How we use your information
Bath and North East Somerset, Swindon and Wiltshire Integrated Care Board (BSW ICB) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary care services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely. For further information please refer to the About us section.
The ICB is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud. The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the Gov.uk website.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection legislation.
- Data matching by the Cabinet Office is subject to a Code of Practice. Find out more about the Code of Practice on the Gov.uk website.
- View more information on the Cabinet Office's legal powers and the reasons why it matches particular information
This fair processing notice is part of our programme to make the data processing activities we are carrying out in order to meet our commissioning obligations transparent. This fair processing notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.
It covers information we collect directly from you or receive from other individuals or organisations. This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed.
Reviews of and changes to our fair processing notice
We will keep our fair processing notice under regular review. This notice was last reviewed in August 2023.
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection legislation, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Personal Confidential Data (PCD) describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.
Examples of PCD are:
- Name
- Address
- Postcode
- Date of Birth
- NHS Number
Personal data means data which relates to a living individual who can be identified:
(a) from that data, or;
(b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data is different from Personal Data. Sensitive personal data means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject;
(b) their political opinions;
(c) their religious beliefs or other beliefs of a similar nature;
(d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
(e) their physical or mental health or condition;
(f) their sexual life;
(g) the commission or alleged commission of any offence, or;
(h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
BSW ICB is a Data Controller under the terms of the Data Protection legislation. We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is done in compliance with the 8 Data Protection Principles.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZB524371 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. We would not share information that identifies you unless we have a fair and lawful basis such as:
- You have given us permission;
- To protect children and vulnerable adults;
- When a formal court order has been served upon us;
and/or
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others (including Public Health arrangements);
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.
All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff has access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
The ICB uses information technology solutions to manage and process data. NHS Digital is the national information and technology partner to the health and social care system and has responsibility for standardising, collecting and publishing data and information from across the health and social care system in England. The ICB is utilising solutions and platforms advised by NHS Digital that facilitated changed working arrangements during the Covid-19 pandemic and since. These include video conferencing tools.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only use the minimum amount of information necessary about you. We will only retain information in accordance with the schedules set out in the Records Management Code of Practice 2021.
The normal destruction method used within the ICB for confidential / sensitive information is shredding. All confidential waste will be placed in the allocated confidential waste bins / sacks. Shredding of confidential information is carried out on and off site using an accredited mobile shredding company. A certificate is issued once the paper has been collected and/or once the shredding is completed.
Your information will not be sent outside of the UK where the laws do not protect your privacy to the same extent as the law in the UK. BSW ICB will never sell any information about you.
GDPR provides the following rights for the individual:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Visit the ICO site for more information on your rights:
https://ico.org.uk/your-data-matters/
You have the right to privacy and to expect the NHS to keep your information confidential and secure. You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
These are commitments set out in the NHS Constitution.
You have the right to withdraw consent to us sharing your personal information if you do not wish us to process or share your information.
If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.
You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact the Complaints and PALS Service:
Email: scwcsu.palscomplaints@nhs.net or, call 0300 561 0250 for advice.
What is the patient opt-out?
The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own direct care and treatment and to have your objections considered". For further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
Direct care is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of an individual.
Indirect care is defined as work within the health and social care environment which does not involve the direct treatment or support of individuals e.g. research, commissioning and much of the work done in public health.
There are several forms of opt-outs available at different levels. These include for example:
A. Information directly collected by the ICB:
Your choices can be exercised by raising any concerns or objections you have about the sharing of information that identifies you, unless there is no overriding legal obligation.
B. Information not directly collected by the ICB, but collected by organisations that provide NHS services:
Your right to opt out of data sharing and processing.
Type 1 Opt-Out
If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.
National data opt-out
The national data opt-out was introduced on 25 May 2018 and replaces the previous ‘type 2’ opt-out. NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. The new programme provides a facility for individuals to opt out from the use of their data for research or planning purposes. Anyone who had an existing type 2 opt-out will have had it automatically converted to a national data opt-out from 25 May 2018 and will receive a letter giving them more information and a leaflet explaining the new national data opt-out. The national data opt-out choice can be viewed or changed at any time by using the online service at www.nhs.uk/your-nhs-data-matters.
It is also important to note that by exercising your right to “Opt Out”, there could be consequences. These situations will be discussed with you by your GP or by NHS Digital depending on whether you choose Type 1 Opt-Out or National data opt-out.
Complaints or questions
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. For further information, please see our Complaints and PALS page on our website.
Subject access requests (Exercising the Right of Access)
Individuals can find out if we hold any personal information about them by making a request under the Rights of Access of the GDPR, more commonly called a ‘Subject Access Request’. If we do hold information about you we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Let you have a copy of the information in an intelligible format.
To make a request for any personal information we may hold or to request that we correct any mistakes in the information we hold, you need to contact us by letter or telephone at the contact details further below or email us on bswicb.sar@nhs.net.
Confidentiality advice and support
A Caldicott Guardian plays a key role in ensuring that NHS, Councils with Social Services responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information.
The ICB has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service users’ information and enabling appropriate and lawful information-sharing.
NHS and Social Care Caldicott Guardians are required to be registered on the publicly available National Register of Caldicott Guardians.
Our Caldicott Guardian:
- Gill May, Chief Nurse, NHS BaNES, Swindon and Wiltshire Integrated Care Board.
Email: Gill.may@nhs.net
The ICB has a Data Protection Officer (DPO) responsible for monitoring compliance with the GDPR and other Data Protection legislation, the organisation’s data protection policies, awareness-raising, training and audits. The DPO acts as a contact point for the ICO, our staff and the public. They co-operate with the ICO and will consult on any other matters relevant to Data Protection.
Our DPO
- Anett Loescher, Deputy Director of Corporate Affairs, NHS BaNES, Swindon and Wiltshire Integrated Care Board.
Email: anett.loescher@nhs.net
As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
- If you have made a complaint to us about healthcare that you have received and we need to investigate
- If you ask us to provide funding for Continuing Healthcare services
- If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care.
- If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user/patient participation.
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:
- Personal data: is defined in Data Protection Legislation as data or information about a living person, which also identifies that person or allows that person to be identified when combined with other information held by the organisation. Identifying information includes name, address, date of birth, postcode and NHS number.
- Special Category Data: is defined in Data Protection Legislation as information about an identifiable individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, sexual orientation or criminal offences.
- Confidential Information: includes information ‘given in confidence’ and is adapted to include ‘special category data’ as defined in the Data Protection Legislation.
Personal Confidential Data may also include information about your appointments and clinic visits; reports and notes about your health, treatment and care; relevant information about people who care for you, such as next-of-kin and other health professionals.
Pseudonymised Information
This is data that has undergone a technical process that replaces your identifiable information (such as NHS number, post code, date of birth) with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with data.
Anonymised Information
This is data rendered into a form which does not identify individuals and where there is little or no risk of identification.
Our uses of information
Although this is not an exhaustive detailed listing, the following section lists key examples of the purposes and rationale for why we collect and process information:
To process your personal information if it relates to a complaint where you have asked for our help or involvement.
Legal basis
The ICB has a duty as to the improvement in quality of services under section 14R NHS Act 2006 and will rely on your explicit consent as the basis to undertake such activity.
Complaint processing activities
When we receive a complaint from a person, this is looked into by the Patient Advice & Complaints Team at South Central & West Commissioning Support Unit (SCWCSU) on our behalf. They make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service being provided.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect this. However, it may not be possible to handle a complaint on an anonymous basis and we will inform you of this.
We will keep personal information contained in complaint files (electronic or paper) in line with the NHS retention policy. Information will also be kept on the Complaints database. Information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We may use upheld complaints, but always anonymously, as learning tools at our Quality and Outcomes Committee. The complaints will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we use the complaint in this way.
We may ask permission from a service user or carer to present their story at the Board meeting. The service user or carer can be present to tell their story themselves.
Retention Period
Information relating to complaints will be retained for 10 years after which time the information will be reviewed and if no longer necessary will be destroyed.
As the NHS worked to manage the pandemic, healthcare organisations, GPs, local authorities and arm's length bodies needed to share information to support efforts against coronavirus (COVID-19).
Information has been collected and shared by the ICB for purposes including protecting public health, providing healthcare services to the public and monitoring and managing the COVID-19 outbreak and incidents of exposure.
Retention Period
Information will usually be retained in line with the Records Management Code of Practice 2021, dependent on the type of information. However, the ICB is currently retaining all relevant information to support the NHS Public Enquiry.
Legal basis
During the pandemic, under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), we were permitted to process confidential patient information for purposes set out in Regulation 3(1) of COPI. This notice expired on 30 June 2022.
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.
This may be called an “Exceptional Funding Request” (EFR).
Retention Period
Information relating to funding requests will be retained for a maximum of 8 years (or eight years after their 18th birthday for children) after which time the information will be reviewed and if no longer necessary will be destroyed.
Legal basis
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and will ask for your informed consent for personal clinical information to be shared with the ICB.
Find out more about what we do and don’t fund
We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) or Funded Nursing Care and commission resulting care packages. The ICB may share relevant information with partner organisations under brokerage arrangements to facilitate this.
Retention Period
Information relating to Continuing Healthcare will be retained for 8 years after which time the information will be reviewed and if no longer necessary will be destroyed.
Continuing Healthcare currently use the Swyx telephony system but will be using the X-on telephony system provided by Storacall Technology Ltd later in 2023/24. Calls will be recorded and held by X-on for 36 months and then deleted.
Legal basis
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and will ask for your informed consent for personal clinical information to be shared with the ICB.
Find out more about Continuing Healthcare
Your General Practice has appointed the ICB as the Data Processor to process Clinical Concerns on its behalf and has a Data Processing Agreement in place which identifies General Practice as the Data Controller and the ICB as the Data Processor. The Data Processing Agreement details the boundaries of sharing information.
In order to facilitate the investigation of Clinical Concerns, your General Practice will provide the ICB with your NHS Number. The ICB will share this with the relevant healthcare providers involved in your care and treatment in order for them to investigate. The ICB will not use the NHS number given for any other purpose.
Retention Period
The ICB will hold your information for a period of 10 years following the closure of a clinical concern. Before records are destroyed we will review information held and take into account any serious incident retentions which may require us to hold the information for a further period of time. Each case will be reviewed on an individual basis.
Legal basis
The General Practice will rely on GDPR Articles 6(1)(e) and 9(2)(h) and the Health & Social Care Act (duty to share) as a legal basis to raise a Clinical Concern. The General Practice will provide you with comprehensive information by way of a Fair Processing Notice which clearly details the data sharing relationship with the ICB.
The ICB will rely on the NHS Act 2006 Section 13R and 14Q as a legal basis to support their enactment of the following commissioning duties:
- Information on safety of services provided by the health service
- Duty as to effectiveness and efficiency
- Duty as to the improvement in the quality of services.
The ICB and NHS England are working together to deliver the MNISA service.
For the purposes of data protection laws, the ICB and NHS England are “joint controllers” for the use (processing) of your personal information in this notice. This means that we have both worked together to decide why and how your personal data is processed. It also means we are jointly responsible to you under the law for that processing.
To confirm:
- The ICB is responsible for handling your personal information regarding any engagement you have with the MNISA service.
- NHS England has responsibility for providing the reporting system that the MNISA service (operated by the ICB) uses to handle your personal information. For example, securely storing any information you provide when engaging with the service. NHS England will also process your de-identified and anonymised data to ensure the service works, can improve and adapt to any changing requirements.
Whilst the ICB and NHS England are joint controllers for your information, the ICB have taken responsibility to be the point of contact for any data protection queries.
Contact us at bswicb.information.governance@nhs.net.
For further information about NHS England, including how to contact us, please see our privacy notice.
The type of personal information we collect
We collect and process the following information:
- Your contact information (name, telephone number, email address)
- Health related information
- Date and details relating to your experiences
- Racial or ethnic origin
How we get the personal information and why we have it
The personal information is provided directly by you, if you choose to engage with the MNISA service, for one of the following reasons:
- We use the personal data you provide us with in order to give you relevant support in relation to your experience. This includes:
- Engaging with the healthcare setting you are involved with to seek improvement, dialogue or understand issues
- Providing you with any signposting for other support relevant to your situation
- NHS England use your personal data to assess the viability of the service and ensure improvement in services; for both the MNISA and maternity services
- This includes using de-identified information to help understand themes and trends raised, scope and reach of the service, to be able to report progress of the pilot and to help understand the impact of the MNISA work.
You may ask us specifically to access on your behalf any healthcare setting records regarding your experience.
We may share your information with the healthcare setting you have told us about.
We will talk with you about what information we feel may be necessary to share in order to seek improvement or engage in discussions with them about your experiences.
We may share de-identified information with the ICB immediate line manager of your MNISA for the purposes of supervision.
How we store your personal information
Your personal information is stored securely on NHS England’s Case Record Management IT system. Your personal information will not be routinely accessed by anyone in the ICB or NHS England, apart from the MNISA themselves, unless a technical issue arises with the IT system and it is necessary for NHS England to assess the issue to maintain the security and functionality of the system and its data, or your advocate is absent and your case, with your agreement, is transferred.
Your MNISA may securely store a limited amount of information on the ICB IT system to manage their caseload and be supervised by their immediate Line Manager.
Retention Period
The ICB and NHS England will retain and dispose of your personal information in line with the Records Management Code of Practice 2021.
Legal basis
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases the ICB and NHS England rely on for processing your information under this service are:
- Article 6(1)(e) We need it to perform a public task.
- Article 9(2)(h) For the provision and management of our health or social care system
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Retention Period
The ICB will hold your information for a period of 8 years following the closure of a case. Before records are destroyed we will review information held and take into account any serious incident retentions which may require us to hold the information for a further period of time. Each case will be reviewed on an individual basis.
Legal basis
The ICB has a statutory responsibility under the Children Act 2004, Care Act 2014 and safeguarding provision within the Data Protection Act 2018 (Schedule 1, Part 2, Subsections 18 and 19) to ensure the safety of all children, and the safety of adults at risk of abuse and neglect.
The Learning Disabilities Mortality Review (LeDeR) Programme aims to review the death of any person who lived with learning disabilities, identifying any health and social care factors relating to the death where things could have been done differently, and seeking to ensure that where care and treatment have not been at the expected standard this is not repeated elsewhere. The programme is co-ordinated by the University of Bristol in partnership with NHS England. BaNES, Swindon and Wiltshire ICB participates in the programme by co-ordinating reviews at a local level.
The LeDeR programme office (University of Bristol) can be told about the death of a person with learning disabilities by anyone holding that information. This could be, for example, a health or care professional, a relative, a service manager or another person with learning disabilities. When the death is notified to the programme, via a secure web portal, personal information about the person who has died is collected. This information is then shared with the ICB in the locality where the patient had been registered with their GP. The ICB co-ordinates the review at the local level, and is therefore privy to all of the information about the case communicated from the LeDeR programme office. The information is communicated via a secure web platform.
The ICB appoints a trained reviewer who then seeks further information about the person who has died from health or care professionals who have been involved in supporting that person. The reviewer may ask them questions about the health and care of the person, their diagnosis and treatments, and the circumstances leading up to their death. The reviewer will also make contact, when possible, with those closest to the person, including their families and/or carer, so that they can contribute to the review, should they wish to do so. The personal identifiable information collected for LeDeR reviews is uploaded, stored and communicated via a secure web platform hosted by the University of Bristol and covered by rigorous processes that meet NHS information governance requirements.
The information that the LeDeR programme gathers about people with learning disabilities who have died includes:
- Personal details: (name, date of birth, date of death, gender, ethnicity, postcode, NHS number). These details help to identify the person who has died so that a local reviewer can trace their service contacts and conduct a review into their death.
- Information about the circumstances leading to the person’s death, that is held in health or social care records, in order to review the person’s care, assess best practice and identify where service improvements may be required.
- Information about the person’s relative or next of kin (name, contact details, relationship), in order to invite them to contribute their views to the review.
- Information about the person’s cause of death. The central LeDeR programme office will share the NHS number (or any other information that could identify the person, e.g. date of birth and date of death) with NHS Digital. NHS Digital link this to information about cause of death held by the Office for National Statistics and send back to the LeDeR programme office the coding for the causes of death for people with learning disabilities whose deaths have been reviewed.
Reports shared with local steering groups and other forums for the promotion of improvement and learning are shared in anonymised form with personal identifiers redacted.
Retention Period
Information relating to LeDeR reviews is retained by the University of Bristol for a period of 10 years from the completion of a review. The ICB will not retain personal identifiable information relating to reviews locally, but will keep anonymised review reports on file for 10 years.
Legal basis
The LeDeR Programme has obtained Section 251 approval from the Health Research Authority’s Confidentiality Advisory Group (CAG 251), on behalf of the Secretary of State, allowing it to handle identifiable data without consent in order to conduct a review of a death, and to link it to NHS Digital cause of death data. The reference number for this is: 16/CAG/0056. CAG 251 allows data to be stored for the purpose of the programme for 10 years.
NHS BSW ICB is receiving information from the Police in regard to missing children and young people in the BaNES area. The ICB will pass this information on to the relevant GP practice where the child or young person is registered so that the GP can update the patient record.
Retention Period
The information will be held until the child or young person reaches the age of 26 years.
Legal basis
This sharing is supported by Safeguarding - Working Together - Children's Act sections 17, 20 & 47.
NHS BSW ICB is supporting GP practices to provide an alternative route for patients to order their repeat prescriptions.
The POD is staffed by dedicated, experienced and fully trained prescribing clerks and clinical members of the Medicines Optimisation team at the NHS BSW ICB. They will be able to access all repeat prescription records and have immediate access to your GP practice should the need arise.
If your GP practice has joined the POD service, and if you choose to contact the POD service to arrange for a repeat prescription, you will be asked for your permission to access your medical record, which will be done via your GP’s record system (either “TPP SystmOne” or “EMIS web”). The POD team will log into the relevant GP practice system, access your patient record and ask you some questions to confirm your identity.
The POD member of staff will have access to part of your patient record needed to complete your request for a repeat prescription. Clinical members of the POD staff may be asked to join the call to advise on prescribing. These staff will also ask for explicit consent before accessing any other parts of your GP patient record.
No records are transferred to or held by the ICB as part of this service.
POD use the X-on telephony system provided by Storacall Technology Ltd. Calls will be recorded and held by X-on for 36 months and then deleted.
Legal basis
Under GDPR Article 6(1)(e) for personal data; and Article 9(2)(h) for Special Categories of Personal Data.
ICBs collaborate with Public Health services (the UK Health Security Agency, the Office for Health Improvement and Disparities and the Local Authority) and NHS England, and work closely with provider organisations involved in patient care, to jointly identify and agree the possible causes of, factors that contributed to, and learning related to the prevention and reduction of infections. We will process personal information (e.g. name, address, date of birth) and special category information (e.g. healthcare).
Information may be shared with Primary and Secondary healthcare providers and with the Local Authority who are responsible for Public Health within the ICB boundary. Information may also be shared with NHS England.
Pandemic Management
During a pandemic the ICB will undertake roles as described by the Public Health Services and NHS England to manage the pandemic situation.
Retention Period
Post infection reviews may be kept up to eight years. A Public Inquiry will require documentation to be retained for a longer period.
Legal basis
Under the Health & Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015) and Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002 the ICB has a statutory legal basis for collecting and processing information for the purposes of Infection Control and will rely on GDPR Articles 6(1)(e) and 9(2)(i) where processing is necessary for reasons of public interest.
The Referral Support Centre (RSC) is a local service available for all BaNES, Swindon and Wiltshire GP practices provided by NHS BSW ICB. The aim of the RSC is to support patients and practices through the referral process using the National Booking System, known as eReferrals or e-RS. Find out more about the NHS e-Referral Service and Privacy Statement here.
The RSC have a team of local clinicians who review the referrals sent to the ICB via e-RS. Based on their advice, the RSC will offer appropriate services to patients and, where possible, offer them a choice of appointment dates, times and locations. By offering alternatives to the traditional hospital based consultant appointments we are aiming to help more patients to be treated in the most appropriate setting based on their clinical condition.
The RSC is staffed by experienced call handlers aware of local booking / commissioning instructions to help ensure patients are seen in the right place first time. In order to do this efficiently they will have access to details such as your name, DOB, address, telephone number, NHS number and your patient referral information. Dependent on the referral for treatment, the RSC staff may ask you to provide additional health information to ensure that you are treated at the most appropriate facility.
The RSC are also able to provide patients with additional information, such as directions or local transport links, which is not available from the national telephone appointment line.
The RSC currently use the Swyx telephony system but will be using the X-on telephony system provided by Storacall Technology Ltd later in 2023/24. Calls will be recorded and held by X-on for 36 months and then deleted.
From time to time the RSC may send out surveys to ask for feedback on their service from patients. Personal data will be used to contact individuals and participation in the survey is on a voluntary basis. Returned surveys will be anonymous.
Legal basis
Under GDPR Article 6(1)(e) for personal data; and Article 9(2)(h) for Special Categories of Personal Data and Health & Social Care Act 2012 - Provision of healthcare to patients.
What is Population Health Management?
Population Health Management (or PHM for short) is aimed at improving the health of an entire population. It is being implemented across the NHS in a programme organised by NHS England.
PHM is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.
The PHM approach requires health care organisations to work together with communities and partner agencies, for example, GP practices, community service providers, hospitals and other health and social care providers.
These organisations will share and combine information with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements.
What is the Population Health Management programme?
This ICB is working with GP practices, local hospitals and other providers, local authorities, South Central & West (SCWCSU) Commissioning Support Unit and NHS England to generate PHM information.
How will my Personal Data be used?
The information used will include personal data about your health care from your GP and other health and care providers. This information will be combined by SCW and anything that can identify you (like your name or NHS Number) will be removed and replaced with a unique code (pseudonymised).
This means that the people working with the data will only see the code and cannot see which patient the information relates to. The information could then be used for a number of healthcare related activities including:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services.
Looking at the combined data might also show that an individual could benefit from some additional care or support. We cannot see which patient the information relates to so we will send the information back to your GP or hospital provider and they will use the code to identify you and offer you relevant services.
Who will my Personal Data be shared with?
Your GP and other care providers will send the information they hold on their systems to the South Central & West (SCW) Commissioning Support Unit. SCW are part of NHS England. More information can be found here.
SCW will link all the information together and remove information that identifies you. This is an automated process. The linked and pseudonymised information will be shared with the ICB, who engages with Microsoft as a data processor (supplier) to store its data in its data warehouse through the supplier's cloud based storage platform, MS Azure. Your GP, other care providers and BaNES, Swindon and Wiltshire ICB will then review this information and make decisions about the whole population.
As part of the review, we might identify that a group of individuals or a single individual could benefit from some additional care or support. The information will be sent back to the GP and they will use the unique code to identify you and offer you relevant services (direct care).
Both SCW and the ICB are legally obliged to protect your information and maintain confidentiality in the same way as your GP or hospital provider.
Is using my Personal Data in this way lawful?
Health and Social Care Providers are permitted by data protection law to use personal information where it is ‘necessary for medical purposes’. This includes caring for you directly as well as management of health services more generally.
Some of the work that happens at a national level with your personal information is enabled by other legislation. Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law and, in the majority of cases, anonymised data is used so that you cannot be identified.
For more information, you can email the ICB Data Protection Officer or your GP Practice Data Protection Officer who will be happy to help with any queries you may have.
Can I object to my Personal Data being used as part of the Personal Health Management programme?
You have a right to object to your personal information being used in this way. If you do choose to ‘opt out’ please contact the GP Practice Data Protection Officer in the first instance. If you are happy for your personal information to be used as part of this programme then you do not need to do anything further. Although you do have the right to change your mind at any time and object to the use of your data, once the data has been extracted for PHM and given a unique identifier, we will not be able to remove it from the information to be reviewed.
You also have a number of other rights relating to how your personal information is used as detailed at the beginning of this Fair Processing Notice.
If you still have concerns, you can also contact the Information Commissioner’s Office directly.
Risk stratification is a process for identifying and managing patients who are at high risk of a number of factors such as ‘risk of emergency hospital admission’.
Benefits
ICBs and GPs, encouraged by NHS England, use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions. Typically this is because patients have a long-term condition such as Chronic Obstructive Pulmonary Disease.
Knowledge of the risk profile of our population will help the ICB to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
This link provides a short video describing how we use Eclipse: https://library.prescribingservices.org/dpia/Vista.mp4
Legal basis
NHS England has gained approval from the Secretary of State, through the Confidentiality Advisory Group (CAG), for its application for the disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs which provides a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes. The ICB is currently applying for CAG reapproval for risk stratification. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
Data processing activities for risk stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance, admission and primary care data collected in GP practice systems.
The ICB will use pseudonymised versions of this information to understand the local population needs, whereas GPs will be able to identify (by NHS number) which of their patients are at risk in order to offer a preventative service to them.
The ICB has contracted Prescribing Services Ltd to provide a risk stratification tool, known as Eclipse, that will provide pseudonymised data to the ICB and identifiable data to GPs.
This processing takes place under contract following the below steps:
- provides data identifiable by your NHS Number about your acute hospital attendances for risk stratification purposes and has signed a Data Sharing Contract for the Secondary Use Services data.
- The ICB works with Prescribing Services Ltd to extract primary care data identifiable by your NHS Number for those patients that have not objected to Risk Stratification or where no Type 1 objection has been made by an individual.
- Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and no identifiable data of any patient is seen by the ICB.
Prescribing Services Ltd has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient and send red and amber alerts to the GPs where patients are potentially at high risk.
The alerts are only made available to authorised clinicians (or an administrator acting on their behalf) with a care relationship with the patient via secure access to the Eclipse system.
This portal allows only the GPs to view the alerts for the individual patients registered in their practice in identifiable form. The outputs can be made available across grouped practices if Practices are working as a Primary Care Network (PCN), locality, federation or super practice and this access is agreed by the Caldicott Guardian for each Practice.
If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose. Alternatively you can register with the NHS National Data Opt-out. It should be noted that opting out may affect the care that we are able to offer you.
Legal basis
The use of identifiable data by ICBs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group (CAG) of the Health Research Authority. This approval has been extended to September 2023 and gives us a statutory legal basis under Section 251 of the NHS Act 2006, which sets aside the duty of confidentiality, to process data for risk stratification purposes.
In response to the Health and Care Act 2022, the ICB will now be considered the Data Controller for Risk Stratification and is applying to CAG for approval to continue this processing.
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
The Invoice Validation process ensures that care providers who provide you with care and treatment can be paid for the services they provide.
Care providers submit their invoices to NHS Shared Business Services (NHS SBS) who process invoices on behalf of NHS BSW ICB. NHS SBS do not require and should not receive any patient confidential data to provide their services.
There are situations where patient identifiable data is required to ensure that the correct service provider is paid.
In such cases service providers are required to send patient identifiable data to a Controlled Environment for Finance (CEfF) which is a secure restricted area within the ICB who process this data on our behalf and indicate which invoices we can validate (authorise) for payment. NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.
Find out more about invoice validation on NHS England's website.
Legal basis
The legal basis to receive personal identifiable data for the purposes of invoice validation is provided by Section 251 of the NHS Act 2006 and will rely on GDPR Articles 6(1)(e) and 9(2)(h).
We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS.
Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists. Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care.
These organisations may share identifiable, pseudonymised, anonymised, aggregated, personal confidential and sensitive personal data information with us for the following purposes:
- To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases
- To undertake clinical audit of the quality of services provided
- To carry out risk profiling to identify patients who would benefit from proactive intervention
- To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
- To report and investigate complaints, claims and untoward incidents
- To prepare statistics on our performance for the Department of Health
- To review our care to make sure that it is of the highest standard.
Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.
Legal basis
The Health & Social Care Act 2012 allows us to collect your information and it is only accessed by authorised persons and not disclosed unless necessary. We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.
To provide the most appropriate care for our patients, BSW ICB works alongside Bath and North East Somerset Council, Swindon Borough Council and Wiltshire Council to provide integrated care. The ICB manages Better Care Funds (BCF) jointly with the Local Authorities. The BCF is governed by a Section 75 agreement between the ICB and each council and overseen by Health and Wellbeing Boards. Some staff members are shared between the ICB and the local authority and may be party to identifiable, pseudonymised, anonymised, aggregated, personal confidential and sensitive personal data information for the following purposes:
- To commission appropriate care
- To undertake clinical audit of the quality of services provided
- To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
- To report and investigate complaints, claims and untoward incidents
- To prepare statistics on our performance for the Department of Health
- To review our care to make sure that it is of the highest standard.
Through sharing information ethically and lawfully the NHS is able to improve its understanding of health needs and improve the quality of the treatment and care provided.
Legal basis
The Health & Social Care Act 2012 allows us to collect your information and it is only accessed by authorised persons and not disclosed unless necessary. We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.
If you have asked us to keep you regularly informed and up to date about the work of the ICB or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.
The ICB currently uses Zoom for some virtual meetings and, where you have opted to join these meetings, your name and email address will be uploaded to the Zoom system.
On occasion the ICB will contract with South Central and West Commissioning Support Unit (SCW) to assist with communications and engagement activities. On these occasions contact lists held by the ICB may be shared with SCW and your information may be stored on their secure systems. SCW will never use your information for marketing or for any purpose other than that instructed by the ICB.
Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
Retention Period
Where you have provided us with your contact details for us to keep in touch, when we contact you periodically we will check you are still happy for us to hold these details.
Legal basis
We will rely on your explicit consent for this purpose.
To collect NHS data about service users for whom we are responsible.
Legal basis
Our legal basis for collecting and processing information for this purpose is statutory under the Health and Social Care Act.
Processing activities
Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.
This information is generally known as commissioning datasets. The ICB obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the ICB.
These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.
The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The ICB is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.
Read more information about how this data is collected on the NHS Digital website. We also receive similar information from GP Practices within our ICB membership that does not identify you. We use these datasets for a number of purposes such as:
- Performance managing contracts
- Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care
- To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement
- To help us plan future services to ensure they continue to meet our local population needs
- To reconcile claims for payments for services received in your GP Practice
- To audit NHS accounts.
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information being included.
Regulations allow responders to an emergency situation to share information with one another in connection with the performance of their functions under the Civil Contingencies Act. In addition, the Bath and North East Somerset (BaNES), Swindon and Wiltshire Together, Local Health Resilience Partnership has sharing arrangements in place to share the personal information of vulnerable people amongst partners during an ‘emergency,’ to enable vulnerable people to be identified and their needs effectively supported.
Legal basis
The Civil Contingencies Act 2004 and the Civil Contingencies Act (Contingency Planning) Regulations 2005 create an information-sharing regime for Category 1 and 2 Responders. Regulation 44A of the Regulations allows responders to share information with one another in connection with the performance of their functions under the Act.
BSW ICB hosts the BSW Training Hub. The Training Hub manages training and career opportunities for primary care colleagues. The site is relevant to all members of the primary care team or those looking to develop a career within primary care.
Read more information about the Training Hub here and access the Privacy Notice here.
The below tables outline the organisations we use, services they provide and legal basis for processing your information:
NHS South Central and West Commissioning Support Unit
Purpose | Type of Data | Legal Basis |
Freedom of Information Requests | Personal | Consent |
Subject Access Requests | Personal and sensitive | Consent |
Risk Stratification | Personal and sensitive | S251 NHS Act 2006 |
Communications and Engagement | Personal | Consent |
Innovation in Health Inequalities Dashboard | Personal and sensitive | NHS Act 2006 as part of NHSE |
Assurance:
NHS South Central and West Commissioning Support Unit – DSCRO
Purpose | Type of Data | Legal Basis |
Invoice validation | Personal | S251 NHS Act 2006 |
Risk Stratification | Personal and sensitive | S251 NHS Act 2006 |
Secondary Use Service (SUS) | Personal, sensitive and pseudonymised | S251 NHS Act 2006; Health and Social Care Act 2012 |
Local Flows from Acute, Ambulance, Demand for Service, Diagnostic Services, Emergency Care, Experience, Quality & Outcomes, Mental Health, Population, Primary Care, Public Health Screening | Personal, sensitive and pseudonymised | Health and Social Care Act 2012 |
Mental Health Services | Sensitive and pseudonymised | Health and Social Care Act 2012 |
Improving Access to Psychological Therapy | Sensitive and pseudonymised | Health and Social Care Act 2012 |
Maternity | Sensitive and pseudonymised | Health and Social Care Act 2012 |
Mental Health Learning Disability | Sensitive and pseudonymised | Health and Social Care Act 2012 |
Diagnostic Imaging | Sensitive and pseudonymised | Health and Social Care Act 2012 |
Child and Young People Health Service | Sensitive and pseudonymised | Health and Social Care Act 2012 |
Additional assurance:
Data Linkage
Data may be de-identified and linked by organisations so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation.
This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc., as well as mental health and community-based services such as Improving Access to Psychological Therapies, district nursing, podiatry etc.
When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the ICB does not have any access to patient identifiable data.
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
To support research oriented proposals and activities in our commissioning system.
Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole. Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Legal basis
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.
Processing activities
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.
If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.
Further information
Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in NHS Digital: How we look after your health and care information.
The Information Commissioner’s Office offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
Data Protection Impact Assessments (DPIA)
We undertake DPIAs for any processing of personal data that is likely to result in a high risk to individuals. We also undertake DPIAs for any other major project which requires the processing of personal data.
The following Information Governance Policies are used by ICB colleagues:
- Information Governance Framework
- Acceptable Use of IT Policy
- Confidentiality and Safehaven Policy
- Data Quality Policy
- Individual Rights Policy
- Information Security Policy
- Management of Vexatious Applicants Policy
- Records Management Policy
- Risk Stratification Policy
Contact us
Information Governance, NHS BaNES, Swindon and Wiltshire Integrated Care Board (BSW ICB)
Email: bswicb.information.governance@nhs.net
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office on 0303 123 1113 or online at https://ico.org.uk/make-a-complaint/
NHS Bath and North East Somerset, Swindon and Wiltshire ICB
Registered Headquarters:
Jenner House Avon Way
Langley Park
Chippenham
Wiltshire
SN15 1GG
Engaging with local people, representative groups and stakeholders helps us to understand the needs of those living across BSW and ensure that health and care services are best designed to meet these needs. There are a number of ways you can get involved - find out more here.
Facts, figures and intelligence about our local area, communities and population can be found in the Joint Strategic Needs Assessments (JSNA).
There are three JSNAs for our area and we use the data from them, along with local knowledge and feedback from the community, to understand how health and care services should look.
The JSNAs have been developed by Bath and North East Somerset, Swindon and Wiltshire Councils and can be found here:
We carry out equality impact assessments as part of every project so that we can assess how a proposed policy, service or decision could affect local people. This helps us ensure that we don’t discriminate against people based on their protected characteristics.
By carrying out equality impact assessments on all relevant developments, we are able to identify potential problems before they arise, helping us to ensure equality for all.
The Equality Act 2010 introduced the Public Sector Equality Duty.
As a public sector organisation, our general duties include eliminating unlawful discrimination, harassment and victimisation; advancing equality of opportunity between different groups of people; and removing or minimising disadvantages suffered by people due to their protected characteristics.
In the context of the Public Sector Equality Duty, protected characteristics are:
- Age
- Disability
- Gender reassignment
- Marriage and civil partnership
- Pregnancy and maternity
- Race (this includes ethnic or national origins, colour or nationality)
- Religion or belief (including lack of belief)
- Sex (male or female)
- Sexual orientation
Our specific duties require us to set equality objectives once every four years and to annually publish relevant, proportionate information, demonstrating our compliance with the Equality Duty.
As an NHS body, we are required to meet the Accessible Information Standard in full.
The information on our website can all be made available in a range of languages, Easy Read, Braille or audio tape. To request an alternative format, please email BSWICB.communications@nhs.net