When CCG mergers took place in April 2020 we were at the start of the pandemic and standard methods of communicating with patients and the public were halted; this included any type of communication about organisational change which would have included, amongst many other things, assurance regarding the transfer of patient data. In those exceptional circumstances guidance was given to include an additional ‘strap line / notice’ on the CCG websites to provide added assurance to patients regarding the management of their data. This was in addition to having privacy notices.
We are now largely back to normal and I can confirm that normal practice is now resumed and what this means is that all organisations will need to have privacy notices on their website. This is the recognised method of communicating how patient data is held securely etc. As responsible data controllers, ICBs will be required to undertake a review of their processing activities and provide their own privacy notices in order to ensure transparency and transfer of data controller responsibilities.
The above requirement is included in the due diligence checklist - see tab 5 ‘information governance & data security protection tool’ and the following prompts:
- 5.33 Privacy notices updated or drafted for any new processing
- 5.37 Privacy notices published
These actions apply to the CCG, during transition and also apply to the ICB. As the due diligence checklist is largely used by CCGs, the prompts on tab 5 have also been widely communicated to the information governance teams in regions and systems to ensure that requirements are clear. They are also contained in the DSP toolkit.
In summary, this matter is covered by:
- the requirement for the CCG site to be closed and signposted to the new ICB site; and
- the requirement for the ICB to have a privacy notice on its site from the moment the site goes live