for us to process your personal confidential information, you will not be able to opt out. These circumstances would include:

  • To protect children and vulnerable adults; 
  • When a formal court order has been served upon us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime; 
  • Emergency Planning reasons such as for protecting the health and safety of others; 
  • When permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this seriously.

We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

We would also welcome any suggestions for improving our procedures. Please see our Making a complaint page for more information.

For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Phone: 08456 30 60 60 or 01625 54 57 45 

ICO.org.uk

Complaints may also be made directly to the Information Commissioner’s Office.

Subject access requests

Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Let you have a copy of the information in an intelligible form.

To make a request for any personal information we may hold you need to put the request in writing to our contact address provided at the end of this notice.

If we do hold information about you, you can ask us to correct any mistakes.

Confidentiality advice and support

North Somerset CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing.

The contact details of our Caldicott Guardian are as follows:

Dr Mary Backhouse, Chief Clinical Officer for North Somerset CCG
Email: enquiries@northsomersetccg.nhs.uk (mark messages for the attention of Dr Mary Backhouse, Caldicott Guardian)

Personal information we collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • If you have made a complaint to us about healthcare that you have received and we need to investigate
  • If you ask us to provide funding for Continuing Healthcare services
  • If you are using our referral support service
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care.
  • If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user groups.

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you, or from health professionals and other staff directly involved in your care and treatment.

Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:

Personal Confidential Data: This includes:

  • Personal information: in accordance with the Data Protection Act definition, this includes information which relates to a living individual and includes expression of opinion. The definition has been extended to include information relating to deceased individuals as well.
  • Sensitive Personal Data: in accordance with the Data Protection Act definition, this includes information about an individual’s racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual life; alleged criminal activity; or court proceedings.
  • Confidential Information: this includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. It is also adapted to include ‘sensitive’ information as defined in the Data Protection Act.

Personal Confidential Data may include: your name, address, postcode, date of birth and NHS number; information about your appointments and clinic visits; reports and notes about your health, treatment and care; relevant information about people who care for you, such as next-of-kin and other health professionals.

Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.

Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification.

The data used may relate to Primary or Secondary care. Primary Care data relates to primary care services such as GPs, pharmacists and dentists, including military health services and some specialised services.

Secondary care services include planned hospital care, rehabilitative care, urgent and emergency care, community health services, mental health services and learning disability services.

Reviews of and changes to our Privacy Notice

We will keep our privacy notice under regular review. This privacy notice was last reviewed in September 2016.

Contact us

If you have any questions or concerns about how we use your information, please contact us.

For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Phone: 08456 30 60 60 or 01625 54 57 45

ICO.gov.uk

Further information

Further information about the way in which the NHS uses personal confidential data and your rights can be found in: