Our privacy and fair notice policy
Our privacy and fair processing policy aligns to the Data Protection Act 1998 (DPA).
This privacy statement only covers the CCG as the data controller (the organisation which and does not cover any other organisations or organisations that can be linked to from this site.
When you move to the site of, or engage in correspondence with, another organisation, it is important that you read the privacy statement of that organisation.
Who We Are and What We Do
The CCG is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012. CCGs are groups of GP Practices that are responsible for commissioning health and care services for the local community, for example hospital services, nursing in the community and mental health services. We ensure the care providers offer safe, high quality care which includes responding to concerns from our citizens. Please see below for details of how to make comments and complaints.
As a CCG we have many other functions, but these do not generally need data that may identify a person.
Read more about us here.
The Data Protection Act
Under the DPA the CCG is required to register with the Information Commissioner’s Office, detailing all purposes for which personal identifiable data is collected, held and processed.
Personal data means information which relates to a living individual who can be identified from the data, or from that data and other information, which is in or likely to come into our possession.
The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
The CCG will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and we are allowed or required to by law.
The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data. The NHS Hull Clinical Commissioning Group’s registration number is Z3526939. View the CCG’s Notification online. The entry sets down:
- The purpose for which the personal data are held, such as the management of personnel, provision of health services to the local community, marketing or research;
- Categories of individuals, such as employees, service users, CCG members;
- Categories of personal data held, such as name, address, medical history;
- To whom the personal data will be disclosed, such as NHS England, Central Government;
- Whether personal information will be transferred overseas.
Information we collect and how we use it
For the majority of our work we do not need to know individually who lives in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual does not come under the DPA.
The CCG uses information for statistical purposes to allow it to better plan and commission health services for the local area. This could include:
- Monitoring of quality and efficiency of services commissioned
- Statistical analysis of the local population’s illnesses
- Preparing national data submissions for quality and cost
The CCG does not directly provide health care services and therefore does not routinely create or hold any clinical records about any individuals as it does not provide direct care. If you wish to have sight of your own personal health care records you will need to apply to your GP Practice, or the NHS Hospital or NHS organisation which provided your healthcare.
We have been granted an exemption under Section 251 of the NHS Act 2006 which allows us to process personal information for limited purposes including:
- Understanding the local population needs and planning for future requirements, which is known as “Risk Stratification for Commissioning”. Information from health and social care records is looked at by the CCG to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital visits, rather than wait for you to become more poorly. Only your GP/care team is able to see who actually requires additional help and there are strict rules in place to ensure this. Typically, we only use the NHS number or postcode to identify patients for this purpose.
- Ensuring that the CCG is billed accurately for the treatment of its patients, which is known as “Invoice Validation”. Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may design a service where the payment is all or partly based on the providers ensuring the service user’s health improves. When processing invoices for payment of treatment or procedures you have received – information such as NHS number, name, address and date of treatment might be used by the CCG. Where this happens, these details are held within a secure environment and kept confidential; such information is only used to validate invoices and not shared for any other purpose.
Section 251 was introduced because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
We currently use the following organisation to help carry out this work:
North of England CSU (NECS)
Other functions for which we do currently process personal identifiable data after gaining an individual’s consent include:
- If a complaint is made about a service we have commissioned, we might need to look at the complainant’s clinical record to understand the impact on that person’s health. Please see below for further information on how to make a complaint
- Individual Funding or High Cost Drug requests require identifiable data to allow requests for care that is not normally funded to be reviewed and if appropriate approved. Sometimes, to assess the request, we will have to speak to the care providers about the patient
- Continuing Health Care Assessments to allow packages of care to be assessed and agreed
- To enable referrals for specific specialities to be assessed by a specialist clinician to ensure the most appropriate care pathway has been identified for patients
There are some circumstances where we are legally required to process personal information or share it with partner organisations without seeking consent, including:
- Investigating and reporting infectious diseases. The CCG is required to investigate the causes of an infection, sometimes contagious, which may cause risk to the public (Post Infection Review). We do not always need to ask permission to access a person’s record if there is a risk to the public
- To allow the organisation to fulfil its obligations to safeguard children and vulnerable adults; this is a statutory obligation on all NHS organisations
- As part of an investigation into serious crimes
- Where instructed to by a court order
From time to time the CCG may collect information about you in order to perform its duties or answer queries, enquiries or complaints you have raised and it applies to:
- Visitors to our website
- People who use the CCG’s services.
- Staff of the CCG
Visitors to our Website
When someone visits the CCG’s website, www.hullccg.nhs.uk, information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in a way that does not identify people who have visited our websites.
From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.
By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.
We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event the purpose has been met or when you no longer wish to continue your subscription.
You can read more about how cookies work on the CCG website at: Cookies
People who email us
Any email sent to the CCG, including any attachments, may be monitored and used by the CCG for reasons of security and for monitoring compliance with office policy.
Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
If you post or send offensive, inappropriate or objectionable content anywhere on www.hullccg.nhs.uk or otherwise engage in disruptive behaviour on this website we may use whatever information is available to us, about you, to stop such behaviour.
National Fraud Initiative
This organisation is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
For further information on data matching at this authority contact us.
Making a complaint to us
When we receive a complaint from anyone we will need to make up a file containing details of the complainant and the complaint they are making. How we use a complainant’s information to investigate a complaint is explained further on our Compliments and Complaints Page here.
Keeping Information Secure and Confidential
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality and all staff are trained to keep information confidential and have contractual obligations in respect of confidentiality, which are enforceable through disciplinary procedures. Information provided in confidence will only be used for the purposes advised and consented to by the patient, unless there are circumstances covered by the law.
The NHS Confidentiality Code of Conduct applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
We also have a duty to show that the systems and processes we use are secure and that legal agreements are put in place to maintain security.
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Partner Organisations With Whom We May Share Your Personal Data
We work with and commission a number of partner organisations (both within and outside the NHS) to provide healthcare services to you. We will only share personal information where there is valid legal basis to do so. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.
These partners include:
- NHS Trusts
- General Practitioners (GPs)
- Local Authorities (including Social Care and Public Health and Education Services)
- Ambulance Trusts
- Clinical Commissioning Groups (CCGs)
- Data Processors working on the CCG’s behalf including:
Planning and Improving Healthcare
The CCG uses anonymised and pseudonymised patient information to design and commission care services across its area as well as to identify gaps in healthcare services.
Anonymised information is data about you, but from which you cannot be personally, individually identified.
Pseudonymised information is where any identifiable information (e.g. names) has been removed and replaced with a unique code (to represent each individual) so that specific people cannot easily be identified from the remaining data.
This code still allows information from several sources to be linked together, without seeing the identity of the patient. This de-identification and linking work is carried out by NHS Digital (previously Health and Social Care Information Centre) who are a public body granted additional legal rights to carry out the work.
Information across the following sources (national and local) may be used and linked to help manage the health and social care needs of Hull and its surrounding area.
- Primary Care data. This information is extracted from individual GP practices
- Provider Trusts (collected nationally by NHS Digital): Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health
- Provider Trusts (collected locally): other local patient level activity provided directly to the hosted by Data Services for Commissioners (DSCRO) NECS (North East of England Commissioning Support Unit).
- Other datasets as agreed and approved by the Caldicott Guardian – e.g. social care activity data sets provided by the local council
The CCG handles pseudonymised data as if it were sensitive personal data.
The CCG’s Use of Your Information …Your Right To Opt-Out
You have the right in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.
If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact us.
Opt-Out (Stopping) Information About You Across The NHS Being Used Outside Of Direct Care
If you do not want the NHS to use information about you, collected by your GP or other parts of the NHS, then you can opt-out by completing an opt-out form and returning it to your GP practice. There are different types or levels of opt-out available; further information about these types is available from NHS Digital.
Depending on the type of opt out you may choose, this will prevent your information being shared outside of your GP practice or NHS Digital for purposes beyond your direct care (except in special circumstances allowed by law, such as when there is a public health emergency or safeguarding issue).
The possible consequences of opting-out will be fully explained to you and could include problems and delays in identifying and providing the most appropriate care or making additional care resources available.
Access to Personal Information
Everybody has the right to see, or have a copy of, data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data. If we do hold any information about you we will:
- Give you a description of that information
- Tell you why we are holding it
- Tell you who it could be disclosed to
- Let you have a copy
If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld. To make a request to NHS Hull CCG for any personal information we may hold, you will need to put the request in writing and send it to:
By Post to: Subject Access Requests, NHS Hull Clinical Commissioning Group, 2nd Floor, Wilberforce Court, Alfred Gelder Street, Hull, HU1 1UY, or contact us.
How Long Do You Hold Confidential Information For?
All records held by the CCG will be kept for the duration specified by national NHS guidance (see Records management code of practice for Health and Social Care 2216 retention schedule for further information). At the end of the retention period, data will be reviewed as to whether it can then be securely destroyed.
Links to Other Websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this Privacy Notice
How to contact us.
Telephone us on 01482 344700 or Email General Enquiries at: HULLCCG.email@example.com
For independent advice about protection, privacy or data sharing issues, you can contact: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or www.ico.gov.uk