Privacy Notice

Last updated November 2017

Fair Processing Notice - How We Use Your Information

This notice is designed to inform you of the type of information (including personal information) that we, NHS Liverpool CCG, as your clinical commissioning group (CCG), hold about you, how that information is used, who we may share that information with, how we keep it secure and confidential, and what your rights are in relation to the information which we hold.

Who are we?

Liverpool CCG is responsible for the planning, purchasing and monitoring (commissioning) of health services from healthcare providers such as hospitals and GP practices to ensure the highest quality of healthcare for the people of Liverpool. We do not provide healthcare like a GP practice or a hospital. Our role is to make sure the appropriate NHS care is in place for the people of Liverpool, within the budget we have.

Why we collect information about you

In carrying out our role as a commissioner of health services we may collect and hold some information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or on a computer. The records may contain information about your health and also information such as outcomes of needs assessments. They may also include, where there is a legal basis to do so, basic details such as your name, address and date of birth. Liverpool CCG is the Data Controller of the information we hold about you.  

How your records are used to help the NHS

Your information may be used to: -

  • Help assess the needs of the general population and make informed decisions about the provision of future services;
  • Improve outcomes for the population by identifying which services or health care is most effective;
  • Help understand which patient groups are likely to get ill and attend hospital (risk stratification);
  • Conduct health research and development, monitor NHS performance and help the NHS plan for the future;
  • Investigate complaints in respect of the services we commission.

Using your information in this way can help us to identify patients who will benefit from early intervention and plan care which has a greater chance of improving health outcomes for patients.

We will not publish any information that identifies you or routinely disclose information about you without your express permission. You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences will be fully explained to you, such as potential delays in receiving care.  See below “Choices about your personal information” for further information.

There may be circumstances where we are legally bound to share information about you, for example in the event of a pandemic and in accordance with the Data Protection Act to protect the public's interests. Anyone who receives information from us is also under a legal duty to keep this information confidential.

Working in partnership with other organisations

There are a number of NHS organisations who work on our behalf or with us to ensure that data we receive is accurate and securely transferred and managed. These organisations can be called data processors. They collect information from a range of places where people receive care, such as hospitals and community services and send it to us securely. Our main NHS data processors are Arden and GEM Commissioning Support Unit (CSU), Midlands and Lancs CSU and NHS Digital (previously Health and Social Care Information Centre).

As an NHS organisation we often work in partnership with a range of NHS providers and commissioners and we also work closely with the Liverpool City Council who provide social care related services. In addition, we sometimes may work with a third party data provider to help undertake some analysis. Your information may at times be shared with these partners to support the care you receive and the planning of services. All information is shared only if there is a legal basis to do so with a comprehensive sharing agreement and strict security features in place in line with national policy over data transfer and storage.  

The data collected about you may be used to help determine whether you, or people with similar characteristics, are at risk of needing NHS care in the future. This analysis is described as risk stratification. The data is then made available to services which will identify and prioritize patients who are most at risk and would benefit the most from proactive intervention and care.

Linking Data

To help us identify risks we obtain data from the health and social care services you use and ‘link’ this data. This is a very important process, without which we have very limited understanding of how health and social care is connected. The data is then ‘pseudonymised’, which means any identifying details (such as name or NHS number) are replaced with a unique code. No other patient identifiable data such as name or address is received for data linkage. This data is always stored securely and only shared with those who are part of the risk stratification process.

We receive data from hospitals (via a portal called the Secondary Uses System) and GP records (EMIS) to enable this analysis to take place. Individual people cannot be identified.

A data sharing agreement is signed between NHS Digital and ourselves to ensure that agreement over how we use the data is maintained.

Financial Validation

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. The limited information includes name, DOB, GP Practice and service code and is normally only used for patients who have visited a secondary care organisation outside the area we serve, such as a hospital in another city. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF), approved by NHS England. You have the right to refuse your information being disclosed for this purpose. This would not affect your care but would make it difficult for us to validate that costs of these services should be charged against our budget. 

The National Fraud Initiative: Fair Processing Notice

NHS Liverpool CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office requires NHS organisations to participate in data matching exercises to assist in the prevention and detection of fraud. Data matching involves comparing computer records held by one NHS organisation against computer records held by the same or another organisation to see how they match. This is usually personal information. Computerised data matching can help us to identify and investigate potentially fraudulent claims, payments and errors.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Information on the type of data we are required to share is set out in the Cabinet Office’s guidance which can be found here. Data matching is subject to a Code of Practice and is detailed here.

The use of data by the Cabinet Office in data matching exercises is carried out with statutory authority under its power in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. For further information on the Cabinet Office's legal powers and the reasons why it matches particular information click here.

For further information on data matching at NHS Liverpool CCG, please contact:

Stephen Hendry 0151 296 7655 stephen.hendry@liverpoolccg.nhs.uk

Senior Operations and Governance Manager 
NHS Liverpool Clinical Commissioning Group 
The Department
Lewis’s Building
2 Renshaw Street
Liverpool
L1 2SA

Security of Information

Everyone working for the NHS is subject to the Common Law Duty of Confidence. The information we do hold about you whether in paper or electronic form, is therefore protected from unauthorised access. Under the NHS Confidentiality Code of Conduct all our staff are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared.

Choices about your personal information

There are choices you can make about how your information is used and you can choose to opt out of your information being shared or used for any purpose, beyond providing your care.

If you do not want your information to be used for any purpose beyond providing your care as outlined above, you can choose to ‘opt-out’. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. This won’t affect the care you receive now, but giving us access to this data helps us to plan and improve services which your friends and family might use in the future.

There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

  • Type 1 opt-outs
    If you do not want information that identifies you to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
  • Type 2 opt-outs
    NHS Digital collects information on our behalf from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice. When this is done, your record is removed from any data we receive from NHS Digital. 

Type 2 opt out does not apply when there is a legal requirement to release information, or where you have given your consent to a specific release of your information, such as for research.

There are also some limited circumstances, which are set out in the direction, when your information may still be shared. These are cases where:

  • The Secretary of State for Health has identified the information flow is very important.
  • There are complex technical barriers that make it very difficult to apply opt outs.

For more information on how NHS Digital collect and use opt-out information click here.

Access to your information

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. This right can be exercised via submission of a Subject Access Request (SAR) to the NHS Liverpool CCG. We are able to charge a reasonable fee for the administration of the request; however, these fees are set down in law as follows:

  • We may charge up to £10 for complying with a SAR relating to health records if the information is only held electronically.
  • We may charge up to £50 for complying with a SAR relating to health records if those records are held either wholly or partly in non-electronic form.

CCG oversight of your information

We have assigned a Caldicott Guardian and Senior Information Risk Owner (SIRO) who have oversight of the handling of information within our CCG as well as support organisations that we may buy services from. The Caldicott Guardian has the role of overseeing and making decisions on information sharing. The Senior Information Risk Owner (SIRO) is accountable for information risk. Both roles are supported by the CCG’s Information Governance Working Group (IGWG) which meets regularly to discuss issues related to information governance. The group is formed of senior representatives from each team within our CCG and is chaired by the Senior Information Risk Owner.

If you wish to contact the CCG’s Caldicott Guardian or SIRO, please contact (in the first instance)

Stephen Hendry 0151 296 7655 stephen.hendry@liverpoolccg.nhs.uk

Senior Operations and Governance Manager 
NHS Liverpool Clinical Commissioning Group 
The Department
Lewis’s Building
2 Renshaw Street
Liverpool
L1 2SA 

Complaints and appeals

In the event that you believe the NHS Liverpool CCG has not complied with the Data Protection Act, either in responding to a Subject Access Request or in the way we have processed your personal information, you have the right to make a complaint and can do so, either by contacting our Corporate Governance Lead (as stated above) or by seeking independent advice from the Information Commissioner's Office.

Information Commissioner's Office
Wycliffe House
Water Lane
WILMSLOW
Cheshire SK9 5AF

Enquiry Line: 01625 545700
Website: www.ico.gov.uk

How long do we keep your records?

Any records that we have received as detailed above, are stored securely and kept for a period of time in line with NHS Liverpool CCG’s retention policy and the NHS Code of Practice which can be found here. Dependent on the reason we received your data, we may store your information securely for a period of between two and 20 years.  Your records may be kept longer but would not ordinarily be kept longer than 30 years. Following this period of time, information about you would be destroyed under confidential conditions.

Further information

If you would like to know more about how NHS Liverpool CCG uses your information you can find our contact details here. For more information on how data is collected and used across the NHS, please click here. Find out more about our data sharing campaign "We Share Because We Care", here.

Further information can also be obtained from the following links:

Data Protection Act 1998 
Care Record Guarantee; and
NHS Confidentiality Code of Practice

 

Handling Continuing Healthcare (CHC) Applications

If you make an application for Continuing Healthcare (CHC) funding, NHS Liverpool Clinical Commissioning Group (LCCG) will use the information you provide and where needed request further information from care providers to identify your eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the funding packages with appointed care providers. This process is nationally defined and we follow a standard process. Liverpool CCG use standard information collection tools to decide whether someone is eligible.

Handling Individual Funding Requests (IFR) Applications

If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, NHS Liverpool CCG will use the information you provide and may request further information from care providers to identify your eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the funding packages with appointed care providers.

Supporting Medicines Management

CCGs advise local GP practices on medical prescribing queries which generally don’t require identifiable information.

Where specialist support is required, e.g. to order a drug that normally comes in solid form but the patient needs it in gas or liquid form, the medicines management team will order this on behalf of a GP to support your care.

Safeguarding

Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned.

Quality Alerts

A Quality Alert is a systemic issue, generally affecting a service, or the ability to deliver a high quality service. NHS Liverpool CCG Quality Team triage quality alerts (QAs) reported by GPs/Provider organisations. The CCG has a statutory duty to support NHS England with the continuous quality improvement of primary medical services as set out in the HSCA 2012 and the Primary Medical Services assurance framework. For the CCG to triage quality alerts reported by Liverpool GPs and providers, the Quality team at the NHS Liverpool CCG may require the relevant individual's NHS number to investigate.

Post Infection Reviews

In the rare cases where an infection occurs, the Clinical Commissioning Groups collaborate closely with the organisation involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to, the infection.

CCGs will lead the Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. They will be able to use the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system.

Serious Incident Management

NHS Liverpool CCG is accountable for effective governance and learning following all Serious Incidents (SIs) and works closely with provider organisations to ensure all SIs are reported and managed appropriately. The Francis Report - NHS Patient Safety and Quality (February 2013) emphasised that commissioners, as well as providers, had a responsibility for ensuring the quality of health services provided.

Sharing Information

In order for NHS Liverpool CCG to perform its commissioning functions, information (mostly anonymised) may be shared from various organisations which include: General Practices, acute and mental health hospitals, other CCGs, community services, walk-in centers, nursing homes, directly from service users and many others.

Risk Stratification

Your GP will use your data to provide the best care they can for you. As part of this process, your GP will use your personal and health data to undertake risk stratification, also known as case finding.

Risk stratification involves applying computer based algorithms, or calculations, to identify those patients registered with the GP Surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

To identify those patients individually from all registered with your GP would be a lengthy and time-consuming process, which would by its nature potentially not identify individuals quickly and increase the time to improve care.

Your GP Surgery uses the services of a health partner, NHS Midlands and Lancashire Commissioning Support Unit (MLCSU) to identify those most in need of preventative or improved care. This contract is arranged by the CCG.

Liverpool CCG and Midlands and Lancashire CSU act on behalf of your GP to organise this service with appropriate contractual and security measures only.

NHS Midlands and Lancashire CSU will automatically process your personal and confidential data without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention.

Processing takes place automatically and without human or manual handling. Data is extracted from your GP computer system, automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. If you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NHS Midlands and Lancashire CSU for risk stratification purposes.  

The lawful basis to use this information for risk stratification has been allowed by s251 NHS Act 2006 and is processed by NHS Midlands and Lancashire CSU or other approved providers only. For further information on Risk Stratification, please visit:

https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/

Caldicott Guardian

Each NHS organisation and General Practice is mandated to have a Caldicott Guardian who has responsibility for satisfying the highest practical standards for handling patient identifiable, confidential and sensitive information. The Caldicott Guardian also actively supports work to enable information sharing where it is appropriate and advises on options for lawful and ethical processing of patient information.

Managing Conflicts of Interest

The CCG manages conflicts of interest as part of our day-to-day activities. Effective handling of conflicts of interest is crucial to give confidence to patients, tax payers, healthcare providers and parliament that CCG commissioning decisions are robust, fair, transparent and offer value for money. It is essential in order to protect healthcare professionals and maintain public trust in the NHS. Failure to manage conflicts of interest could lead to legal challenge and even criminal action in the event of fraud, bribery and corruption.

Section 14O of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012) (“the Act”) sets out the minimum requirements of what both NHS England and CCGs must do in terms of managing conflicts of interest.

Any persons who are included in the declaration of interest registers and have concerns about this can contact the Data Protection Officers for the NHS Liverpool CCG at:

NHS Midlands and Lancashire Commissioning Support Unit
Kingston House
438 High Street
West Bromwich
B70 9LD

Email: mlcsu.southcheshirevaleroyalccgrequests@nhs.net

Patient right to object to processing/opt-out

There are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care.

There are some circumstances where you cannot object to your information being shared. This would be in the event that there was a safeguarding issue or where the organisation was required by law to share your information.

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of the HSCIC, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.

If you have consented to your personal data being used, you also have the right to withdraw this consent at any time and you do not need to provide a reason to withdraw your consent. In this scenario the possible consequences of withdrawing consent will be explained to you. A possible consequence may be that you are unable to receive a specific service as a result of withdrawing consent. If you wish to opt out or withdraw your consent from the CCG processing your data, please contact the patient advice and liaison service (PALS) which is provided by NHS Midlands and Lancashire Commissioning Support Unit on behalf of NHS Liverpool CCG:

Email: MLCSU.complaints@nhs.net

How long we will keep your information and how we will destroy information

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care. For more information, you can access the document at the following address. The retention starts on page 53.

http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf

When destroying data we ensure that we, or third parties we contract to destroy data on our behalf, meet guidelines set out within principle 7 of the Data Protection Act 1998, the European Standard EN 15713 for paper copies and Communications Electronics Security Group (CESG) Standards (www.cesg.gov.uk) for secure destruction of electronic data.

Employee Information

We collect information about individuals who work for us for the following purposes:

  • The administration of prospective, current and past employees including self-employed, contract personnel, temporary staff or voluntary workers.
  • The recruitment and selection process
  • Administration of non-CCG staff contracted to provide services on our behalf
  • Planning and management of our workload or business activity
  • Occupational health service
  • Administration of agents or other intermediaries
  • Pensions administration
  • Payment administration
  • Disciplinary matters, staff disputes, employment tribunals
  • Staff training and development
  • Ensuring staff are appropriately supported in their roles
  • Vetting checks
  • Assessing our performance against equality objectives as set out by the Equality Act 2010

Members of staff can apply for a copy of the records we hold about them by following the same processes outlined above in ‘Accessing your information held by NHS Liverpool CCG’.

Relevant links to associated documents or organisations

If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click on the following links:

  • NHS Constitution:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/480482/NHS_Constitution_WEB.pdf

  • NHS Care Record Guarantee:

http://systems.digital.nhs.uk/rasmartcards/strategy/nhscrg

  • NHS Digital’s Guide to Confidentiality:

http://systems.digital.nhs.uk/infogov/confidentiality

  • Information Commissioner Office:

https://ico.org.uk/

  • Health Research Authority:

http://www.hra.nhs.uk/

  • Health Research Authority Confidentiality Advisory Group (CAG):

http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/

  • For more information about care records and how to access them see NHS Choices:

http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/overview.aspx

  • For details about how public bodies must make information available, see the model publication scheme published by the Information Commissioner’s Office:

https://ico.org.uk/for-organisations/guide-to-freedom-of-information/publication-scheme/

Accessing your information held by NHS Liverpool CCG

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to NHS Liverpool CCG.

We may charge a reasonable fee for the administration of the request, set down in law as follows:

  • Your personal details including your full name, address, date of birth, and NHS number so that your identity can be verified and your records located.
  • If the information is only held electronically we may charge up to £10 for complying.
  • If the information is only held wholly or partly in paper format we may charge up to £50 for complying.

If you wish to make a Subject Access Request please contact the Corporate Services Team:

NHS Liverpool CCG
2 Renshaw Street
The Department
Liverpool L1 2SA

Email: SARS@liverpoolccg.nhs.uk

Note: In order to deal with a Subject Access Request, Liverpool CCG will need to share information with the Midlands and Lancashire Commissioning Support Unit (MLCSU).

Freedom of Information Requests (FOI)

The Freedom of Information Act (2000) gives every individual the right to request information held by Government Agencies. Private Companies are not subject to this act. Please note that a Freedom of Information Request is not the same as a Subject Access Request.

For postal requests, please send to the Freedom of Information Team at:

Corporate Services
NHS Liverpool Clinical Commissioning Group
3rd Floor, The Department
Lewis’s Building
2 Renshaw Street
Liverpool L1 2SA 

You can also email your request to: FOI@liverpoolccg.nhs.uk

Your request for information must be made in writing and you are entitled to a response within 20 working days.

Decommissioning of services

The CCG will retain legal responsibility for the information held about you until it is formally dissolved or until agreements are put in place to transfer responsibility.

Complaints

If you have a comment, compliment or complaint about how your information has been used in Liverpool then please contact the complaints team:

Email: complaints@liverpoolccg.nhs.uk

Letter:

Corporate Services
NHS Liverpool Clinical Commissioning Group
3rd Floor, The Department
Lewis’s Building
2 Renshaw Street
Liverpool L1 2SA 

Records of complaints will not be kept within your clinical file and will be handled in line with the NHS Records Management Code of Practice.

If you are not happy with our responses about your use of information and data and have exhausted all the avenues in the CCG Complaints Process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner’s Office in writing to the following address:

Wycliffe House
Water Lane
WILMSLOW
Cheshire SK9 5AF

You can also telephone their helpline on 0303 123 1113 9 (local rate) or 01625 545 745 if you prefer to use a national rate number. Or email: casework@ico.org.uk

 
