Privacy Notice
NHS Cambridgeshire and Peterborough Integrated Care Board (the ‘ICB’) purchase and manage services to provide patients in our area with the highest quality of healthcare. To enable us to do this, we keep records that contain information about you and your health, and the care and treatment we have provided or plan to provide to you. Further information on the ICB is available to read on our 'about us' page.
The ICB is registered with the Information Commissioner’s Office (ICO) as a data controller[1]. Details of our data protection registration are available through the ICO website; our registration number is ZB346048.
The ICB Privacy Notice is available to download. Alternatively, all information within the Notice is available via the individual drop-down lists below.
ICB Children's Privacy Notice is available to download.
National Fraud Initiative (NFI) Privacy Notice [pdf] 61KB
[1] See Appendix B ‘Key Definitions’ – Data Controller
What information do we hold and how do we use it
We are committed to protecting your privacy and will only use or process information collected lawfully[1] in accordance with the Data Protection Act 2018 (DPA). We undertake not to use any information we may hold about you for any purpose other than that for which it was collected, unless we have obtained your explicit consent[2]. This includes not sending your information overseas without permission. We do not sell personal information.
As a commissioning organisation not involved in direct patient care, the ICB does not routinely hold medical records, but may hold other personal or sensitive (special category) information[3] relating to complaints, investigations, independent funding requests you may make, continuing healthcare funding, or reviews that we are carrying out on your behalf. We also hold information centrally which is used for statistical purposes to allow the NHS to plan the services it provides. We may also use anonymised[4] or pseudonymised[5] data for research[6], audit and public health purposes.
Data may be anonymised and linked with other data so that it can be used to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent and technical measures are taken to ensure individual patients cannot be identified.
The ICB contracts with other organisations to process data on our behalf. These organisations are known as ‘Processors’[7] and we ensure they are legally and contractually bound, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that any processing will meet the requirements of the DPA and ensure the protection of the rights of the data subject.
[1] See Appendix A - ‘Lawful Bases for Processing Data’
[2] See section on ‘Information Sharing’ for instances where patients cannot opt out of their information being shared.
[3] See Appendix B ‘Key Definitions’ - Personal and Sensitive (Special Category) Data
[4] See Appendix B ‘Key Definitions’ - Anonymised Data
[5] See Appendix B ‘Key Definitions’ - Pseudonymised Data
[6] See Appendix C ‘Related Links and Documents’ - Health Research Authority
[7] See Appendix B ‘Key Definitions’ - Data Processors
What we need from you
Please tell us as soon as possible if there are any changes to your information, such as a change of name or a new address. This helps us to keep your information reliable and up to date.
Individuals’ Rights under GDPR and Access to your Health Records
The GDPR provides the following rights for individuals:
- The right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.
- The right of access to your personal data. This is commonly referred to as subject access. If you would like to access your health records, please see contact details below.
- The right to rectification of your personal data, or to have it completed if it is incomplete. In certain circumstances a request for rectification may be refused.
- The right to erasure of your personal data. The right is not absolute and only applies in certain circumstances.
- The right to restrict or suppress processing of your personal data. This is not an absolute right and only applies in certain circumstances.
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. The right only applies to information an individual has provided to a data controller.
- The right to object to the processing of your personal data in certain circumstances.
- Rights in relation to automated decision making and profiling - The GDPR applies to all automated individual decision-making and profiling.
Access to your Health Records
Information on how to access your information is available on our 'access to records' page or by contacting the Information Governance Team.
Primary and secondary care data
The ICB has limited cause to process data as we are not involved in direct patient care. We do, however, receive anonymised and pseudonymised primary and secondary care data[1] processed on our behalf by the North of England Commissioning Support Unit, contracted by us under strict information governance and information security conditions. Receiving data of this type enables us to analyse current health services and proposals for developing future services. It is sometimes necessary for us to link separate anonymised individual datasets to be able to produce a comprehensive methodology for evaluation. This may involve linking primary care data with other non-identifiable data provided for secondary use (known as SUS[2], which includes inpatient, outpatient, A&E and other NHS services data).
[1] See Appendix B ‘Key Definitions’ - Primary and Secondary Care Data
[2] See Appendix B ‘Key Definitions’ – Secondary Uses Service
Risk Stratification
Your GP uses your data to provide the best care that they can for you. As part of this process, your GP will use your personal and health data to undertake risk stratification[1], also known as case finding.
Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission as well as data collected in GP practices.
NHS Digital provides information, identifiable by your NHS Number, about hospital attendances. GP Practices provide information from GP records also identifiable by your NHS Number. Both sets of information are sent via secure transfer to the risk stratification system where they are immediately pseudonymised[2] and linked to each other. The risk stratification system uses a formula to analyse the pseudonymised data to produce a risk score. These risk scores are available to the GP practice you are registered with, where authorised staff, responsible for providing direct care to you are able to see these scores in a format that identifies you. This will help the clinical team make better decisions about your future care, for example, you may be invited to attend your GP practice for a review or if a referral to a new service is more beneficial, this will be discussed with you. The ICB is provided with reports containing aggregated[3] data, which doesn’t identify you, to ensure that we are commissioning and planning for these services as required by the population we serve.
To identify those patients individually from the patient community registered with your GP would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.
Your GP surgery uses the services of two health partners, North of England Commissioning Support Unit (NECS) and Prescribing Services Ltd (PSL) to identify those most in need of preventative or improved care. This is arranged by the ICB who will not at any time have access to your personal or confidential data. They act on behalf of your GP to organise this service with appropriate contractual and security measures only.
NECS and PSL will process your personal and confidential data. Typically, this will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. Processing takes place automatically, without human or manual handling. Data is extracted from your GP’s clinical computer system, automatically processed and only your GP is able to view the outcome, matching results against patients on their system.
The ICB has implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NECS & PSL for risk stratification purposes.
[1] See Appendix C ‘Related Links and Documents’ – Risk Stratification
[2] See Appendix B ‘Key Definitions’ – Pseudonymised Data
[3] See Appendix B ‘Key Definitions’ – Aggregated Data
The legal bases for processing personal identifiable data under GDPR
The legal bases for processing personal identifiable data under GDPR and full details of the types of information processed within the ICB (including the purpose and any data processor involvement) can be found in Appendix A.
Confidentiality and information sharing
We will not share your information unless you ask us to do so. However, there are some instances where patients cannot ‘opt out’ of having their information shared and information may be shared without their explicit consent. These instances may include:
- Where the sharing is mandated by law or court order;
- Where there are sufficient safeguarding[1] or vulnerability concerns;
- In order to assist the police in the prevention and detection of crime;
- There is an overriding public interest in releasing or sharing information;
- We have special permission for health and research purposes (granted by the Health Research Authority)[2];
- For the health and safety of others, for example to report an infectious disease such as meningitis or measles.
We work with several NHS, partner agencies and other organisations[3] to provide healthcare and services for you. We may also share anonymised and pseudonymised statistical information with them for the purpose of improving local services, for example, understanding how conditions spread across our local area compared against other areas.
All NHS organisations have a senior person responsible for protecting the confidentiality of patient information to enable appropriate information sharing. This person is called the Caldicott Guardian. Carol Anderson is the ICB’s Caldicott Guardian.
All ICB staff have contractual obligations of confidentiality[4], enforceable through disciplinary procedures. Staff with access to patient identifiable information receive appropriate ongoing training to ensure they remain aware of their responsibilities. Our staff are granted access to personal or sensitive data strictly on a need-to-know basis only.
[1] See Appendix A ‘Types of Information Processed by the ICB’ - Safeguarding
[2] See Appendix B ‘Key Definitions’ – Section 251 and Appendix C ‘Related Links and Documents’ - Health Research Authority
[3] See Appendix C ‘Related Links and Documents’ - Cambridgeshire Information Sharing Framework
[4] See Appendix C ‘Related Links and Documents’ - Code of Practice for Handling Information in Health and Care
Opting out of Sharing your Confidential Patient Information
Confidential patient information is when 2 types of information from your health records are joined together.
The 2 types of information are:
- something that can identify you;
- something about your health care or treatment.
Identifiable information on its own is used by health and care services to contact patients and this is not confidential patient information.
There are two different opt-out types which both refer to information sharing for purposes other than that of direct patient care:
- Type 1 opt-out: Applies to Medical Records held at your GP practice
  You can tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a type 1 opt-out. This opt-out request can only be recorded by your GP practice.
- National data opt-out: Applies across the Health and Care System in England
Information about you can also be used and provided to other organisations for purposes beyond your individual care, for research and planning to help provide better health and care for you, your family and future generations. This may only take place when there is a clear legal basis to use this information.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit Make your choice about sharing data from your health records - NHS (www.nhs.uk). You can also find out more about how patient information is used at: Patient information and health and care research - Health Research Authority (hra.nhs.uk) (which covers health and care research); and Introducing patient data | Understanding patient data (which covers how and why patient information is used, the safeguards and how decisions are made). You can change your mind about your choice at any time.
NHS Digital[1] monitors the number of patients applying their opt-out rights through aggregated[2] data sources. Whilst patients have the right to opt out of having their data shared for purposes other than direct patient care, sharing data allows the NHS to better understand the needs of patients. It also allows for more comprehensive performance monitoring of services and allows organisations to adequately benchmark themselves. This allows care providers and commissioners to work collaboratively to improve the quality of, and accessibility to local services.
Health and care organisations are required to put systems and processes in place by 31st July 2022 so they can be compliant with the National Data Opt-Out Policy and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. NHS Cambridgeshire and Peterborough ICB is currently working towards compliance with the Policy.
[1] See Appendix B ‘Key Definitions’ – NHS Digital
[2] See Appendix B ‘Key Definitions’ - Aggregated Data
Records management
NHS records may be in electronic or paper format or a mixture of both. A combination of working practices and technology is used to ensure that your information is kept confidential and secure.
The NHS Records Management Code of Practice[1] sets out the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.
Data held by the ICB is retained in line with the Code of Practice’s retention schedules and thereafter confidentially destroyed or disposed of. Detailed retention schedules, i.e. minimum periods for which various records that are created should be retained, in accordance with either their ongoing administrative and historical value or as a result of statutory requirement, can be found in Appendix II of the Code of Practice.
[1] See Appendix C ‘Related Links and Documents’ - NHSx Records Management Code of Practice
Contacting us about your information
If you have any questions or concerns regarding accessing your information, the information we hold on you or the use of your information, please contact the ICB’s Data Protection Officer, details below:
Data Protection Officer
NHS Cambridgeshire and Peterborough ICB
Gemini House
Cambridgeshire Business Park
Angel Drove
ELY
CB7 4EA
cpicb.dataprotectionofficer@nhs.net
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office at:
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone: 0303 123 1113 (Monday to Friday, 9am to 5pm)
Website: www.ico.org.uk/
If you have a complaint or concern
In the first instance complaints should be directed to:
Patient Experience Team
NHS Cambridgeshire and Peterborough ICB
Gemini House
Cambridgeshire Business Park
Angel Drove
ELY
CB7 4EA
FREEPHONE: 0800 279 2535
Email: cpicb.pet@nhs.net
You do have the right to contact the Information Commissioner's Office.
Appendix A
| Lawful basis | Description |
|---|---|
| CONSENT | The individual has given clear consent for the ICB to process their personal data for a specific purpose. |
| CONTRACT | The processing is necessary for a contract the ICB has with the individual, or because the individual has asked us to take specific steps before entering into a contract. |
| LEGAL OBLIGATION | The processing is necessary for the ICB to comply with the law (not including contractual obligations). |
| VITAL INTERESTS | The processing is necessary to protect someone’s life. |
| PUBLIC TASK | The processing is necessary for the ICB to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law. |
| LEGITIMATE INTERESTS | The processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This basis does not apply to the ICB - public authorities process data to enable them to perform their official tasks.) |
Source: ICO Lawful Basis for Processing
Note: Relevant provisions in the General Data Protection Regulation (GDPR) for processing:
- Personal Identifiable Data – Article 6(1); Article 6(2) and Recital 40.
- Special Category Data - Conditions are listed in Article 9(2) of the GDPR
Activity |
Rationale |
---|---|
Complaints |
Purpose – To process your personal information if it relates to a complaint where you have asked for our help or involvement. Legal Basis - The ICB has a duty as to the improvement in quality of services under Section 14R NHS Act 2006 and will rely on your explicit consent as the basis to undertake such activities. Data Processor – We process this information ourselves. |
Freedom of Information (FOI) requests |
Purpose – To process personal information in relation to FOI requests made by an individual to enable response to be provided. For further information please visit the ICB’s FOI webpage. Legal Basis – Freedom of Information Act. Data Processor – We process this information ourselves. |
Safeguarding |
Purpose – Safeguarding means protecting individuals’ health, wellbeing and human rights, and enabling them to live free from harm, abuse and neglect. It is a key part of providing high-quality health and social care. The ICB will participate in Serious Case Reviews undertaken by either the local Children’s Safeguarding Boards or the Adult Safeguarding Boards for continued learning, to minimise risk and to improve services. Legal Basis - The ICB has a statutory responsibility under the Children Act 2004; Care Act 2014 and safeguarding provision within the Data Protection Act 2018 (Schedule 1, Part 2, subsections 18 and 19) to ensure the safety of all children, and the safety of adults at risk of abuse and neglect. Sharing information - Where there is a suspected or actual safeguarding issue the ICB will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. Data Processor – We process this information ourselves, except in circumstances where there may be an external review involving a service delivered by us. Where this is the case, we would commission an appropriate external person to undertake the internal elements of the review for us. |
Individual Funding Requests |
Purpose – We process your personal information where we are requested to fund specific treatment for you for a particular condition that is not already covered within our contracts. For further details, please see the ICB’s Patient Leaflet on Funding Requests. Legal Basis –The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012 part 7 (34) sets out the duty of a ICB in regard to funding and commissioning of drugs and other Treatments. The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. Data Processor – The ICB manages its funding requests via a web-based programme provided by Blueteq. Blueteq store the data on our behalf. |
Continuing Healthcare (CHC) |
Purpose – We process personal identifiable information whilst carrying out assessments for NHS Continuing Healthcare (a package of care for individuals with complex medical needs) funding. Where eligibility is established, this ensures that we commission the correct care package for you. Legal Basis - The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012 section part 6 sets out the duty of an Integrated Care Board (ICB) in regard to the assessment and provision of NHS Continuing Healthcare. The clinical professional who first sees you to discuss your needs will explain to you the information that they need to evidence and process in order for your needs to be assessed and your care package to be commissioned. They will gain your explicit consent to undertake the CHC process and obtain and share relevant documentation with health and social care professionals utilising the data processing systems below. Data Processors – Adam (ICB Case Management System) and GP SystmOne (TPP) are the clinical systems that we use to access, process, evidence gather, store and share health data relating to NHS Continuing Healthcare. |
Infection Control (Review of pathway and advice for patients with healthcare associated infection) |
Purpose - Patient safety is key – we want to ensure correct recognition, treatment and care of HCAI in patients within our community. The Infection Prevention and Control team (IPCT) can monitor patient treatment and advise if this is not optimal for their type of infection. We can collect data regarding risk factors leading up to the infection and suggest mitigating actions for the future of the patient and so prevent on-going issues with infection. We can advise on actions to prevent and manage clusters and outbreaks of infection. We can identify learning to share with healthcare colleagues. Data collection will also support the identification of actions that can prevent infection for future patients through correct antimicrobial prescribing and recognition of risk factors. There are rising numbers of HCAI infections across the system and we therefore need to work together mapping the patient journey across in-patient and out-patient services to understand how prescribing, care and treatment impacts on the patient developing an infection Legal Basis - 6e Processing is necessary for a task carried out in the public interest OR in the exercise of official authority (Public Task) 9h We need it to comply with our legal obligations to provide or manage health or social care services.
The overriding public interest justification we are relying upon is Legitimate interest - It is likely to be most appropriate where you use people’s data in ways they would reasonably expect. The individual patient has developed an infection and they would reasonably expect advice to be given regarding their management and care relating to this. The Infection prevention and control team (IPCT) are the experts in HCAI and therefore the most appropriate people to give this advice to providers who do not have their own IPCT e.g. GPs and Care homes and other care providers. Equality of opportunity or treatment. Those patients not admitted to hospital with a HCAI currently have limited access to infection prevention and control in-put. By allowing access to the NCRS clinical data the ICB IPCT can address this balance and offer primary care and social care the same level of support and guidance for the care and treatment of patients with HCAI. Protecting the public - correct treatment of HCAI and investigation of clusters and outbreaks reduces risk of further transmission and patient harm from infections. Shared learning will ensure appropriate pathways are in place for future patients to support improved care management and treatment. Mandatory healthcare associated infection surveillance: data quality statement - GOV.UK (www.gov.uk) Data Processors – Microsoft (ICB Office 365), NHS England (NCRS system), UKHSA (National HCAI Data Capture System) Retention— Data will be kept in accordance with the ICB records management policy which suggests that 8 years minimum for patient records. Data for destruction will be reviewed, identified and discussed, signed off with senior manager within the Nursing and Quality Directorate and then discussion with IT on the safest method for destroying electronic records. Lists of records destroyed will be maintained. 
S ecure destruction (for example by shredding paper records or wiping hard drives with evidence of a certificate of destruction). The IPCT lead for HCAI will manage this record in accordance with the ICB records management policy. Information that forms part of the patient record will be destroyed, usually after 8 years, following review with a senior manager and in discussion with IT on safe processes for electronic record destruction. The HCAI surveillance lead within the IPCT will manage this process. International Transfers— None Updated— 22/7/2024 |
Invoice Validation |
Purpose – The Invoice Validation process ensures that care providers who provide you with care and treatment can be paid for the services they provide in a timely and efficient manner. There are situations where personal data is required to ensure that the correct service provider is paid. In such cases service providers are required to send patient identifiable data such as NHS Numbers to a Controlled Environment for Finance (CEfF). The CEfF is a restricted secure area where a limited number of authorised staff process the data to indicate which invoices can be validated (authorised) for payment. The ICB has approval for three individuals to have access to patient information for the purposes of the CEfF. NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect report and investigate any incidents where a breach of confidentiality has been made. For further information, please visit NHS England Invoice Validation FAQs. Legal Basis - GDPR Article 6(1)(e) and Article 9(2)(h). The use of personal confidential data by ICBs for invoice validation has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-07)(a-c)/2013)). NHS England Invoice Validation gives us a statutory legal basis under Section 251[1] of the NHS Act 2006 to process data for invoice validation purposes which sets aside the duty of confidentiality. We are committed to conducting invoice validation effectively, in ways that are consistent with the laws that protect your confidentiality. Data Processor - NHS Shared Business Services (SBS) process invoices on behalf of the ICB. NHS SBS do not require and should not receive any personal data to provide their services. |
Patient and Public Involvement |
Purpose – If you have asked us to keep you regularly informed about the work of the ICB or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process data which you have agreed to share with us. Where you submit your details to us for involvement purposes, your information will only be used for this purpose and not shared with anyone without your explicit consent. You can opt out of involvement at any time by contacting the ICB’s Communications and Engagement Team at cpicb.contact@nhs.net Legal Basis – We will rely on your explicit consent for this purpose. Data Processor – We process this information ourselves. The ICB uses SurveyMonkey to collect responses to surveys. We do not store IP addresses from responses. If a survey asks for your Personal Confidential Data, it is not mandatory to provide this, these fields may be left blank. If you have completed a survey and given any personal confidential data, you can contact cpicb.contact@nhs.net quoting the survey to request your details and/or response to be removed. SurveyMonkey’s privacy agreement and cookie policy is available via their website at www.surveymonkey.com Legal Basis – Your explicit consent is required. Data Processors – The ‘ICB’ and Survey Monkey. |
Research |
Purpose – The ICB acts as a hosted advisory service to support research within primary care. Any research supported by the advisory service has regulatory approval by the Health Research Authority, who hold delegated legal responsibility for the regulation of research in health and social care. Legal Basis – Public task. GDPR Article (1)(e) applies i.e. it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. If explicit patient consent is required, this is arranged between the Sponsor and Primary Care. Data Processor – Participant study data is neither held nor processed by the ICB. |
Risk Stratification |
Purpose – Risk stratification tools are used by ICBs to analyse the overall health of a population using data which is anonymised in line with the Information Commissioner's Office (ICO) Anonymisation Code of Practice. The combined ICBs Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks. Legal Basis – NHS England has gained approval from the Secretary of State, through the Confidentiality Advisory Group (CAG), for its application for the disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs which provides a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality. As regards compliance with the General Data Protection Regulation (GDPR), conditions relied upon for processing personal data are “Performance of a task in the public interest or the exercise of official authority” (article 6e) and special category data “Medical and Health diagnosis, treatment or management of health or social care systems and services” (article 9h). Data Processor – The ICB commissions one provider (data processor) to provide risk stratification and other population health analysis services. Currently this is Prescribing Services Ltd via their Eclipse product. |
Social media channels | Purpose – We use social media channels to share news and information with people in Cambridgeshire & Peterborough. We are a user of Facebook, Twitter, Instagram, YouTube, and LinkedIn.
We will only publish photos and names of individuals on our social media channels where they have given us express permission to do so, unless the photos in question are stock photos. For example, we may share photos and names of some of our nurses to mark International Day of the Nurse, or share a local person’s experience of health and care with their express consent. If you post a comment on our social media channels or send us a private or direct message, we will assume you give permission for us to respond. Comments that you post on our social media channels are publicly visible. We may share your comments with relevant teams in our organisation to help us better understand our audiences. We may also share your direct messages with relevant teams in order to answer your message, or to share feedback you have provided. Legal Basis – Public task. GDPR Article (1)(e) applies i.e. it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Data Processor/Controllers – The social media platforms we use are the data controllers and processors of the information shared. Each of the social media platforms has its own privacy policy. You can read these policies via the links below.
Where we have entered data onto the platforms, we have the ability to control it in so far as the terms and conditions of the companies allow. In some instances it may be necessary to contact the social media company directly to exercise rights under UK GDPR. |
[1] See Appendix B ‘Key Definitions’ - Section 251
Appendix B
Data ‘Controller’ |
A Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Data ‘Processor’ |
A Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
Personal Data |
Personal data is any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. |
Processing (in relation to Personal Data) |
Means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction). |
Personal Sensitive Data (Special Categories) |
Special categories of personal data are related to an individual’s race; ethnic origin; political opinions; religious or philosophical beliefs; genetic data; biometric data (where this is used for identification purposes); health data; sex life; or sexual orientation. Personal data can also include information relating to criminal convictions and offences. |
Anonymised Data |
Anonymised data is any personal data which has been processed so that all identifiers are removed or obscured in a way which minimises the likelihood that the data will identify individuals. |
Pseudonymised Data |
Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode, and date of birth with a unique identifier, which obscures the identity of the individual patient to those working with the data. |
Aggregated Data |
Aggregated data is the consolidation of data relating to multiple individuals; the data therefore cannot be traced back to a specific individual. |
Primary Care Data |
Primary care refers to the work of health professionals who act as a first point of contact for patients, such as GPs and pharmacists. Primary care data is therefore data collected within GP practices, dental practices, community pharmacies and high street optometrists. |
Secondary Care Data |
Secondary care is the health care provided by specialists who generally do not have first contact with patients. It includes hospital care, community care and mental health care. Secondary care data is therefore data collected by hospital, mental health and community services. |
NHS Digital |
NHS Digital provides national information, data and IT systems for health and care services. They exist to help patients, clinicians, commissioners, analysts and researchers. Their goal is to improve health and social care in England by making better use of technology, data and information. |
Secondary Uses Service (SUS) | The Secondary Uses Service (SUS) is a single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Commissioners and providers of NHS-funded care use this data for secondary purposes other than direct or 'primary' clinical care, such as: healthcare planning; commissioning of services; National Tariff reimbursement; and development of national policy. SUS is a secure data warehouse that stores this patient-level information in line with national standards and applies complex derivations which support national tariff policy and secondary analysis. |
Section 251 | Section 251 of the 2006 NHS Act was created because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses. For further information regarding Section 251, see Appendix C ‘Related Links and Documents’ - Health Research Authority. |
Appendix C
Confidentiality |
Code of Practice for Handling Information in Health and Care |
Data Sharing |
|
Records Management |
|
Advice and Guidance on the Law and Personal Data |
|
Information Security Management |
|
Anonymisation |
Anonymisation: Code of Practice Anonymisation Standard for Publishing Health and Social Care Data |
Requesting Information Under the Data Protection or Access to Health Records Acts |
|
The National Care Record Guarantee |
|
Health Research Authority |
|
The NHS Constitution for England |
|
Cambridgeshire Information Sharing Framework |
Cambridgeshire Information Sharing Framework |
Risk Stratification |
ICS social media channels
The ICB is the data controller for ICS social media accounts. We use social media channels to share news and information with people in Cambridgeshire & Peterborough. We are a user of Facebook, Twitter, Instagram, YouTube, Nextdoor and LinkedIn.
We will only publish photos and names of individuals on our social media channels where they have given us express permission to do so, unless the photos in question are stock photos. For example, we may share photos and names of some of our nurses to mark International Day of the Nurse, or share a local person’s experience of health and care with their express consent.
If you post a comment on our social media channels or send us a private or direct message, we will assume you give permission for us to respond.
Comments that you post on our social media channels are publicly visible. We may share your comments with relevant teams in our organisation to help us better understand our audiences. We may also share your direct messages with relevant teams in order to answer your message, or to share feedback you have provided.
The social media platforms we use are the data controllers and processors of the information shared. Each of the social media platforms has its own privacy policy. You can read these policies via the links below.
- Facebook: Meta Privacy Policy - How Meta collects and uses user data (facebook.com)
- Instagram: Meta Privacy Policy – How Meta collects and uses user data
- LinkedIn: LinkedIn Privacy Policy
- Twitter: Twitter Privacy Policy
- YouTube: Privacy Policy – Privacy & Terms – Google
- Nextdoor: Privacy Policy (nextdoor.com)