Who we are
NHS Derby and Derbyshire CCG has responsibility for buying (or commissioning) services across our County.
A major part of our work is effective planning, buying and monitoring of services from healthcare providers, such as hospitals and GP Practices. This means making sure that the NHS services that people need locally are available and making sure that those services are high quality and value for money.
This privacy notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It covers information we collect directly from you or receive from other individuals or organisations.
This notice does not provide exhaustive detail, however, we are happy to provide any additional information or explanation needed.
We keep our privacy notice under regular review: it was last reviewed in April 2019.
Our Commitment to Data Privacy and Confidentiality Issues
We are committed to protecting your privacy and will only ‘process’ data (processing refers to how data is Held, Obtained, Recorded, Used and Shared) in accordance with Data Protection Legislation.
This includes ensuring the CCG comply with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, and any applicable national Laws as required.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including:
the Human Rights Act 1998,
the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,
the common law duty of confidentiality, and the
Privacy and Electronic Communications (EC Directive) Regulations
As a Data Controller, the CCG has a duty to:
keep sufficient information to provide services and fulfil our legal responsibilities
keep your records secure and accurate
only keep your information as long as is required
collect, store and use the information you provide in a manner that is compatible with the EU General Data Protection Regulation and the Data Protection Act.
Things you can do to help us:
Personal Information we hold about you
As a commissioner, we do not routinely hold or have any access to medical records. The provider of your healthcare for example an Acute Trust, or GP would hold this information. However, we may need to hold some information about you, for example:
If you have made a complaint to us about healthcare that you have received and we need to investigate
If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process
If you ask us to provide funding for Continuing Healthcare or personal health budget services
If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user participation groups
In circumstances where our safeguarding staff are involved in the most serious cases.
In circumstances where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.
Where information processing falls within the CCGs infection control oversight functions.
Our records may include relevant information that you have told us, information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system.
We may share your information with other organisations as follows:
- as required by law
- to prevent and detect fraud and mistakes
- to make payments to NHS Service providers
- to secure the effective and efficient delivery of NHS and related services
- for benefits and tax administration
- as part of an appeal
Your information will not be transferred outside the European Economic Area, unless this is stated in the privacy notice of the service you use.
Why we process your information
For some of our services, we need to collect personal data so we can get in touch, or provide the service. The CCGs can use your personal data under many different laws. The main ones that apply are the NHS Act 2006, the Health and Social Care Act 2012, the Care Act 2014, the Data Protection Act 2018 and the General Data Protection Regulations, but there are many more.
In many cases there is a statutory requirement to process your data and we can do so without your consent. For some services where individuals choose to engage with e.g. where someone wishes us to include them on our mailing list, the CCG process this data by requesting your explicit consent.
The CCG have in place arrangements to handle limited amounts of person confidential data. These data include limited data processed in accordance with our validation of referral (where treatments are restricted), and indirectly where the CCG perform an oversight function for monitoring the quality of the services commissioned.
Where CCGs hold a contract for the provision of a clinical service, the organisation which deliver that service are the Data Controller. These providers are under contract and have to keep your details safe and secure, and use them only to provide the service.
The CCG has undertaken an assurance exercise, validated via the completion of the Data Security and Protection toolkit, which has assured the legal basis of processing for each of the CCG’s activities. The CCG processes person identifiable data for the following purposes:
- Financial Transactions including processing applications for funding treatments
- Invoice validation
- Dealing with complaints
- Processing Safeguarding referrals
- Continuing Healthcare
- Risk Stratification
- Patient & public involvement - where you have agreed for us to contact you to gain your views about the services we commission Regulatory Oversight and Quality monitoring functions
- National registries
- To ensure we meet our legal and statutory obligations
- Clinical audit
- GP data including performance and monitoring information
- Investigating and managing serious incidents
As an employer, the CCG will process employee data for the following purposes:
To ensure that the information we hold about you is kept up-to-date;
To deal with any employee / employer related disputes that may arise;
For assessment and analysis purposes to help improve the operation and performance of the CCG;
To inform the development of recruiting and retention policies so that they are relevant to the CCG’s workforce;
To enable the monitoring of protected characteristics in accordance with the Equality Act 2010 and ensure that the CCG continues to meet equality standards;
To prevent, detect and prosecute against fraud;
To respond to requests made by a “relevant authority” under Section 29 of the Data Protection Act 2018, such as the police, government departments and local authorities with the regulatory powers to request access to personal data without the consent of the data subject for the purposes of the prevention or detection of crime.
In accordance with the consent provided by you as part of your terms and conditions of employment; and
To comply with the CCG’s legal obligations as an employer; i.e. HMRC and pensions.
Keeping your personal information
Your personal data will only be retained by the CCGs where there is a clear lawful basis to do so, and this will not be retained for longer than is necessary. The CCG ensures that we comply with best practice in relation to the retention and destruction of records.
You have certain legal rights, including:
to have your information processed fairly and lawfully
to request access any personal information we hold about you
the right to privacy, and to expect the NHS to keep your information confidential and secure
to request that your confidential information is not used beyond your own care and treatment and to have your objections considered
to request that any inaccurate data that we hold about you is corrected.
These are commitments set out in the NHS Constitution, for further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
Subject access requests and requests to correct errors
Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:
Give you a description of it
Tell you why we are holding it
Tell you who it could be disclosed to; and
Let you view or have a copy of your personal information in an intelligible form.
To make a request for any personal information we may hold you need to put the request in writing to the address provided below.
Subject Access Request
To make a request for any personal information we may hold, please see NHS Derby and Derbyshire CCG’s Subject Access Request Procedure
Information not directly collected by the CCG, but collected by organisations that provide NHS services
Type 1 opt-out
If you do not want personal data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Type 2 opt-out: information held by NHS Digital
Previously you could tell your GP surgery if you did not want NHS Digital, to share confidential patient information that it collects from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-Out.
The template privacy notice text can be found at: https://digital.nhs.uk/national-data-opt-out
How each of our services uses your information
You can view the privacy notices for each of our services:
- Complaints & PALS
- Individual Funding Requests
- Patient & Public Involvement
- Personal Health Budgets
- Risk Stratification
- Care Homes
- Staff – Past, Present & Future
- Brain Injury
- Specialist Hospital Funding
- Transforming Care
- Medicines Management
- Medicines Order Line
- Treatment Reviews
- Procedures of Limited Clinical Value
- Continuing Healthcare
- Finance – Invoice Validation
- Special Educational Needs and/Or Disabilities
- Commissioning Purposes
- National Fraud Initiative
Our Data Processors
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. The CCG remains the data controller (the organisation responsible for determining the purposes for which and the manner in which personal data is used under Data Protection Legislation) of such information at all times. Please click herefor a list of our Data Processors
If you have any queries, concerns or want to request that we change or delete your information you may contact the Derbyshire CCGs at the following address:
Data Protection Officer
Dr Steve Lloyd
10 Nottingham Road
Data Protection Officers are responsible for upholding your rights and making sure we process your information correctly.
Concerns about how we are using your information
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
For more information about Data Protection, or if you are unsatisfied with the way the your personal information has been handled, you can contact the national regulator, the Information Commissioner’s Office, at:
The Office of the Information Commissioner Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AX www.ico.org.uk Email: email@example.com
Website and Social Media
We will use the Internet to communicate with the public and promote public participation. Through our social media accounts and website, we will post photos, videos, and sound recordings of our work and events, which may sometimes include personal data. Although we seek consent, this may not always be possible when capturing large crowds or public street scenes. If you are ever unhappy about being included in any of these publications, please contact us.
Communications undertaken by the CCG
For key functions of the CCG, it is essential that we maintain lists of professional contacts. Where the CCG are communicating with the public about specific events or engagement – we will make announcements within local media, and contact those people who have expressed an interest in being kept informed and who have shared their contact details with us. In this case, the CCGs do not share details with any other parties, and each person can withdraw their consent for the CCG to hold their information at any time.
The lawful basis for processing this data is the consent of the individual data subject, and this can be withdrawn at any time.
Where the CCG maintains contact lists of professional contacts, whether this be key primary care contacts, or contacts within care homes, pharmacies or optometrists – this is key to ensuring that information about CCG services and developments are shared with partners, and engagement across all care partners is maintained. Again, the CCG do not share details with any other parties. The lawful basis for this processing is one the two following:
Where the CCGs maintain contact lists of GP practice contacts, this is to enable the oversight and management of the GP Contract, and the lawful basis is Contract.
Where the CCGs maintain contact lists for services contracted via NHS England – for example optometrists, care homes, pharmacists and other care providers, the lawful basis for processing this data is the consent of the individual and company involved, and this can be withdrawn at any time. To do join or unsubscribe from this list please contact: DDCCG.Meds.Man@nhs.net.