One Health and Care Privacy Notice

Please note: Information that has been held previously by NHS Staffordshire and Stoke-on-Trent CCG was transferred to NHS Staffordshire and Stoke-on-Trent Integrated Care Board (ICB) on 1 July 2022, who became the new data controller.

At NHS Staffordshire and Stoke-On-Trent ICB we are committed to protecting and respecting your privacy.

The Integrated Care Board (ICB) has various roles and responsibilities, but a major part of our work involves making sure that:

· Contracts are in place with local health service providers,

· Routine and emergency NHS services are available to patients,

· Those services provide high quality care and value for money; and

· Paying those services for the care and treatment they have provided.

This is called “commissioning”.

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

As a commissioning organisation, our purpose is not to provide direct care and so we do not routinely hold or receive information about patients and service users in relation to your care. We do however sometimes hold information from which people can be identified to enable us to fulfil our responsibilities as outlined above and this is explained in this notice.

Data Protection Notification

The ICB is a ‘Data Controller’ under the Data Protection Act 2018. We have notified the Information Commissioner that we process personal data and the details are publicly available from the:

Information Commissioner’s Office Wycliffe House Water Lane, Wilmslow SK9 5AF

ico.org.uk/ESDWebPages/Search

Registration number: ZB342466

A privacy notice is a statement that describes how an organisation collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

• Why we need your data
• How it will be used
• Who it will be shared with

This information also explains what rights you have in controlling how we use your information. The key laws are:

• The Data Protection Act 2018 (DPA)
• UK General Data Protection Regulation 2021 (UK GDPR)
• The Human Rights Act 1998 (HRA)
• The Common Law Duty of Confidentiality

Within these pages we describe instances where the ICB is the ‘Data Controller’, for the purposes of the Data Protection Act 2018, and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

The ICB recognises the importance of protecting personal and confidential information in all that we do, whilst taking great care to ensure our legal obligations are met.

We only collect and use your information for the lawful purposes of administering the business of the ICB.

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. To enable us to do this effectively we are often required to process personal data i.e. that which identifies a living individual.

We also process special category data. This is personal data which the Data Protection Act 2018 says is more sensitive, and so needs more protection:

· Racial and ethnic origin

· Offences (including alleged offences), criminal proceedings, outcomes and sentences

· Trade union membership

· Religious or similar beliefs

· Employment tribunal applications, complaints, accidents, and incident details.

· Health data

· Sexual orientation

This information will generally relate to our staff.

In terms of patient information, the special category data we process includes:

· Physical or mental health details

· Racial and ethnic origin

· Sexual orientation

· Details of care

· Religious or similar beliefs

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations for purpose beyond your individual care, for instance to help with:

· improving the quality and standards of care provided

· research into the development of new treatments

· preventing illness and diseases

· monitoring safety

· planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Although the ICB generally does not have access to identifiable information, they have been instrumental in developing a shared care record which joins data safely across health and social care settings, both to improve direct care for individual patients and service users, and to underpin population health and effective system management.

The regionally branded One Health and Care (OHC) Shared Care Record (ShCR) is an information exchange system to support the development of integrated health and social care across Staffordshire and Stoke-on-Trent, Shropshire and Telford and Wrekin, and the Black Country.

The OHC ShCR provides health and social care professionals with access to information they need to deliver safe and efficient ‘seamless’ care, whilst empowering individuals to control elements of their care. Whether individuals are being treated by their GP, in a community-based service or in hospital, their shared digital care record will be accessible 24/7, with appropriate access permissions.

The OHC ShCR forms the basis of an analytics platform to provide a robust and secure means of generating reports and dashboards to improve direct care delivery and improve health and social care planning. The analytical data is segmented into two analytical views:

1) An Identifiable data view to Health and Social Care professionals to support referrals and the instigation and delivery of specific direct care activity as a result of:

1. Case finding and stratification
2. Care delivery and quality improvements, e.g., clinical audits

2) An Anonymised data view used to support secondary use and transformation projects including but not limited to system capacity, population health management, modelling and planning of demand, commissioning planning, contract management, service procurement, and service performance management.

Lawful basis

Under the UK GDPR, the lawful basis we rely on to process your personal data is:

· Article 6 (1) (b) for the performance of a contract

· Article 6 (1) (c) legal obligation

· Article 6 (1) (d) vital interests

· Article 6(1) (e) public interest or in the exercise of official authority vested in the controller

Under the UK GDPR, the lawful basis we rely on to process your special category data is:

· Article 9 (2) (c) vital interests

· Article 9 (2) (g) substantial public interest

· Article 9 (2) (h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

· Article 9 (2) (i) processing is necessary for reasons of public interest in the area of public health

· Article 9 (2) (j) ‘...necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes’

Sources of data

To create a shared care record, an individual’s data is extracted from source provider systems such as Acute Care, Community Care, Mental Health, Primary Care (includes GP Practices), Adult and Children’s Social Care (includes Public and Private Sector Providers), in line with the approved data specifications for each partner.

This data is linked to form the shared care record thereby aiding the delivery of effective and sustainable services by providing health and social care professional a single point of access to individual information.

Any Care Homes and Hospices that are onboarded will have view only access, however it is a future ambition to also include their source data into the OHC ShCR. This privacy notice will be updated once this happens.

Categories of data

Personal information: name, address and post code, NHS number, email address, date of birth.

Special category (sensitive) information: racial/ethnic origin, religious/philosophical beliefs, health information, sexual life or orientation.

Recipients of data

Data is accessed by parties mentioned under ‘sources of data’ above.

ICBs do not have access to identifiable information held in the OHC ShCR.

Further information on data sources and data recipients can be found on the OHC ShCR website Shared health and care records - Staffordshire and Stoke-on-Trent, ICS (staffsstokeics.org.uk).

We hold data securely in accordance with the Records Management Code of Practice 2021.

We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. All data is held within the UK.

Alongside the Data Protection Officer (DPO), we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual information governance training and are provided with an information governance handbook that they are required to read and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Practice, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

You have a number of rights under data protection law and these are listed below. To exercise any of these rights, please contact us:

Head of Governance

NHS Staffordshire & Stoke-On-Trent Integrated Care Board

New Beacon Group

Stafford Education & Enterprise Park

Weston Road

Stafford

ST18 0BF

The right to be informed

You have the right to be informed about the collection and use of your personal data. This privacy notice is one of the ICB’s key methods for providing you with this information. In addition to this notice, we will provide you with more specific information at the time we collect personal data from you, such as when you apply for Continuing Healthcare or make a complaint to us.

The right of access

You have the right to ask us for confirmation of whether we process data about you and if we do, to have access to that data.

You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf, for example, a child’s parent or guardian, a patient representative, or a person appointed by the court may also apply.

The right to rectification

You are entitled to have personal data that we hold about you rectified if it is inaccurate or incomplete. If we have passed the data concerned on to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If this is the case, we will explain to you why.

The right to erasure

You have the right to have personal data we hold about you erased and to prevent processing in specific circumstances:

· Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.

· If you withdraw your consent for us to process your data (if this was the legal basis on which it was collected).

· The personal data was unlawfully processed (i.e. a breach of UK data protection laws).

· The personal data has to be erased in order to comply with a legal obligation.

However, if we have collected and are processing data about you to comply with a legal obligation for the performance of a public interest task or exercise of official authority, i.e. because we have a legal duty to do so in our functioning as an ICB, then the right to erasure does not apply.

The right to restrict processing

You have the right to ‘block’ or suppress processing of your personal data which means that if you exercise this right, we can still store your data but not to further process it and will retain just enough information about you to ensure that the restriction is respected in future.

You can ask us to restrict the processing of your personal data in the following circumstances:

· If you contest the accuracy of the data we hold about you we will restrict the processing until the accuracy of the data has been verified.

· If we are processing your data as it is necessary for the performance of a public interest task and you have objected to the processing, we will restrict processing while we consider whether our legitimate grounds for processing are overriding.

· If the processing of your personal data is found to be unlawful but you oppose erasure and request restriction instead; or

· If we no longer need the data we hold about you, but you require the data to establish, exercise or defend a legal claim.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction on the processing of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.

We will inform you if we decide to lift a restriction on processing.

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability although it only applies where we are processing your personal data based on your consent for us to do so or for the performance of a contract and where the processing is carried out by automated means. This means that currently, the ICB does not hold any data which would be subject to the right to data portability.

The right to object

Where the ICB processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing.

You must have an objection on grounds relating to your particular situation.

If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

The right to withdraw consent

If the ICB processes data about you on the basis that you have given your consent for us to do so, you have the right to withdraw that consent at any time. Where possible, we will make sure that you are able to withdraw your consent using the same method as when you gave it.

If you withdraw your consent, we will stop the processing as soon as possible.

Rights in relation to automated decision making and profiling

The ICB does not use profiling or automated individual decision-making1 as standard practice. However, the Prescription Ordering Direct (POD) service can use automated decision-making for support on determining suitability for a certain medication.

The right to complain

Should you have a Complaint about how we use your personal information, then in the first instance, you should contact:

Staffordshire and Stoke on Trent ICB New Beacon Building Stafford Education and Enterprise Park Weston Road Stafford

ST18 OBF

Tel: 0808 196 8861 Email: patientservices@staffsstoke.icb.nhs.uk

If, however, you are not satisfied that your complaint has been resolved, you have the right to contact the Information Commissioner to lodge a complaint:

Information Commissioner’s Office Wycliffe House Water Lane Wilmslow SK9 5AF ico.org.uk Tel: 0303 123 1113Tel: 0303 123 1113

Please contact us via our Data Protection Officer if you have any questions about our privacy notice or information we hold about you:

Paul Winter Data Protection Officer & Deputy Director of Corporate Services and Governance Email: paul.winter@staffsstoke.icb.nhs.uk

We keep our privacy notice under regular review and we will place any updates on this web page. This notice was last updated August 2023.