Find out more about how we, NHS Gloucestershire Integrated Care Board (NHS Gloucestershire), use your information:
As the NHS worked to manage the pandemic, healthcare organisations, GPs, local authorities and arm’s length bodies needed to share information to support efforts against coronavirus (COVID-19).
Information has been collected and shared by the ICB for purposes including protecting public health, providing healthcare services to the public and monitoring and managing the COVID-19 outbreak and incidents of exposure.
Retention Period
Information will usually be retained in line with the Records Management Code of Practice 2021 dependent on the type of information, however, the ICB is currently retaining all relevant information to support the NHS Public Enquiry.
Legal basis
During the pandemic, under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), we were permitted to process confidential patient information for purposes set out in Regulation 3(1) of COPI. This notice expired on 30 June 2022.
For information about the county’s JUYI shared care record and fair processing notice please click here.
The UK General Data Protection Regulation (UKGDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.
We will keep our privacy notice under regular review. This privacy notice was last reviewed in April 2024.
NHS Gloucestershire Integrated Care Board is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.
For further information please refer to the ‘About Us’ page.
We use the following types of information/data:
Categories of data | Description |
---|---|
Personal Data | This is any data relating to an identified or identifiable natural person who can be identified, directly or indirectly. |
Special Categories of Personal Data | The GDPR defines “special categories of personal data” as information about an individual’s: Racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual life; alleged criminal activity; or court proceedings. |
Personal Confidential Data | As defined under the Caldicott Guardian Review, this is personal data about identified or identifiable individuals which should be kept private or secret. The definition includes dead as well as living people and ‘confidential’ includes information ‘given in confidence’ and ‘that which is owed a duty of confidence’. |

Format of the data | Description |
---|---|
Aggregated | This is anonymised data which is grouped together so that it does not identify any individual |
Anonymised | This is data which does not identify you and where there is no risk that identification is likely to take place. |
Identifiable | This is data which can identify a person such as their name, address, telephone number, date of birth, postcode. |
Pseudonymised | This is data that has undergone a technical process that replaces identifiable information such as your NHS number, postcode, date of birth with a unique identifier, which obscures your ‘real world’ identity to those working with the data. |
Our records may be held on paper or in a computer system.
Integrated Care Boards commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We receive anonymised statistical information for the purpose of improving local services, research, audit and public health; for example understanding how health conditions spread across our local area compared against other areas.
Who we receive information from
- NHS England
- Other Integrated Care Boards
- Healthcare Providers
- Patients and their families
- Partners in connection with Employment of staff
- Commissioning Support Units
- Public Authorities or Public Bodies
- Local Authorities
- NHS Shared Business Support (SBS)
- NHS Digital
- Our Data Processors
- Members of the public
To contact us about any of the points in this notice refer to the ‘Contact Us’ page.
If you wish to contact the NHS Gloucestershire Data Protection Officer then please e-mail glicb.enquiries@nhs.net
For the purposes of the Data Protection Act 2018, the Controller is NHS Gloucestershire Integrated Care Board.
Our legal basis for processing personal data
Every use of personal data must be lawful and must comply with the Data Protection Act (2018)/UKGDPR and satisfy the common law duty of confidentiality.
NHS Gloucestershire Clinical Commissioning Group is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012, and we are regulated by The National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012. As such our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the UKGDPR.
Under the UKGDPR, the legal basis for the majority of our processing is:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For some activities we may ask for your consent and the legal basis is:
- Article 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:
- Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special categories data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UKGDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:
- Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Where we process special categories data for employment or safeguarding purposes the condition is:
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special categories of personal data for these purposes, the legal basis for doing so is:
- Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
In ‘Why do we collect your information’ we set out the key ways in which we may process your personal data for the purposes of, or in connection with our statutory functions. If you want to know more about how we process your data please contact our Data Protection Officer: GLICB.enquiries@nhs.net
As a commissioner of health services, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
- If you have made a complaint to us about healthcare that you have received and you have asked us to investigate it for you
- If you ask us to provide funding for Continuing Healthcare services or submit an Individual Funding Request
- If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
- If you ask us to keep you regularly informed and up-to-date about the work of the NHS Gloucestershire Integrated Care Board, or if you are actively involved in our engagement and consultation activities or Service User or Patient Participation Groups.
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.
We may use your information for the following activities:
- Complaints
- Individual Funding Requests
- Continuing Healthcare
- Medicines Optimisation
- Safeguarding
- Risk Stratification
- Invoice Validation
- Patient and Public Involvement
- Commissioning
- Primary and Secondary Care
- Pharmacy, Opticians and Dental (POD), General Practice Transformation Programme (GPTP) and Complaints
- Maternity and Neonatal Independent Senior Advocacy (MNISA)
Full details of all activities can be found here.
We only use information that may identify you in accordance with the Data Protection Legislation which requires us to process data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare and only between other professionals and clinicians, unless you have agreed otherwise.
We will ensure that a legal basis is identified for all flows of personal identifiable information to external organisations.
Everyone working for the NHS has a legal duty to keep information about you confidential under the NHS Confidentiality Code of Conduct. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
We sometimes ask other organisations to help us process and manage our information and the information we process on behalf of our Customers. Any third parties and external processors are legally and contractually bound to operate within security arrangements that are equivalent to those we have in place.
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
All organisations are required to complete a Department of Health Data Security and Protection Toolkit. The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Who we receive information from
- NHS England
- Other Clinical Commissioning Groups
- Healthcare Providers
- Patients and their families
- Partners in connection with Employment of staff
- Commissioning Support Units
- Public Authorities or Public Bodies
- Local Authorities
- NHS Shared Business Support (SBS)
- NHS Digital
- Our Data Processors
If we receive a request for your information from another organisation, we will not share information that identifies you unless we have established a fair and lawful basis to do so such as:
- For the provision of your individual care and you have not objected, or would not reasonably be expected to object;
- You have given us your explicit consent to do so and we have explained the consequences of the sharing and you understand your rights;
- We need to act to protect children and vulnerable adults;
- When a formal court order has been served upon us;
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- We have been asked to do so by a Controller of the data we are processing on their behalf (this would require a written instruction);
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
SCW staff, payroll data and personal data such as contact details may be provided to bodies responsible for auditing, administering public funds or where undertaking a public function for the purposes of preventing and detecting fraud.
The National Fraud Initiative
NHS England is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
For more information on this please visit the following page: NHS England National Fraud Initiative
National Registries
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 (16/CAG/0056) of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
NHS Gloucestershire Integrated Care Board will use other organisations to provide us with support services. These organisations will process information on our behalf and only on our instruction. These organisations are known as “data processors” and will provide additional expertise to support our work.
We will never sell any information about you.
We will ensure that a legal basis is identified for all flows of personal identifiable information to external organisations.
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
NHS Gloucestershire Integrated Care Board ensures that this is supported by use of an NHS Standard Contract which is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care. The NHS Standard Contract covers:
- confidential information of all parties
- patient confidentiality, data protection, freedom of information and transparency
A Data Processing Agreement will be put in place with each processor to detail the terms of the processing and the required security measures to protect the data.
In addition a Data Sharing Framework Contract (DSFC) and Data Sharing Agreement (DSA) are in place with NHS Digital for the release of patient level data and Service Level Agreements are in place with NHS South Central and West Commissioning Support Unit (SCWCSU) for the services they provide.
Below is a summary of our data processors and the function they carry out on our behalf:
- South Central and West Commissioning Support Unit – for Commissioning Intelligence analysis which adds value to the analysis of data that does not directly identify individuals; for processing Freedom of Information requests; and for processing Subject Access Requests. A Service Level Agreement is in place between NHS Gloucestershire Integrated Care Board and SCWCSU for this purpose.
- NHS Litigation Authority – for Claims Management (we rely on your consent).
- NHS Shared Business Service – for Invoice Validation (see above)
Your information may be de-identified and linked by organisations so that it can be used to improve health care and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies, district nursing, podiatry.
When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.
What is the purpose?
This includes wider NHS purposes beyond the provision of direct care and treatment to you. The purpose is to improve understanding of our population, developing a more informed evidence base to address health inequalities and variation in care delivery and outcomes.
What is our Legal Basis?
Under the Health & Social Care Act 2012 the ICB has a statutory legal basis for collecting and processing information for the purposes of commissioning.
How is the information processed?
Hospitals and community organisations that provide NHS-funded care are legally and contractually obliged to submit certain information to NHS Digital about services provided to our service users. This information is generally known as commissioning datasets. The ICB obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the ICB.
These datasets are used in a format that does not directly identify you.
We also receive information from GP Practices within our ICB membership, covering appointment activity, and clinical information to support this purpose. This data also does not directly identify you as the individual, but is linkable to other data that is held.
Primary care data will be linked with other datasets available in the system, analysed in collaboration with clinical representation and in line with system priorities, to provide a more holistic view of the population and needs. The combined analysis is made available to GP practices and appropriate system partners for action.
The ICB has appointed Newton Europe to provide support, initially through a diagnostic assessment to develop an integrated approach within emergency care services and system. Newton Europe will only act under instruction of the ICB and partners.
What are the benefits?
By using data for this purpose, an evidence-based assessment, as well as robust monitoring and evaluation can be made to deliver the following:
- Improvements in the physical and mental health outcomes and wellbeing of people within a defined population
- Reduce Health Inequalities
- Reduce the occurrence of ill health
- Support action to deliver appropriate health and care services
- Support action on the wider determinants of health
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.
All records held by NHS Gloucestershire Integrated Care Board will be kept for the duration specified by national guidance from NHS Digital, Records Management Code of Practice. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information is disposed of by approved and secure confidential waste procedures. Personal confidential data held on paper is securely destroyed by Shred-it Ltd. Personal confidential data held electronically is securely destroyed by Countywide IT Services.
A small percentage of records may become archived, meaning that they will be retained indefinitely under the Public Records Act.
We ensure the information we process is held in secure locations. We restrict access to certain categories of information to authorised personnel only where they can demonstrate a clear need for access as part of their job role. We ensure that where we process information on equipment such as laptops or other types of equipment outside of our normal office environment, we protect it with encryption software (which masks data so that unauthorised users cannot see or make sense of it).
All of our staff, contractors and committee members receive appropriate and ongoing training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
In all circumstances we will only use the minimum amount of information necessary about you.
Overseas Transfers
Your information will not be sent outside the United Kingdom unless we are sure that your privacy will be protected in the same way as it would be in the UK.
GDPR provides the following rights for individuals:
- The right to be informed
- The right of access (see the Subject Access Request section below)
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
Object to NHS Gloucestershire using your personal data
You have the right at any time to object to the NHS Gloucestershire Integrated Care Board sharing your personal information if you do not wish us to process or share your information. If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you. There may be a lawful basis to continue processing, e.g. for safeguarding purposes.
Request to have your personal data rectified
If we do hold information about you, you can ask us to correct any mistakes. You are entitled to have personal data rectified if it is inaccurate or incomplete.
NHS Gloucestershire must respond within 30 calendar days. However, we may extend this period up to 60 calendar days for complex requests. NHS Gloucestershire may refuse the request if it believes the information is accurate/complete or there is a legal basis to refuse and you will be notified of this. You have the right to complain to the Information Commissioner’s Office and to seek correction by order of a Court.
Request to have your personal data erased
This is more commonly known as the ‘right to be forgotten’. You may request to have your data erased where:
- It no longer needs to be kept by the NHS Gloucestershire Integrated Care Board (it has surpassed the minimum retention period)
- You withdraw your previously given consent or object to the use of your data and there is no requirement for the Trust to retain the data
- It has been used unlawfully
- The NHS Gloucestershire Integrated Care Board must comply with a legal obligation
- You are under 16 and data has been stored electronically by the NHS Gloucestershire Integrated Care Board at your request
NHS Gloucestershire may refuse your request (in full or part) where there is a legal basis to refuse and you will be notified of this.
Request a copy of your personal data held by NHS Gloucestershire
You are entitled to a free-of-charge copy of information that we hold about you. However, NHS Gloucestershire may charge a ‘reasonable fee’ for particularly bulky, complex or repetitive requests (for the same information) based on the administrative cost of providing the information.
NHS Gloucestershire must provide you with the requested information (where it is appropriate to provide) within 30 calendar days once it has sufficient details to be able to process the request. However, we may extend this period up to 90 calendar days or refuse to respond for bulky, complex or repetitive requests.
If we do hold information about you we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Give you a copy of the information
How to make a request
To make a request for any personal information we may hold about you, or exercise any of your information rights, please contact us:
Post:
NHS Gloucestershire Integrated Care Board
Shire Hall
Westgate Street
Gloucester
GL1 2TG
Telephone:
01452 943323 (Office reception)
Email:
We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with data protection and privacy law including the UK General Data Protection Regulation (UKGDPR), the Data Protection Act (DPA) 2018, the Human Rights Act 1998, the Health and Social Care (Safety and Quality) Act 2015, and the common law duty of confidentiality.
NHS Gloucestershire Integrated Care Board is a Data Controller as defined in UKGDPR. We are legally responsible for ensuring that all personal information that we hold and use is done so in compliance with the law.
The Data Protection (Charges and Information) Regulations 2018 requires every organisation that processes personal information to pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt. Our ICO Register number is ZA020869 and our entry can be found in the Data Protection Register of Fee Payers on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, The NHS Constitution and The NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
Confidentiality Advice and Support – Caldicott Guardian
NHS Gloucestershire has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user information and enabling appropriate and lawful information-sharing.
The Caldicott Guardian for NHS Gloucestershire is Marie Crofts – Chief Nursing Officer
Data Protection Officer
NHS Gloucestershire has a Data Protection Officer (DPO) responsible for monitoring compliance with our data protection obligations. The DPO also acts as a contact point for the Information Commissioner, our employees and the public.
The DPO for NHS Gloucestershire Integrated Care Board is the Associate Director of Corporate Governance.
The contact address for the DPO is GLICB.enquiries@nhs.net or see the ‘Contact Us’ section at the end of this notice.
The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. There may be occasions when it is not possible to exercise your right to object or “Opt Out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.
The right to object or opt-out includes information not directly collected by the NHS Gloucestershire Integrated Care Board, but collected by organisations that provide NHS services:
- Type 1 opt-out
If you do not want personal confidential data that identifies you to be shared outside your GP practice, for purposes beyond your individual care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used for anything except your care, except when it is required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register this opt-out at their GP practice. If you would like to opt-out or discuss further then please talk to your GP or the healthcare professional supporting you.
- The national data opt-out
Whenever you use a health or care service, such as attending Accident and Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit Your NHS Data Matters
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used at:
NHS Health Research Authority (which covers health and care research);
Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Complaints or questions
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
You can contact the NHS Gloucestershire’s Data Protection Officer at: GLICB.enquiries@nhs.net
Post:
NHS Gloucestershire Integrated Care Board
Shire Hall
Westgate Street
Gloucester
GL1 2TG
Tel: 01452 943323
Email: GLICB.enquiries@nhs.net
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office:
Post:
Information Commissioner
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF.
Tel: 08456 306060 or 01625 545745
Website: www.ico.gov.uk