How we use your information

The purpose of this notice is to tell you what information we – NHS Leeds Clinical Commissioning Group – collect and hold about you, what we do with it, how we will look after it and who we may share it with. We also explain your rights in respect of your information and the choices you can make about the way your information is used and how you can opt out of any sharing arrangements that may be in place.

The notice covers information we collect directly from you, or collect indirectly from other people or organisations for CCG registered population; how that information is used, the legal basis for using the information, who we may share that information with, and how we keep it secure and confidential.

This notice applies to all information held by the CCG relating to individuals, whether you are a patient, service user or a member of staff. This notice was last reviewed August 2021.

This information is not exhaustive. We are happy to provide any additional information or explanation needed.

Please click on the highlighted text within the notice for links to further information. Click the link for a Glossary of definitions used throughout this notice.

The NHS Leeds Clinical Commissioning Group (CCG) was established on 1 April 2018 following the merger of Leeds North, Leeds West and Leeds South and East CCGs.  The work of the CCG is overseen by NHS England.

The CCG is responsible for planning and designing local health services in Leeds, arranging unplanned care services for our registered patients and for commissioning services for any unregistered patients who live in Leeds. All General Practices in Leeds belong to our Clinical Commissioning Group.

We do this by ‘commissioning’ or buying health and care services including:

• Planned hospital care
• Unplanned care (urgent care)
• Rehabilitation  care
• Community Health Services
• Mental Health and learning disability services

We manage the performance of services that we commission to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about these services.

The CCG has a legal duty to ensure that it makes arrangements for the provision of high quality, safe, effective and efficient healthcare for people who are registered with one of its member practices where this is not purchased centrally by NHS England. The CCG also has a duty to ensure that patients have equal access to services and are able to achieve the same outcomes, regardless of differences in their personal situation. The CCG has a duty to involve patients, their relatives and carers in any decisions about the prevention and diagnosis of illness and their care and treatment and, wherever possible, enable patients to make choices about the healthcare provided to them.

Data Controller: NHS Leeds Clinical Commissioning Group

Address: Suites 2 – 4, Wira House

Wira Business Park

Leeds

LS16 6EB

Telephone: 0113 221 7777

Data Protection Officer (DPO)

The DPO acts independently and is responsible for informing and advising the CCG and our staff of their obligations under data protection related legislation. The DPO is also responsible for the provision of advice and monitoring the CCG’s compliance with all European and UK data protection law and the CCG’s data protection related policies.

Contact details: 

Data Protection Officer

NHS Leeds Clinical Commissioning Group

Suites 2-4 Wira House

Wira Business Park

Leeds

LS16 6EB

Email:  Leedsccg.dpo@nhs.net

Information Governance team

The Information Governance team is responsible for supporting the Data Protection Officer in ensuring that your personal information is collected, used and shared appropriately, securely and in line with the law.

Contact details: Information Governance Team

Suites 2 – 4, Wira House

Wira Business Park

Leeds

LS16 6EB

Email: Leedsccg.dpo@nhs.net

We need to use information about you in various forms and will only use the minimum amount of information necessary for that purpose. Where possible we will use information that does not identify you.

The CCG uses and processes several different types of information:

• Personal confidential data /identifiable – information which contains personal details that identifies you such as name, address, email address, NHS Number, full postcode, date of birth.
• Anonymised data – all data or information which could identify who you are will have been removed.
• Pseudonymised data /information – data which is about you, but does not tell us who you are because any identifiers will have been replaced with something which would not identify you e.g. a coded reference.
• Aggregated data / information – data or information is grouped together to show general trends or values without identifying individuals.

Use of Anonymised Data

We use anonymised data to plan health care services including:

• Checking the quality and efficiency of the health services we commission;
• Preparing performance reports on the services we commission;
• Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
• Reviewing the care being provided to make sure it is of the highest standard.

Use of Pseudonymised (De-identified) Information

We use de-identified information in our role as commissioner to:

• plan, design, purchase and pay for the best possible care available for you;
• look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts;
• prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement;
• help us plan future services to ensure they continue to meet our local population needs
• identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the CCG in order to help us plan the most appropriate health services for our population, this is called Risk Stratification

Use of Personal confidential data /identifiable (Identifiable) Information

As a CCG we do not routinely hold medical records or confidential patient data, however there are some limited exceptions.

There are some categories of personal data for which special safeguards are required by law, known as special category or sensitive data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.

Below is a list of where we collect and use personal information. Please understand reference to the GDPR to mean UK GDPR.

Please select the relevant link for information on the purpose, the type of information used, the legal basis identified for the collection and use of the information, how we collect and use the information required.

• Complaints
• Individual Funding Requests (IFR)
• Continuing Healthcare
• Personal Health Budgets (PHBs)
• Communications and Engagement
• Infection Prevention and Control
• Serious Incident reports
• Freedom of Information requests
• Subject Access Request
• National Fraud Initiative
• Recruitment
• Staff Record
• Invoice Validation
• Responding to Member of Parliament
• Responding to Patients and Carers
• Safeguarding
• Commissioning
• Declaration of Interest, Gifts and Hospitality Publication
• Risk Stratification
• Auditing and monitoring of the system
• Community support register
• Patient use of Pulse Oximeter for self-management

The Health and Social Care Act (2012) requires health and social care organisations to work collaboratively to ensure you receive the best possible service from different organisations. To achieve this we need to ensure that relevant information is shared securely and in a timely manner between different health and social care organisations that provide you with care.

Information Sharing Agreements and contracts will be in place ensuring these arrangements meet the requirements of:

• The Health and Social Care Act 2012;
• UK General Data Protection Regulations and the Data Protection Act 2018;
• The Common Law Duty of Confidence and;
• The Human Rights Act 1998

To ensure your confidentiality, data protection and human rights are not breached, whenever we make a new arrangement to share information externally, we will undertake a Data Protection Impact Assessment Screening to identify any data processing which could result in a high risk to your privacy, to the protection of your data, or your confidentiality. If we find that any of the planned processing is likely to be high risk, we will conduct a full Data Protection Impact Assessment, to ensure that the risks are reduced. We also make sure that a legal basis has been identified for sharing the information before we share it.

The CCG is actively working with health and social care partners to ensure that where you receive a referral, for example for community services, all the relevant information that organisation requires in order to offer you the right service is available. We are also working with the hospitals that provide services to our population to ensure that if you find yourself in an emergency situation, relevant and potentially lifesaving information from your GP record will be available, showing any latest tests and any allergies you may suffer from, which the hospital clinicians will need to know.

The staff privacy notice is available on the extranet.

For your benefit, we may also need to share information we hold about you with other non-NHS organisations that are providing care to you, such as external organisations providing healthcare services to the NHS. We may also share your information, subject to strict agreements with social services, education services, local authorities and voluntary sector providers. 

There are certain circumstances where we are legally required to share your information, this includes information requested under a court order, information requested for safeguarding purposes, information requested for the prevention or detection of crime and for the notification of infectious diseases.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always ask for your agreement prior to any information being shared. If you choose not to agree to this when asked, we will record your decision to ensure that we do not share your information with that organisation.

If information is shared, we will only share the minimum amount of information necessary for them to provide the service or comply with their legal duty. We also ensure that an agreement is put in place which tells them what they can and can’t do with your information and how they must protect it.

We will also, in the course of our business, work with third party suppliers who process information on our behalf. The CCG will work with partner organisations to ensure that appropriate Data Processing Agreements and contracts are in place, setting out the security standards and legal obligations required to protect your information.  Only the minimum necessary information for the purpose will be shared, and only where Pseudonymised/Anonymised data cannot be used.

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK General Data Protection Regulation, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.

In the circumstances where we are required to use personal identifiable information we will only do this if:

• The information is necessary for your direct healthcare, or
• We have received explicit consent from you to use your information for a specific purpose, or
• There is an overriding public interest in using the information:
• In order to safeguard an individual,
• To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
• There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation), or
• We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary for our work

Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this.

Our staff, contractors and committee members receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

The CCG maintains a set of regularly updated policies and procedures covering all aspects of information governance. These can be found here:

https://www.leedsccg.nhs.uk/about/policies/organisational-policies/

Under the UK General Data Protection Regulation all individuals have certain rights in relation to the information which the CCG holds about them. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.

Examples of where rights may not apply – where our lawful basis is:

• Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – then rights of erasure, portability do not apply.
• Legal Obligation – then rights of erasure, portability, objection, automated decision making and profiling do not apply.

If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.

These rights are:

• The right to be informed about the processing of your data
• The right of access to the data held about you
• The right to have that information amended in the event that it is not accurate
• The right to have the information deleted
• The right to restrict processing
• The right to have your data transferred to another organisation (data portability)
• The right to object to processing
• Rights in relation to automated decision making and profiling

Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

There is a new national opt-out that allows people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/

If you want to obtain a copy of any records we hold about you, you can make a written or oral request, providing enough information to help us find the records you are asking for. Please tell us which parts of your record you would like access to when you request your records, for example, records relating to a specific period of time. To make sure that we don’t give your information to someone else, we will also need you to provide us with proof of your identity which needs to be either:

• Two forms of photo ID (for example a current passport and photo driving licence) and one official document confirming your current address (for example a utility bill – not a mobile phone bill), letter from HMRC or DWP, which must be dated within the last six months), (or council tax bill, or mortgage statement, which must be dated within the last 12 months), or;
• One form of photo ID (see examples above) and two official documents confirming your current address (see examples above).

Please send requests to the Information Governance team using the postal address, or email Leedsccg.DPO@nhs.net

How much does it cost?

There will be no charge for access to your records, unless the request is repeated or manifestly unfounded, in which case we can charge a reasonable fee to cover the costs of providing the information requested, or alternatively to refuse the request. For further information about your rights under the UK General Data Protection Regulation see “Your rights”.

All records are retained in line with the Leeds CCG Retention and Disposal Schedule and the Records Management Code of Practice 2021 – see link: Code of Practice.

The process for Retention and Disposal is managed thorough the Asset Register, retention periods can be confirmed on request.

If you have any questions or complaints regarding the information we hold about you or the use of your information, please contact:

Leedsccg.dpo@nhs.net

Our Data Protection Officer (DPO) will assist us to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects (members of the public and employees) where there are concerns or queries regarding Data Protection.  The DPO will also act as a contact point for communication with the Information Commissioner’s Office.

For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about our handling of your information you can contact:

The Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Phone: 0303 1231113 or 01625 545745

Website: https://ico.org.uk/