Keeping your information safe
We work hard to keep any information and data we hold about you safe and secure.
We have a privacy notice that explains how we use and manage the information we hold about you, and how we make sure it is kept safe. Read the privacy notice below to find out more.
This privacy notice is different from the website privacy policy which explains how this website uses cookies on your device (phone, laptop, computer, tablet, etc).
If you have any questions about the Privacy Notice, please contact us.
NHS GM Privacy Notice
This privacy notice details how and why your personal data is processed by us, NHS GM.
Privacy notices are a requirement under current UK Data Protection legislation and are an important element of evidencing transparency.
For the purposes of the data categorised by this privacy notice NHS GM is a Data Controller; as a Data Controller we make decisions regarding the processing of information and who it is shared with.
We are legally responsible for ensuring that all personal data we process is handled in a way that is compliant with current UK Data Protection legislation, in particular the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR).
This notice will explain our legal basis for handling your data in a safe, secure and appropriate manner.
The following is a list of commonly used terms in relation to this Privacy Notice.
UK GDPR Defined Terms:
Processing
The UK GDPR defines the following as “Processing”:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
Legal Basis for Processing
When an organisation processes Personal Data it must have a legally approved reason for doing so, such as consent. This is known as a legal basis for processing. The legislation lays out specific terms for each legal basis.
Personal Data
Personal Data is defined as any information relating to an identified or identifiable natural person. Specifically, any information that can be used to identify an individual either directly or indirectly. A legal basis is required to process any Personal Data.
Special Categories of Personal Data
Special Categories of Personal Data relates to Personal Data that is particularly sensitive and should be afforded extra protection by organisations that handle it. The UK GDPR requires organisations to have an additional legal basis for handling this data.
The legislation defines the following data as being Special Categories of Personal Data:
“Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Pseudonymised Data
Pseudonymised Data is Personal Data that can no longer be traced to a specific individual. Typically, this is achieved by replacing key information with a new value. The Personal Data cannot then be attributed to an individual without further information which is kept separately and securely.
Pseudonymised Data is still subject to the UK GDPR as the information is re-identifiable.
Anonymised Data
This is data which does not relate to individuals or which no longer contains identifiable information. Data can be considered anonymised when it does not allow for the identification or re-identification of the individuals to whom it relates. The information should not be re-identifiable through any further processing or cross-referencing with other information that is likely to be available.
Anonymous Data does not fall within the scope of UK GDPR as it is no longer considered Personal Data.
NHS Specific & Common Use Terms:
Personal Confidential Data
This term came from the Caldicott review undertaken in 2013 specifically related to the NHS and describes Personal Confidential Data as:
“This is identifiable information about an individual that they would reasonably expect to be held confidential”
It may include personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Primary Care Data
Primary care is many people’s first point of contact with the NHS; around 90 per cent of patient interaction is with primary care services. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary Care Data relates to information which has been sourced from these types of services.
Secondary Care Data
Secondary Care means treatment and care of a specialised medical service by clinicians, for example, specialist doctors and nurses, within a health facility or hospital on referral by a primary care clinician such as your GP. Secondary Care data relates to information which has been sourced from these types of services.
Secondary Uses Service (SUS) Data
The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. SUS data is useful to commissioners and providers of NHS-funded care for ‘secondary’ purposes – this is use of data other than for direct or ‘primary’ clinical care.
For further information about SUS, please visit:
https://digital.nhs.uk/services/secondary-uses-service-sus
Community Care/Social Care Data
Community care data includes data from social care services covering both adults and children.
We are NHS Greater Manchester Integrated Care, hereafter referred to as NHS GM throughout this document.
As of 01/07/2022, Integrated Care Boards (ICBs) replaced local Clinical Commissioning Groups (CCGs) in order to implement and monitor an Integrated Care System (ICS) within Greater Manchester.
An ICB is a statutory NHS organisation that manages the NHS budget for its ICS area. The ICB will provision health services within that area to extend and manage the services provided and commissioned by NHS GM.
The purpose of NHS GM is to bring partner organisations together to:
- Improve outcomes in population health and healthcare.
- Tackle inequalities in outcomes, experience and access.
- Enhance productivity and value for money.
- Help the NHS support broader social and economic development.
NHS GM is also required to monitor implemented and potential services that it provides to accurately report their effectiveness. In some cases, this will require staff employed by NHS GM to have direct access to patient data.
The following are representatives in relation to Data Protection for NHS GM:
Data Protection Officer (DPO) – As a Data Controller NHS GM is required to appoint a DPO. A DPO is typically a senior subject matter expert in Data Protection who can advise the organisation on best practice and standard legal obligations. NHS GM has a joint DPO consisting of two people: one from the Corporate Information Governance Team and one Information Governance Lead from one of the Greater Manchester localities.
You can contact a DPO by email: gmhscp.icpdpo@nhs.net
Caldicott Guardian – NHS GM is also required to have a Caldicott Guardian. A Caldicott Guardian is a senior person within a health and social care organisation, preferably a health professional. Their role is to monitor adherence to the Caldicott Guidelines, which ensure that health information is used appropriately, ethically and treated confidentially.
You can contact the Caldicott Guardian by:
Position: the Chief Medical Director.
E-mail: gmhscp.icpdpo@nhs.net
Primary Use of Data
NHS GM doesn’t typically supply direct care services; however, information may be collected and processed to commission and support the services within our area.
Secondary Use of Data
Secondary use of data in the NHS is when patient data is not used for direct care but for other secondary purposes such as commissioning, risk stratification, financial and clinical audit, healthcare management and planning, research and public health surveillance.
Disclosure of anonymised, pseudonymised or aggregated data will often satisfy a number of secondary uses and must be used in preference to patient/personal data. Consent for disclosure of effectively de-identified data is not required, as it is not personal data. De-identification processes must occur before data leaves the source organisation. If a request is for identifiable data and the source organisation feels that de-identified data would suffice, clarification should be obtained as to why identifiable data is required, other than, exceptionally, where mandated by law such as under a Section 251 approval as per the NHS Act 2006 (see section below) or where patient consent is obtained. Where consent is being relied upon, you have the right to dissent from the disclosure of personal data for secondary purposes unless an act of law compels disclosure.
Section 251 of the NHS Act 2006
Section 251 of the NHS Act 2006 provides a mechanism which can enable the use of confidential information for certain purposes where it is unreasonable for consent to be obtained or that would otherwise be unlawful (e.g. information from NHS Digital on commissioning, Risk Stratification and Invoice Validation) through an application made to the Confidentiality Advisory Group (CAG).
The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority (HRA) and the Secretary of State for Health on whether an application to process patient information without consent should be approved.
The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006. This includes medical research and management of health and social care services.
Section 251 may also be utilised by the Secretary of State for Health to allow for information sharing in relation to specific circumstances (such as a pandemic) either over a specific period or for the foreseeable future.
NHS Digital/Data Services for Commissioners Regional Office (DSCRO)
Legislation provides some NHS bodies, particularly NHS Digital, ways of collecting personal data directly from care providers for secondary purposes, such as evaluating care provided at population level.
NHS Digital is the national information and technology partner for the health and care system. The NHS Digital systems and information help doctors, nurses and other health care professionals improve efficiency and make care safer.
NHS Digital disseminate data to commissioners under the Health and Social Care Act (2012). The act provides the powers for NHS Digital to collect, analyse and disseminate national data and statistical information. To access this data, organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements.
NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process personal data. This is for purposes beyond direct patient care (secondary use) to support NHS commissioning organisations and the commissioning functions within local authorities.
DSCROs have the ability to pseudonymise personal data before they disseminate it. This means that any data received by NHS GM from NHS Digital would not be identifiable, and NHS GM does not have the means to re-identify the data.
Data regarding health care treatment can only be shared with commissioning organisations where a formal Data Sharing Framework Contract (DSFC) is in place alongside a Data Sharing Agreement (DSA). These place a clear obligation on the receiving organisation to only use the supplied information for the agreed purposes. This data cannot be shared with others unless specified within the DSA.
The dataset collected from secondary care providers, for example hospitals, by NHS Digital is referred to as the Secondary Uses Service (SUS). SUS is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital’s website: https://digital.nhs.uk/services/secondary-uses-service-sus
The following are the types of organisations NHS Digital receives data from, and then forwards on in an anonymised format or a de-identified format with NHS Number in order to link and analyse the data.
Where data is used for these statistical purposes, stringent measures are taken to ensure individuals cannot be identified.
Types of organisations and types of information we receive:
- Acute Trusts – Hospitals – we receive pseudonymised acute data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.
- Community trusts or community organisations – we receive pseudonymised community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units.
- Mental Health Trusts or Mental Health organisations – we receive pseudonymised mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge, referrals and next steps.
- Primary Care organisations, for example your local GP practice. We receive anonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information and follow-ups.
We contract with other organisations who provide us with additional expertise to support the work of NHS GM. On some occasions, they may access personal data, for example, IT Services may have to access computer systems to fix a fault. We ensure the external data processors that support us are legally and contractually bound to operate this process via contracts/Information Sharing Agreements. These reinforce their responsibilities as data processor to ensure your data is securely protected.
Categories of Processors:
IT Services
Printing Services
Waste Destruction Services
Facility Services
Other NHS Organisations
Local Authorities
Offsite Storage Providers
Processing outside of the UK
As detailed under invoice validation within the “Data Processing Activities” section, NHS Shared Business Services use an offshore service provider called Sopra Steria, who is based in India. NHS SBS have confirmed that Sopra Steria have implemented the necessary standard contractual clauses (SCC) to process data overseas.
We are committed to protecting your privacy and will only process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
All information is subject to security measures and procedures to make sure it cannot be seen, accessed or disclosed to or by any inappropriate persons. We have an Information Governance Framework that explains the data security governance within NHS GM.
Access to electronic data is secured via account access, password protection and multi-factor authentication. Data is stored on secure networks and/or online systems and paper documentation is filed securely in lockable storage cabinets.
Our IT providers (internal and external) regularly monitor our systems for potential vulnerabilities and attacks, and work to ensure security is continually strengthened.
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the common law duty of confidentiality and other NHS guidance.
All of our staff including contractors and committee members receive appropriate and on-going data security training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
Retention
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was originally collected. NHS organisations apply retention schedules in accordance with the Records Management Code of Practice for Health and Social Care 2021.
This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
Some of the information we collect may not be referenced by the Records Management Code of Practice for Health and Social Care 2021 but we will only keep this information for as long as required.
In certain circumstances we may be required to retain information beyond the standard retention period, for example, in cases where an investigation may take place or legal proceedings may require it.
Destruction
Destruction or disposal of data will only happen following a “review” of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:
- To ensure that information held in manual form (regardless of whether original or printed from the IT systems) is destroyed using a crosscut shredder or subcontracted to a reputable confidential waste company.
- To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current national cyber security standards.
- To ensure that any arrangement made to sub-contract secure disposal services from another provider complies with the NHS Standard Contract, with assurance that the sub-contractor’s organisational and technical security measures comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
National Data Opt-Out
The National Data Opt-Out Policy is a service that allows individuals to opt out of their confidential patient information being used for research and planning purposes.
In line with this there are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care.
NHS GM predominantly processes non-identifiable data. Therefore, the National Data Opt-Out Policy does not apply in many of the circumstances in which we process data. As an organisation we do not have the facility or access to take any action regarding applying a National Data Opt-Out.
For further information on the National Data Opt-Out Policy please contact your GP or visit the site below:
https://digital.nhs.uk/services/national-data-opt-out
An Opt-Out can also be applied by using the NHS App.
Shared Care Record – The Greater Manchester Care Record (GMCR)
Your health or social care provider can advise you on how you can opt out of having a GM Care Record. Please note this is separate from your Summary Care Record, which you will need to opt out of separately if required. More information regarding the GMCR is in the section headed “Greater Manchester Care Record”.
https://gmwearebettertogether.com/your-privacy/
Summary Care Record (SCR)
Your Summary Care Record is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.
NHS GM is unlikely to have any interaction with your SCR; please see the information below or visit the website below to learn more about the SCR Opt-Out.
The purpose of SCR is to improve the care that you receive, however, if you don’t want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR opt-out form and return it to your GP practice.
The Greater Manchester Care Record (GMCR) pulls together information from assorted health and social care records across the Greater Manchester region into one combined record. The GMCR is a joined up record that has been implemented to encourage better care as you move between different parts of the health and social care system.
For further information about how your information is used and shared in regard to the GMCR, please see the link below:
https://gmwearebettertogether.com/your-privacy/
For further information regarding Shared Care Records being implemented across the NHS please see link below:
https://www.nhsx.nhs.uk/information-governance/guidance/summary-of-information-governance-framework-shared-care-records/
Please see the Opt-Out section for information on how to Opt-Out of the Greater Manchester Care Record.
What are your rights over your personal data?
You have a number of rights over your data under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR):
- Right to be Informed
- Right of Access
- Right to Rectification
- Right to Erasure
- Right to Data Portability
- Right not to be subject to a decision based solely on automated processing
- Right to withdraw consent
- Right to Object
- Right to Restrict Processing
Right to be Informed
You have a right to be informed about how your information is used and shared with an emphasis on transparency. This notice is part of the fulfilment of this right.
Right of Access
You are entitled to request to view, or ask for a copy of, the information NHS GM holds about you. This is known as a Right of Access request but can also be referred to as a Data Subject Access Request (DSAR or SAR). You can make this request to anyone in the organisation via any medium; however, in order to process your request we are required to verify your identity.
As such the best way to make such a request is to provide it in writing/email and with identification and to provide adequate information to help us process your request. If we need further information, we will ask you to provide this.
There is no charge (subject to exemptions) to have a copy of the information held about you and we must respond to you within one month (subject to exemptions).
To request a copy of or request access to information we hold about you and/or to request information to be corrected if it is inaccurate, please contact:
E-mail: gmhscp.icpsar@nhs.net
For any postal requests please ensure it is marked private and confidential and addressed to the DPO for the organisation.
The NHS GM holds a limited amount of healthcare data as detailed above. To request access to GP records, please contact your GP practice and to request access to hospital records, please contact the hospital you attended for treatment/care.
You should also be aware that in certain circumstances, your right to see some details in your records held by NHS GM may be withheld. This may be because releasing the information could cause serious harm to your physical or mental health or if there is 3rd party information that cannot be released.
Right to Rectification
Rectification refers to correcting inaccuracies or incomplete data which is held by us. This applies to factual inaccuracies only – such as identifiers, next of kin, spelling errors and mixed records. We are legally unable to remove or alter professional opinions which you may disagree with as these, even if disputed, must remain as an accurate reflection of events. You do, however, have the right to include your own statements alongside professional opinions.
Right to Erasure (‘forgotten’)
In some circumstances you can request that your information is deleted.
This right will apply if the processing has been undertaken on the basis of consent which is withdrawn, the processing of data is determined not to be lawful or if the information is no longer required.
Please note that information processed for healthcare purposes is exempt from this right.
Right to Data Portability
This right allows you to request that data which you have supplied to an organisation is moved, transferred or copied to another organisation or system where possible.
It also ensures that you may receive a copy of the information in a machine readable format.
Right not to be subject to a decision based solely on automated processing
Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making.
This right can be applied to request human involvement in decisions that are subject to automated processing.
Right to withdraw consent
The legal basis on which we process your personal data and special category data generally falls within Articles 6(1)(e) and 9(2)(b) and (h) of the UK GDPR.
Other processing may be appropriate under Articles 6(1)(b), 6(1)(c), 6(1)(d) and 6(1)(f).
Where these do not apply, any other processing will likely be reliant on your consent under Article 6(1)(a) and possibly Article 9(2)(a); this will be based on consent under UK GDPR and as a result, you will be asked to make a definitive decision; there will be no presumption of consent from silence, inaction or pre-selected choices.
You have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on NHS GM. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.
Right to Object
You have the right to object if there are grounds related to your own particular situation, or if information is likely to be used for:
- Marketing
- Scientific or Historical Research
- Statistical Purposes
- Purposes in the public interest or under an official authority (e.g. NHS Act 2006)
You have the right to object, however please note that if an organisation can demonstrate compelling reasons why this information is required for the public good or on legitimate grounds then your objection may be overruled.
Being unable to process data would cause a decline in the consistency of health care that can be provided; this could lead to injury or death, for example where allergy information is unavailable.
Right to restriction of processing
This right enables individuals to suspend the processing of personal information, for example, you have disputed the accuracy of information, objected to its use, or require data due for destruction to be maintained for a legal claim.
This right may be overruled for the reasons of important public interest.
The Data Protection Act 2018 and UK GDPR set out a number of different reasons for which personal data can be processed. Relevant legislation states that we are required to inform you of the legal basis for processing personal data and any special category data.
The typical categories of processing we carry out within NHS GM, their legal basis and conditions we use to do this are outlined below:
NHS Continuing Healthcare (CHC)
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Primary Care and Secondary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Implied Consent
If you make an application for NHS Continuing Healthcare (CHC) funding we will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to provide and pay for the agreed funding packages with appointed care providers.
This process is nationally defined; we follow a standard process and use standard information collection tools when assessing eligibility for CHC applications.
If you require services from the Continuing Healthcare team, NHS GM need to ensure that you are registered at one of our GP Practices. We need to establish whether we are the responsible commissioner. Any delay in establishing who is responsible could lead to a delay in commissioning a care package or a placement in nursing care. This is particularly relevant in patients that have been referred to CHC under the fast-track criteria on the basis that they require immediate access to a package of care as they are nearing end of life.
In addition, when one of our patients has passed away the Continuing Healthcare team need to verify the date of death. This ensures that the team do not send letters or information to any patient (or next of kin) who has passed away, which we understand may cause upset and distress for families. As this information relates to people who have passed away, it is not covered by the Data Protection Act 2018 or UK GDPR (these only relate to living individuals).
Individual Funding Requests
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Primary Care and Secondary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Implied Consent
You or your doctor on your behalf can make an Individual Funding Request (IFR) for a treatment not routinely commissioned. We use the information you provide and, if necessary, request further information from primary care and secondary care providers to identify eligibility for funding.
Safeguarding
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Primary Care and Secondary Care and Community Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of …social protection law.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Overriding Public Interest/Statutory legislation for adult and children's safeguarding
Information is provided to care providers to ensure that adult and children's safeguarding matters are managed appropriately. Personal data will be shared in some limited circumstances where this is legally required for the safety of the individuals concerned.
For the purposes of safeguarding children and vulnerable adults, personal and healthcare data is disclosed under the provisions of the Children Acts 1989 and 2004 and the Care Act 2014.
Incident Management – Serious Incidents
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Primary Care and Secondary Care and Community Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Serious Incident Framework 2015
NHS GM is accountable for effective governance and learning following all Serious Incidents (SIs). We work closely with all provider organisations, as well as commissioning staff, to ensure all SIs are reported and managed appropriately.
The Francis Report (February 2013) emphasised that commissioners, as well as providers, should have a primary responsibility for ensuring quality.
Supporting Medicines Optimisation
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Primary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Implied Consent
The Medicines Optimisation Team works with GP practices to provide advice on medicines and prescribing queries, and reviews the prescribing of medicines to ensure that it is safe. In some cases, to ensure clinical safety, this may require the use of personal data.
Where personal data needs to be processed, this is done with the GP practice's agreement. No data is processed from GP practice clinical systems, and no changes are made to patients' records, without permission from the GP.
Where specialist support is required, for example to advise community pharmacists on ordering a drug that comes in solid, gas or liquid form, NHS GM medicines optimisation pharmacists will provide advice on behalf of a GP to support your care. Personal data is used for this purpose.
Personal data is also used by our medicines optimisation team to review and, where appropriate, authorise requests for high-cost drugs which are not routinely funded.
Business Intelligence
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Primary Care and Secondary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Implied Consent
NHS GM undertakes a number of different business intelligence (BI) functions to support the services within the Greater Manchester area and to report on those services as required.
This type of data is used to help assess the needs of the general population in the Greater Manchester area. This helps us make informed decisions and prepare reports on the services we commission, in order to:
- Assess the quality and efficiency of the health services we commission.
- Work out what illnesses people may have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future.
- Review the care being provided to make sure it is of the highest standard.
Where information is used for statistical purposes, secure measures are taken, wherever possible, to ensure individuals cannot be identified. Anonymised or pseudonymised information may also be used for secondary use purposes.
Risk Stratification
Type of data
Pseudonymised / Anonymised / Aggregate Data
Source of Data
Primary Care, Secondary Care and Community Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(c) – Processing is necessary for compliance with a legal obligation.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
- Section 251 NHS Act 2006.
NHS England encourages care systems and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and managing avoidable admissions. Knowledge of the risk profile of our population will help NHS GM to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
Risk stratification tools use various combinations of historic information about patients, for example: age, gender, diagnoses, patterns of hospital attendance and admission, and primary care data collected in GP practice systems.
Risk stratification is a process which applies algorithms, or calculations, to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. Identifying those patients individually from the wider patient population would be a lengthy and time-consuming process, and would risk increasing the time it takes to improve and deliver care. A GP or health professional at your GP practice will need to review this information before any decision is made.
There are two types of risk stratification:
- Risk Stratification for case-finding: identifies and manages patients who are at high risk of emergency hospital admission, or aims to reduce the risk of certain diseases developing.
- Risk Stratification for Commissioning: allows NHS GM to understand the health needs of the local population in order to plan and commission the right services.
For risk stratification, there is a Section 251 approval in place which allows NHS Digital to receive personal data. NHS Digital processes this via its Data Services for Commissioners Regional Office (DSCRO), which then sends pseudonymised data to the care system.
NHS GM also uses a tool called Tableau to undertake analysis of anonymised/pseudonymised data.
If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Invoice Validation
Type of data
Personal Data – demographics
Pseudonymised – coded health care data
Source of Data
GP Practice and other care providers
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6(1)(c) – Processing is necessary for compliance with a legal obligation.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
- Section 251 NHS Act 2006, NHS Constitution (Health and Social Care Act 2012).
There may be times where one healthcare organisation will need to invoice another for treatment given to a patient. This can occur, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received.
Before paying the invoice, we will need to be sure that we, and not another care system, are responsible for your treatment costs as well as checking to ensure that the amount the care system is being billed for is correct. A limited amount of information about you needs to be processed such as your NHS Number and details of treatment. This information may be passed on to enable the billing process to proceed. This process is known as invoice validation.
These details are held in a secure environment and kept confidential. This information will only be used to validate invoices and will not be shared for any further commissioning purposes.
Some NHS GM localities operate Controlled Environments for Finance (CEfF) under a Section 251 exemption. This enables us to process patient identifiable information without consent for the purposes of invoice validation (CAG reference 7-07(a)(b)(c)/2013). In these cases we only use your NHS Number and no other identifiable information.
NHS Shared Business Services – Finance and Accounting Services
Some provider invoices for patient care submitted to NHS GM for payment are processed via NHS Shared Business Services (NHS SBS), which provides finance and accounting support services for the NHS. NHS SBS also uses an offshore service provider, Sopra Steria, based in India. Both NHS SBS and Sopra Steria have met the necessary information governance standards to process data overseas.
Purposes where consent is our Legal Basis for Processing:
There are also other areas of processing where consent is required from you. Under UK GDPR, consent must be freely given, specific and informed, and we must keep a record that you have given your consent so that we can confirm you have understood.
Patient and public involvement
Type of data
Personal Data – demographics
Source of Data
Data subject
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(a) – Consent
- Article 9(2)(a) – Explicit consent
Common Law Duty of Confidentiality basis
Explicit Consent
If you have asked us to keep you regularly informed and up to date about the work of NHS GM, or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process the personal data which you consent to share with us.
Where you submit your details to us for involvement purposes, we will only use your information for this purpose and only with your written consent. You can contact us at any point to withdraw your consent for us to use your photograph, film or words for any new purposes.
Please remember that once an article is published and in circulation it may be copied and used by others, especially online. If you ask us to stop using your photo, film or words in the future we will comply with your request, but we cannot guarantee that other parties will do so.
Right of Access Requests (also known as Subject Access Requests)
Type of data
Personal Data – demographics
Source of Data
Data subject
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(c) – Processing is necessary for compliance with a legal obligation to which the controller is subject
Common Law Duty of Confidentiality basis
Explicit Consent
If you ask us for a copy of your data, we will need your written consent (or that of your legal representative) before we proceed, so that we can verify your identity and establish whether we hold any further information about you.
Incidents (non-serious) relating to NHS GM commissioned services
Type of data
Personal Data – Demographics
Special Category of Personal Data – Health data
Source of Data
Primary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(a) – Consent
- Article 9(2)(a) – Explicit consent
Common Law Duty of Confidentiality basis
Explicit Consent
The Governance and Risk Team works with providers such as GP practices, Trusts and care homes to investigate non-serious incidents. In the majority of cases personal data is not required; however, in some cases, to ensure the incident is investigated thoroughly, personal data, which may include health data, may need to be used.
Complaints
Type of data
Personal Data – Demographics
Special Category of Personal Data – Health data
Source of Data
Data Subject
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Explicit Consent
In the first instance of a complaint we require information to verify your identity and begin the complaints process. For this we rely upon consent as the legal basis.
If the complaint is verified and relates to care services provided by NHS GM, we are required to investigate and may take further measures to handle the complaint. In these instances, we rely on a different legal basis to carry out an investigation and satisfy regulatory requirements.
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Following upheld complaints, we will publish anonymised service user stories via our governing body. These stories provide a summary of the concern, the service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user, their carer, or both before we publish a service user story.
Care Gateway
Type of data
Personal Data – Demographics
Special Category of Personal Data – Health data
Source of Data
Primary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Implied Consent
The Care Gateway team manage GP referrals for patients registered with a GP Practice in the Greater Manchester area.
They also:
- Organise non-emergency patient transport for eligible patients.
- Book community phlebotomy appointments (where the patient's GP practice does not have the capacity to do so).
Urgent & Emergency Care
Type of data
Personal Data – Demographics
Special Category of Personal Data – Health data
Source of Data
Primary Care, Providers, North West Ambulance Service, Secondary Care
Legal basis for processing Personal Data and Special Category of data under GDPR
- Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Common Law Duty of Confidentiality basis
Implied Consent
The team supports Clinical Leads with the monitoring of all incidents across Greater Manchester, supports the management of end-to-end reviews arising from high-level incidents, and provides other governance and resilience support. The team also provides administrative support to several Greater Manchester NHS 111 and other urgent and emergency care (UEC) system meetings, including the Clinical Quality Assurance Committee.
Integral to the team are dedicated Directory of Services (DoS) project leads who work with the GM CCGs to ensure the services they have commissioned are appropriately profiled in the DoS, enhancing the effectiveness of NHS 111 service delivery.
As part of the clinical governance and quality monitoring of incidents, there may be occasions where a patient's identifiable data needs to be shared on a need-to-know basis in order to seek additional assurance.
Other Circumstances
There are certain circumstances in which we will process or share personal information without your consent, where another statute or rule of law allows us to do so. These are:
- To protect children and vulnerable adults;
- When a formal court order has been served upon us;
- When we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime; and/or
- For emergency planning reasons, such as protecting the health and safety of others.
We will not disclose any health information without an appropriate lawful basis, other than in exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out a statutory function (for example, reporting to external bodies to meet legal obligations).
Information Commissioner’s Office (ICO) – NHS GM is registered as a Data Controller with the ICO. The ICO is the statutory authority for data protection and is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
ICO Registration Number: ZB343633
You have the right to lodge a complaint with the Information Commissioner’s Office with respect to the management of your personal data.
You can contact the ICO for further information via:
Website: https://ico.org.uk
Phone: 0303 123 1113
Address:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Links
If you would like to find out more about the wider health and social care system’s approach to using personal information, please see the links below:
- Information Commissioner’s Office (ICO)
- Information Governance Alliance
- NHS Constitution
- NHS Care Record Guarantee
- NHS Digital Guide to Confidentiality in Health and Social Care
- Health Research Authority
- Health Research Authority Confidentiality Advisory Group (CAG)
- NHS Digital
- Records Management Code of Practice for Health & Social Care
- Secondary Uses Service (SUS)