This privacy notice tells you about information we obtain, hold and use about you. It describes what we do with it, how we will look after it and who we share it with. It covers information we collect directly from you as well as information we may get from other organisations.
This notice does not provide exhaustive detail. However, we keep and maintain accurate and detailed records about how your information is used.
We can provide further detail and explanation should it be requested and without charge. Contact details for us can be found at the end of this page.
We keep our privacy notice under regular review. It was last updated in June 2022.
Our commitment to Data Protection and Confidentiality
We are committed to protecting your privacy and will only ‘process’ data (processing refers to how data is Held, Obtained, Recorded, Used and Shared), in accordance with Data Protection Legislation and NHS guidance.
This includes ensuring NEL complies with the UK General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018, and any applicable national Laws as required.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including:
- the Human Rights Act 1998,
- the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,
- the Common Law Duty of Confidentiality, and the
- Privacy and Electronic Communications (EC Directive) Regulations
As a Data Controller, NEL has a duty to:
- keep sufficient information to provide services and fulfil our legal responsibilities
- keep your records secure and accurate
- only keep your information as long as is required
- collect, store and use the information you provide in a manner that is compatible with the UK General Data Protection Regulation and the Data Protection Act.
- Notify the Information Commissioner’s Office of all personal information processing activities. Our registration details can be found on the public register of Data Controllers .
All information that we hold about individuals will be held securely and confidentially. We use administrative and technical controls to do this.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality.
We will only use the minimum and proportionate amount of personal information necessary. Where possible we will use information that does not directly identify individuals, but when it becomes necessary for us to know or use personal information a person, we will only do this when we have either a legal basis or have that person’s consent. We use strict controls to ensure that only authorised staff are able to access personal data. Only a limited number of authorised staff have access to information that identifies individuals, where it is appropriate to their role, and is strictly on a need-to-know basis.
NEL has a Data Protection Officer who plays key role in ensuring our accountability for Data Protection.
The Caldicott Guardian is the person responsible for protecting the confidentiality of patient information and enabling appropriate and lawful information sharing.
Why we process your information
For some of our services, we need to collect personal data so we can get in touch or provide the service. The ICB can use your personal data under many different laws. The main ones that apply are the NHS Act 2006, the Health and Social Care Act 2012, the Care Act 2014, the Data Protection Act 2018 and the General Data Protection Regulations.
In some cases, there is a statutory requirement to process your data and we can do so without your consent. For some services where individuals choose to engage with e.g., where someone wishes us to include them on our mailing list, NEL process this data by requesting your explicit consent.
Where NEL commissions a contract for the provision of a clinical service, the organisation which delivers that service are the Data Controller. These providers are subject to NHS contract and have to keep your details safe and secure and use them only to provide the service.
NEL has undertaken an assurance exercise, validated via the completion of the Data Security and Protection toolkit, which has assured the legal basis of processing for each of the ICB’s activities. NEL processes person identifiable data for the following purposes:
- Financial Transactions including processing applications for funding treatments
- Invoice validation
- Dealing with complaints
- Processing Safeguarding referrals
- Continuing Healthcare
- Risk Stratification
- Patient & public involvement
- National registries
- To ensure we meet our legal and statutory obligations
- Clinical audit
- GP data including performance and monitoring information
- Investigating and managing serious incidents
As an employer, NEL will process employee data for the following purposes:
- To ensure that the information we hold about you is kept up to date.
- To deal with any employee / employer related disputes that may arise.
- Employment and payroll purposes.
- For assessment and analysis purposes to help improve the operation and performance of NEL
- To enable the monitoring of protected characteristics in accordance with the Equality Act 2010 and ensure that we continue to meet equality standards.
- To prevent, detect and prosecute against fraud.
- To respond to requests made by a “relevant authority” under Section 29 of the Data Protection Act 2018, such as the police, government departments and local authorities with the regulatory powers to request access to personal data without the consent of the data subject for the purposes of the prevention or detection of crime.
- In accordance with the consent provided by you as part of your terms and conditions of employment; and
- To comply with our legal obligations as an employer, i.e., HMRC and pensions.
The types of information we use
For the majority of our work, we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the ICB as follows.
Identifiable – information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.
Pseudonymised – individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
Anonymised – data which is about you but from which you cannot be personally identified.
Details of information used for specific purposes
Use of anonymised and aggregated data
We use anonymised and aggregated data to plan health care services, including:
- Checking the quality and efficiency of the health services we commission.
- Preparing performance reports on the services we commission.
- Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients.
- Reviewing the care being provided to make sure it is of the highest standard.
Use of pseudonymised (de-identified) Information
We use pseudonymised information in our role, including:
- Commissioning – to plan, design, purchase and pay for the best possible care available for you; look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts; to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; to help us plan future services to ensure they continue to meet our local population needs.
- Risk Stratification – to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the ICB in order to help us plan the most appropriate health services for our population.
Use of personal information
As an ICB, we do not routinely hold or have any access to medical records. The provider of your healthcare for example an Acute Trust, or GP would hold this information. However, we may need to hold some information about you, for example:
- If you have made a complaint to us about healthcare that you have received, and we need to investigate
- If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process
- If you ask us to provide funding for Continuing Healthcare or Personal Health Budget services
- If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
- If you ask us to keep you regularly informed and up to date about the work of NEL, or if you are actively involved in our engagement and consultation activities or service user participation groups
- In circumstances where our safeguarding staff are involved in the most serious cases.
- Where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.
- Where information processing falls within NEL’s infection control oversight functions.
- Staff personal confidential information for employment purposes
Our records may include relevant information that you have told us, information provided on your behalf, by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system.
Sharing your information with other organisations or individuals (third parties)
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit, and public health.
We would not share information that identifies you unless:
- You have given us permission
- This is anonymised and therefore non-personal data
- We are lawfully required to report information to the appropriate authorities e.g., to prevent fraud or a serious crime
- It is necessary to protect children and vulnerable adults from harm.
- A formal court order has been served upon us.
- For the health and safety of others, for example to report an infectious disease like meningitis or measles.
The legal basis for processing personal data
NEL is a public body established by the NHS Act 2006 as amended by the Health and Care Act 2022. As such our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the GDPR.
NEL processes personal data under a variety of legal bases depending on the data being processed and the purposes it is processed. Below are examples of the most commonly used legal bases.
- The legal basis for the majority of our processing:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is:
Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Where we process special categories data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:
Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
- Where we process special category data for employment or safeguarding purposes the condition is:
Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
- We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or.
Where we process special category data for these purposes, the legal basis for doing so is:
Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
Section 251 of the NHS Act 2006
The Secretary of State for Health gives limited permission for ICBs (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.
This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.
This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
More information about Section 251 is available from the Health Research Authority web site.
Notice under Regulation 3(4) of the Health Service Control of Patient Information (COPI) Regulations 2022
Under this regulation the Secretary of State for Health and Social Care has the power to issue healthcare organisations, GPs, local authorities and arms-length bodies with a notice requiring them to share confidential patient information with organisations entitled to process this under the COPI Regulations. Notices are issued for a specific purpose, the most recent being to support efforts against Covid 19.
The Covid 19 notice expired on the 30 June 2022.
NHS England is responsible for and is the data controllers for the COVID-19/Flu Vaccination programme. For the privacy notice relating to this programme please visit the NHS England privacy notice website.
Under the General Data Protection Regulation all individuals have certain rights in relation to the information the ICB holds about them. Not all rights apply equally to all our processing and are dependent on the lawful basis for processing. Further information can be found on the ICO site ‘Lawful Basis for Processing’ section.
If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.
These rights are:
- The right to be informed about the processing of your data
- The right of access to the data held about you (Subject access request)
- The right to have that information amended in the event that it is not accurate
- The right to have the information deleted
- The right to restrict processing
- The right to have your data transferred to another organisation (data portability)
- The right to object to processing
- Rights in relation to automated decision making and profiling
Currently NEL does not use automated decision-making (making a decision solely by automated means without any human involvement).
These are commitments relating to your rights set out in the NHS Constitution, for further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
Data subject access requests and how to exercise other rights
Individuals can access personal information about them by making a ‘data subject access request’ under the UK General Data Protection Regulation. Click here to find out more information about how to make a request for any personal information we may hold and/or to exercise any of your other rights under Data Protection legislation
To make a request for any personal information we may hold and/or to exercise any of your other rights under Data Protection legislation please contact the Information Governance Team using details in the Subject Access Request Privacy Notice.
Confidential information can be used for improving health, care and services including:
- planning to improve health and care services
- research, for example to find a cure for serious illnesses.
If you do not wish to share or process your information for purposes beyond your direct care, or have any concerns then please let us know:
Type 1 opt-out
If you do not want personal confidential data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. Patients are only able to register the opt-out at their GP practice.
National Data Opt-Out: information held by NHS Digital
Previously you could tell your GP surgery if you did not want NHS Digital, to share confidential patient information that it collects from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-out. Any type 2 opt-outs recorded by your GP practice up to 11th October 2018 have been automatically converted to a National Data Opt-out.
Objections will be respected, except in very limited circumstances such as:
- You have given explicit permission for a particular use of data (e.g., a research project)
- Data is anonymised and therefore non personal data
- We are lawfully required to report certain information to the appropriate authorities e.g., to prevent fraud or a serious crime
- It is necessary to protect children and vulnerable adults from harm
- A formal court order has been served upon us
- For the health and safety of others, for example to report an infectious disease like meningitis or measles.
You have the right to refuse/ withdraw consent to information sharing at any time and your decision will not affect your individual care.
Further information on the National Data Opt-Out and how to set a National Data Opt-Out can be found here at: https://www.nhs.uk/your-nhs-data-matters/
The ICB has put procedures in place to review uses and disclosures of confidential patient information against the national data opt-out guidance. The ICB is currently compliant with the national data opt-out policy.
How long we hold information for and our destruction arrangements
All records held by the ICB will be kept for the duration specified by national guidance from NHS Digital found in the Records Management Code of Practice 2021
In all circumstances data will be retained in accordance with data protection requirements and ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.
Once data is no longer required it will be destroyed securely:
- Paper records will be destroyed in line with international standards. Where external confidential waste suppliers are used these will be under contract and assurance that destruction meets the necessary legal requirements and standards.
- For digital media permanent destruction will be achieved by over writing the media a sufficient number of times or physical destruction of media by breaking it up into small pieces.
Our data processors
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. The ICB remains the data controller (the organisation responsible for determining the purposes for which and the manner in which personal data is used under Data Protection Legislation) of such information at all times. We use data processors to provide services such as HR and Information Technology.
Concerns about how we are using your information
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
For more information about Data Protection, or if you are unsatisfied with the way your personal information has been handled, you can contact the national regulator, the Information Commissioner’s Office, at