NHS North Cumbria Clinical Commissioning Group are required to provide you with a fair processing notice to inform you what information we collect about you, how we use it, who we may share your information with and who you can contact should you have any questions or concerns. 

NHS North Cumbria CCG is responsible for buying (also known as ‘commissioning’) health services from providers of healthcare such as hospitals and community services (e.g. District Nurses), and suppliers who offer non-standard services for the people of north Cumbria.

All GP practices in north Cumbria are members of the CCG. Our role is to make sure that appropriate care is in place for the people of north Cumbria today and in the coming years.

To help us to model and plan services to best meet your future healthcare needs, NHS North Cumbria Clinical Commissioning Group needs to understand the health, social and general well-being issues that people are facing today. The only way that we can achieve this is by using the information that your GP, your clinician or your social worker enter into your care record. This information may exist on paper or in electronic format and each is kept safe in an appropriate way.

There are strict rules around who can see that information and what it can be used for. The CCG uses the local safe haven within the North of England Commissioning Support Unit (NECS) which has been accredited by NHS Digital and ensuring that confidential patient data can be transmitted and stored securely. 

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you of how your information will be used, and allow you to decide if and how your information can be shared.

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people's access to their own records; controls on others' access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves.

Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee.

Access to identifiable information is strictly controlled and it is only used when it is absolutely necessary to use identifiable information. The CCG currently pseudonymises this information for non-direct health care purposes. Pseudonymisation is a process that removes the NHS number and any other identifiable information such as name, date of birth or postcode, and replaces it with an artificial identifier, or pseudonym. Data which is pseudonymised is effectively anonymous to the people who receive and hold it but allows the association of multiple events with one patient, allowing us to better understand the experience of patients accessing health services.

In the circumstances where we are required to hold or receive personal information we will only do this if:

  • The information is necessary for the direct healthcare of patients
  • We have received explicit consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation)
  • We have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care.

 

NHS Digital has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. The CCG’s Records Management Policies include guidance around the secure destruction of information in line with the Code of Practice.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

In carrying out some of these roles we may collect information about you which helps us respond to your queries or secure specialist services.

We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments.

NHS North Cumbria CCG has in place safeguards to prevent staff from identifying individuals from the data that we receive.

Information from your health records is received into our Safe Haven and any information that might allow others to identify you is removed. This means that, outside of the safe haven, no one can know, for example:

  • Your name
  • Your date of birth (is replaced with year of birth or age)
  • Your postcode (is replaced with standard area called Lower Super Output area – the name reflects a national standard that is based on the total population and number of houses in an area)

Your NHS number is replaced with a pseudonym and kept along with your GP practice and treatment details so that information from each service can be linked together without us being able to identify individuals. This gives us a fuller picture of the health of people in Cumbria and the services required to support them to stay healthy. We use this information to provide and improve health services. This data also enables health professionals to target patients who may benefit from additional preventive care. 

Further information 

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in:


What we use your information for

Your GP uses your data to provide the best care they can for you. As part of this process, your GP will use your personal and health data to undertake risk stratification, also known as case finding.

Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission as well as data collected in GP practices.

NHS Digital provides information, identifiable by your NHS Number, about hospital attendances. GP Practices provide information from GP records also identifiable by your NHS Number. Both sets of information are sent via secure transfer to the risk stratification system where they are immediately pseudonymised and linked to each other. The risk stratification system uses a formula to analyse the pseudonymised data to produce a risk score. These risk scores are available to the GP practice you are registered with, where authorised staff that are responsible for providing direct care to you are able to see these scores in a format that identifies you. This will help the clinical team make better decisions about your future care, for example you may be invited in for a review or if they think you may benefit from a referral to a new service they will discuss this with you. The CCG is provided with reports containing aggregate information, which do not identify you, to ensure we are commissioning and planning for these services as required by the population we serve.

To identify those patients individually from the patient community registered with your GP would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.

Your GP surgery uses the services of a health partner, North of England Commissioning Support Unit (NECS) to identify those most in need of preventative or improved care. This is arranged by NHS North Cumbria CCG.

NHS North Cumbria CCG will not at any time have access to your personal or confidential data. They act on behalf of your GP to organise this service with appropriate contractual and security measures only.

NECS will process your personal and confidential data. Typically this will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. Processing takes place automatically and without human or manual handling. Data is extracted from your GP computer system, automatically processed and only your GP is able to view the outcome, matching results against patients on their system.

We have implemented strict security controls to protect your confidentiality and recommend this as secure and beneficial service to you. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NECS for risk stratification purposes.

Where care is provided and the CCG is responsible for it, we will need to provide payment to the care provider. In most cases limited data is used to make such payments. In some instances information to confirm that you are registered at a GP within the CCG is needed to make such payments. This is done in line with the Who Pays Invoice Validation Guidance issued by NHS England. This automated process for validating GP registration is carried out within the secure safe haven in NECS and NHS North Cumbria CCG do not have access to your personal or confidential data.

CCGs and NHS England, which includes Commissioning Support Units, do not have a legal right to access personal confidential data (PCD) for the purpose of validating invoices. NHS North Cumbria CCG uses record level by non-identifiable data to validating invoices, meaning that we can see some of the details of the care provided but not who received the care.  This invoice validation process supports the delivery of patient care across the NHS by:

  • Ensuring that service providers are paid for the patient’s treatment
  • Enabling services to be planned, commissioned, managed, and subjected to financial control enabling commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible
  • Fulfilling commissioners’ duties of fiscal probity and scrutiny
  • Enabling invoices to be challenged and disputes or discrepancies to be resolved 

If you make an application for Continuing Healthcare (CHC) funding, NHS North Cumbria CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. This process is nationally defined and we follow a standard process and NHS North Cumbria CCG use standard information collection tools to decide whether someone is eligible.

If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, NHS North Cumbria CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.

CCGs support local GP practices with prescribing queries which generally don’t require identifiable information.

Where specialist support is required, e.g., to order a drug that comes in solid form in gas or liquid the medicines management team may order this on behalf of a GP to support your care. 

Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. 

The CCG monitors the quality of services provided to the people of Cumbria.  Quality concerns are normally systemic issues, generally affecting a service, or the ability to deliver a high quality service. We identify them using a range of information, including aggregate performance statistics, public and patient survey responses, complaints, concerns raised by clinicians and other healthcare staff, and serious reportable incidents. NHS North Cumbria CCG’s Quality Team will always use aggregate or anonymised information wherever possible.  The CCG has a statutory duty to support NHSE with the continuous quality improvement of primary medical services as set out in the HSCA 2012 and the Primary Medical Services assurance framework as well as the ensuring the quality of all the services we commission. 

Clinical Commissioning Groups collaborate closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection.

CCGs will lead the Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. They will be able to use the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system. 

NHS North Cumbria CCG is accountable for effective governance and learning following all Serious Incidents (SIs) and work closely with all provider organisations as well as commissioning staff members to ensure all SIs are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners, as well as providers had a responsibility for ensuring the quality of health services provided. 

In order for NHS North Cumbria CCG to perform its commissioning functions, information (mostly anonymised) is shared from various organisations which include: General practices, acute and mental health hospitals, other CCGs, community services, walk-in centres, nursing homes, directly from service users and many others. 

We may share your information for health purposes and for your benefit with other organisations such as Health Authorities, NHS Trusts, General Practitioners, etc. We may also need to share information with our partner organisations.

Information may also need to be shared with other non-NHS organisations, from which you are receiving care, such as Cumbria County Council, and other providers from which we commission services. Where information sharing is required with these third parties, we will always have a relevant Data Sharing Agreement/Data Processing Agreement in place and will not disclose any health information unless there is a legal basis to do so such as when the health or safety of others is at risk or where the law requires it or to carry out a statutory function.

Our guiding principle is that we are holding your records in strictest confidence.

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional.

We may be asked to share basic information about you, such as your name and address which does not include sensitive information. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we will inform you through a Fair Processing Notice, under the Data Protection Act.

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. 

NHS North Cumbria CCG has in place a Caldicott Guardian and Senior Information Risk Owner who have oversight of the handling of information within the CCG or by any support organisations we may buy services from. The Caldicott Guardian is a senior person responsible for protecting the confidentiality of service users and service user information and enabling appropriate and lawful information sharing.  Each NHS organisation is required to have a Caldicott Guardian.  This became an NHS requirement in 1999.

The contact details of our Caldicott Guardian are as follows:

Dr David Rogers - Medical Director

NHS North Cumbria CCG has commissioned North Cumbria Integrated Care NHS Foundation Trust to provide Information Governance advice and administrative support.

You can visit their website for further information here

If you would like to find out about what national initiatives may affect you, visit:

The NHS Constitution sets out rights for patients, public and staff. It outlines NHS commitments to patients and staff, and the responsibilities that the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively. All NHS bodies and private and third sector providers supplying NHS services are required by law to take account of the Constitution in their decisions and actions.

The Health Research Authority protects and promotes the interests of patients and the public in health and social care research.  They work to make the UK a great place to do research where more people have the opportunity to participate in health and social care research and continue to feel safe when they do.

At any time you have the right to refuse/withdraw consent, in full or in part, to information sharing. The possible consequences will be fully explained to you to allow you to make an informed decision.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. These commitments are set out in the NHS Constitution.

If you do not want your personal information being shared and used for purposes other than your care and treatment, then you should contact the GP Practice you are registered with and ask for further information about how to register your objections. This should not affect the care and treatment you receive. See section on Patient Control of Information for further details.

You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care.There are two choices available to you:

  • You can object to information about you leaving a GP Practice in an identifiable form for purposes other than your direct care, which means confidential information about you will not be shared with the CCG, NHS Digital or other organisation for any non-direct care purpose. This is referred to as a ‘type 1′ objection; or;
  • You can object to information about you leaving NHS Digital in identifiable form, which means confidential information about you will not be sent to anyone outside NHS Digital. This is referred to as a ‘type 2′ objection.

Information from other places where you receive care, such as hospitals and community services is collected nationally by NHS Digital.

If you do not want information that identifies you to be shared outside your GP practice, please speak to a member of staff at your GP practice to ask how to “opt-out”.

The Practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or public health emergency.

If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice.

Patients are only able to register the opt-out at their GP practice.

For further information and support relating to type 2 opt-outs please contact  NHS Digital contact centre at enquiries@nhsdigital.gov.uk referencing ‘Type 2 opt-outs — Data requests’ in the subject line; or

Alternatively, call NHS Digital on (0300) 303 5678; or

Alternatively visit the NHS Digital website here.

In both cases, it is still necessary for NHS Digital to hold information about you in order to ensure data is managed in accordance with your expressed wishes. Please see “Patient Objections Management” on NHS Digital website for further information.

If you have questions about this, please speak to staff at your GP practice, check NHS Digital frequently asked questions, or call their dedicated patient information line on 0300 456 3531.

The CCG directly collects and processes personal data for IFR, CHC, Safeguarding and Complaints.  The CCG requires either explicit consent from you or a statutory basis (in some safeguarding cases) to do this.  If you no longer want your data to be used (‘Opt-out’) for these purposes, please contact the individual services involved. They will be able to explain the implications of your choice and will ensure that your data is treated appropriately.

Information may be withheld if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld.

Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.

We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you.

If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention.

If you would like to know more about how we use your information, or if (for any reason) you do not wish to have your information used in any of the ways described above, please contact:

NHS North Cumbria Clinical Commissioning Group
4 Wavell Drive
Rosehill, Carlisle
Cumbria
CA1 2SE
  • Telephone no: 01768 245 486

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

NHS North Cumbria CCG is a ‘Data Controller’ under the Data Protection Act 1998. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the data protection principles. We must also tell the Information Commissioner about all of our data processing activity. Our registration number is Z3582415 and our registered entry can be found on the Information Commissioner’s website.

All of our staff receive training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. A limited number of authorised staff have access to personal data where it is appropriate to their role.

We have entered into contracts with other organisations to provide services for us. These organisations include:

  • North of England Commissioning Support Unit — Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, HR & Payroll, Individual Funding Requests, Continuing Healthcare
  • North Cumbria Integrated Care NHS Foundation Trust – IT Provider

This includes holding and processing data including patient information on our behalf. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the Data Protection Act (Principle 8). 

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to NHS North Cumbria CCG.

North of England Commissioning Support Unit (NECS) handles these requests on our behalf.  You should therefore be aware that, your request will be forwarded to NECS in order that it can be actioned.  With your permission, NECS staff will access relevant records and information regarding your request and share this with the CCG.

We may charge a reasonable fee for the administration of the request, set down in law as follows:

  • If the information is only held electronically we may charge up to £10 for complying
  • If the information is only held wholly or partly in paper format we may charge up to £50 for complying.

If you wish to make a SAR please contact the NECS at:

Subject Access Requests
Freedom of Information Office
John Snow House
Durham
DH1 3YG

You can also email: NECSU.NorthCumbriaIG@nhs.net

Note: In order to deal with a SAR, NHS North Cumbria CCG will need to share information with NECS. 

The Freedom of Information Act (2000) gives every Individual the right to request information held by Government Agencies. Private Companies are not subject to this act.

Please note that a Freedom of Information Request is not a Subject Access Request.

For postal requests, please send to the Freedom of Information Team at:

Freedom of Information Act Requests
NHS North Cumbria CCG Headquarters
4 Wavell Drive
Rosehill, Carlisle
Cumbria
CA1 2SE

You can also email your request to foi@northcumbriaccg.nhs.uk

Your request for information must be made in writing and you are entitled to a response within 20 working days.

The CCG will retain legal responsibility for the information held about you until it is formally dissolved or until agreements are put in place to transfer responsibility. 

If you have a complaint about NHS North Cumbria CCG or a service we commission, we will use your information to communicate with you and investigate any complaint if it’s the responsibility of the CCG.

The Clinical Quality Team at the North of England Commissioning Support Unit (NECS) handles complaints on our behalf. You should therefore be aware that, your complaint will be forwarded to NECS in order that it can be investigated.  With your permission, NECS staff will access relevant records and information regarding your complaint and share this with the CCG.

Please contact:

The Complaints Team
North of England Commissioning Support (NECS)
John Snow House
University Science Park
Durham
DH1 3YG

Should you have any concerns about how your information is to be used or if you do not wish your information to be shared by the CCG with NECS then please email your complaint via enquiries@northcumbriaccg.nhs.uk. Please let us know when you make your complaint.

If you are not happy with our responses and have exhausted all the avenues in the CCG Complaints Process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing to the following address:

Wycliffe House
Water Lane
WILMSLOW
Cheshire
SK9 5AF
  • You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
  • Or email: casework@ico.org.uk

This is Version 2.0 of the NHS North Cumbria CCG Fair Processing Notice and was published on 27th July 2018. This version will be reviewed in October 2018 unless there are significant changes to the use and processing of information in the CCG before that date.

  • Appendixes A and B are included on the linked document at the top of the page. They include Glossary and Legal basis table.