Fair Processing Notice – your information and how we use it

Who we are

Wolverhampton Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. This is known as commissioning. The CCG also have delegated commissioning responsibility for primary medical services (GP services) on behalf of NHS England.  We need to use information about you to enable us to do this effectively, efficiently and safely. 

For further information please refer to the 'about us' page.

 

How we use your information

This Fair Processing/Privacy Notice (FPN) reminds you of your rights under Data Protection Legislation (this includes the European General Data Protection Legislation 2016 and the UK Data Protection Act 2018) and demonstrates that the CCG are committed to protecting your privacy when you use out services in order to meet our obligations as a Clinical Commissioning Group. It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing arrangements that may be in place. It covers information we collect directly from you or collect indirectly from other individuals or organisations for the CCG’s registered population. 

This FPN is part of our programme to make transparent the data processing activities we are carrying out in order to deliver on our commissioning activities.

This Fair Processing/Privacy Notice will tell you

  • Why we collect information about you
  • What types of information we collect, use, hold and process about you, including information we obtain directly from you and information we use from other sources.
  • Who we share information with
  • Your rights
  • How we keep your information secure
  • Who you can contract for more information

We are happy to provide any additional information or explanation needed. Any request should be sent to wolccg.wccg@nhs.netor by post to: Data Protection Officer, NHS Wolverhampton Clinical Commissioning Group, Technology Centre, Glaisher Drive, Wolverhampton WV10 9RU.

 

Your Rights 

Data Protection Legislation, in particular EU General Data Protection Regulations 2016 provides you with a number of rights in Articles 13-22 relating to the data the CCG holds about you, these are detailed below. You have the right;

To be informed (GDPR: Article 13&14)– You have the right to be informed of any processing of your data by the CCG, this notice provides you with a summary of the information that the CCG holds and hopes that this will provide you with enough information that you are fully informed. If you wish to know more detail about any aspect of the processing, please contact wolccg.wccg@nhs.net.

To access (GDPR: Article 15) – Under Data Protection Act Legislation you have the general right request to see or be provided copes of personal data held about you. You do not need to give a reason. This right can be exercised in writing or verbally. To submit a Subject Access Request (SAR) to Wolverhampton CCG, please email wolccg.wccg@nhs.net or telephone 01902 444878. Further details on how we manage subject access requests can be found below.

To erasure (GDPR Article 17) – You have the right to ‘be forgotten’ unless there is an overriding legal requirement to retain the information held on you. Within the NHS It is a statutory responsibility to retain a record of Health care events; i.e. a medical record. All Health related records are held in line with the NHS Records Management Code of Practice 2016 retention schedules unless otherwise stated

If you wish to discuss the content of your medical record then please contact the GP Practice, the hospital or the NHS organisation which provided your healthcare to address your concerns.

To rectification (GDPR Article 16)– You have the right to have accurate and up to date records held on you by an organisation. If you are aware of a mistake in the information held on you, contact the service you supplied your information to for rectification of your record. If the information is not part of your health record (these will follow specific DOH Records Management Code of Practice 2016 guidance) the CCG will work with you to rectify the inaccurate information.

To restrict processing (GDPR Article 18)– or suppress the use of your personal data. It is a statutory responsibility for the NHS to retain a record of Health care events; i.e. a medical record. If you wish to discuss the content of your medical record then please contact the contact the GP Practice, the hospital or the NHS organisation which provided your healthcare to address your concerns. If you wish to discuss this right in relation to the data the CCG holds please contact the CCG.

To object (GDPR Article 21) – You have the right to refuse and withdraw consent to information sharing at any moment in time. If you wish to withhold consent, it may have an impact on the services and responses we can offer you. If you do not wish to consent to your personal information being shared with us, or have any concerns or questions about the use of your personal information, please contact the CCGs Data Protection Officer, Peter McKenzie at wolccg.wccg@nhs.net.

The National Opt-Out Programme in 2018 provides you with information on how you can control how your information is used across the NHS.   The programme has simplified this splitting this into two, one is information being used for your individual care and the second is for information being used for research and planning. You can log on to NHS Choices website: https://www.nhs.uk/your-nhs-data-matters or the NHS App where you will see all options and allows you to manage the choices available to you.

Information from other places where you receive care, such as hospitals and community services is collected nationally by NHS Digital. There are some specific situations where your data may still be used. Data that does not identify you may still also be used and where your confidential patient information will still be used to support your individual care. Any preference you set using this service will not change this.

If the CCG holds information about you in an identifiable form on the basis of consent and you no longer wish us to hold this data please contact the CCG and stating that you wish the CCG to stop holding and processing your data. The CCG will explain if this is possible, i.e. if there is no other overriding legal or statutory reason.

To Data Portability (GDPR Article 20) – Where you have provided information directly to the CCG or the CCG has collected your information for the performance of a contract, you can exercise your right to data portability, this means that if you can use your own personal data for your own purpose. In practice this means that you could transfer your information to another source and that this is provided in format which would allow you to do this. The CCG will assist you explain where this is possible such as where it is held electronically and if it is in an easily readable format.

Rights related to automated decision making including profiling (GDPR Article 22) – An organisation would have to evidence specific conditions in order to process information that relies solely on automated and/or profiling techniques to process, An organisation can only carry out this type of decision-making where the decision is:

  • Necessary for the entry into or performance of a contract; or
  • Authorised by Union or Member state law applicable to the controller; or
  • Based on the individual’s explicit consent

To Complain – We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

To exercise any of your rights listed above, please contact:
Data Protection Officer 
Tel: 01902 444878
Email: wolccg.wccg@nhs.net

You also have the right to complain to, appeal to, or raise your concerns about the processing of your information with the Information Commissioner’s Office by writing to:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Enquiry Line: 01625 545700
www.ico.gov.uk

 

Primary and Secondary Care Data 

The NHS provides a wide range of services which involve the collection and use of information.  Different care settings are considered as either ‘primary care’ or ‘secondary care’.  Primary care settings include GP practices, pharmacists, dentists and some specialised services such as including military health services.  Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services. 

Throughout this Privacy Notice you will see reference to an organisation called NHS Digital who are the national provider of information, data and IT systems for commissioners (such as the CCG), analysts and clinicians in health and social care.  NHS Digital provide information based on identifiable information passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information.  The way in which NHS Digital collect and use your information can be found here.

For EU General Data Protection Regulations 2016 purposes Wolverhampton CCG’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’ as a commissioner. For special categories (health) data the basis is Article 9(2)(h) – ‘…health or social care…’ for the purpose of managing and planning these types of services.

 

What is the New Single National Data opt-out?

The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. If you do not wish your confidential information to be used for anything except your direct health care you are able to ‘opt-out’. As your data may be used in a variety of ways and for a variety of purposes you are able to opt-out of some of these but remain ‘in’ for others e.g. you may not wish a sub-set of your data being uploaded to the National Spine so you would opt-out of this, but may wish your anonymised data to be used for research purposes so you would not opt-out of this. You can discuss this with your GP Practice who will explain the different options you have.

There may be occasions when it is not possible to exercise your right to “opt out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children. 

You can choose whether your confidential patient information is used for research and planning. To find out more visit: nhs.uk/your-nhs-data-matters.

You do not need to do anything if you are happy about how your confidential patient information is used. You can change your choice at any time.

Type 1 and Type 2 opt-out: move to single opt-out process

Previously if you did not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care you registered a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. As previously stated this has now been changed to a single opt-out that can be applied by yourself following the instructions on the website nhs.uk/your-nhs-data-matters

You will need your NHS number to hand in order to make your opt-out choice.

Please note that any patients who registered a type 2 opt-out previously will automatically be migrated over to the new single opt-out system, there is no need for you to re-register your decision. 

Type 2 opt-out: carried over

Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information collected from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out. You can find further information here: https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information/your-information-choices/how-opt-outs-work.

From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically carried over to the new single national data opt-out process.

 

Why we collect information about you

In carrying out our role and responsibilities as a commissioner of services for people working and living within the footprint of the CCG, it is essential that the CCG have an understanding of the health and social care needs of our community so as to ensure that these are correctly identified and made available and effective.

The information is kept in written or digital form. The records where necessary will include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments, where this is necessary to deliver a service directly to you. The key reasons the CCG holds data is to:

  • Check the quality of care we provide to everyone (a clinical audit)
  • Protect the health of the general public
  • Monitor how we spend public money
  • Train healthcare workers
  • Carry out research
  • Help the NHS plan for the future
  • Pay for the services we commission

From time to time the CCG uses patient data to analyse the health of a population. This is required for the commissioning of health services to our local population, or to help target preventive care to certain patients. If we use your information for these reasons, we will remove your name and other details which could identify you. If we need the information in a way that identifies you, we will ask you first.

The people caring for you use your information (paper or electronic) to provide treatment, to check the quality of your care, to help you make good decisions about your health and to investigate complaints, claims and commissioning purposes. Under EU General Data Protection Regulations 2016 purposes Wolverhampton CCG’s processing is carried out under the basis for lawful processing carried out under the conditions set out in Article 6(1)(e) – ‘…exercise of official authority…’ as a commissioner of Health Services. Conditions applied for processing of special categories (health) data the basis is Article 9(2)(h) – ‘…health or social care…’ for the purpose of managing and planning these types of services. However, further detail has been given in this notice on specific types of information we process and the Legal Basis for doing so i.e. Safeguarding, Individual Funding Requests and so on.

 

Accessing information we hold about you

As highlighted above, you have the right to request to see or be provided copes of personal data we hold about you. You do not need to give a reason. This right is known as a Subject Access Request (SAR) and can be exercised in writing or verbally. To submit a SAR to Wolverhampton CCG, please email wolccg.wccg@nhs.net or telephone 01902 444878.

We will not charge for complying with your request unless it is deemed to be “manifestly unfounded or excessive”. In these circumstances we will work with you to moderate your request to avoid a charge or give you reasonable notice of the potential cost before we proceed with your request.

If you have made your request in an electronic form (i.e. via email) and wish to receive the response in the same format, we will take all reasonable measures to comply with your request. Where we cannot provide information in the format of your choosing, we will notify you before proceeding with the request.

We will endeavour to respond to your request within one calendar month. However this may be extended to 40 calendar days if the request is particularly complex.

Under current Data Protection Legislation, we reserve the right as data controller to withhold personal data if disclosing it would “adversely affect the rights and freedoms of any third party referred to in information held about you”. We will of course advise you of our rationale for withholding any information, whilst observing the right of confidentiality of the third party.

The CCG will not publish any information that identifies you or routinely disclose any information about you without your express permission. 

The CCG does not directly provide healthcare services and as such does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal healthcare records you will need to apply to your GP Practice, the hospital or the NHS organisation which provided your healthcare.  However the CCG will hold information in relation to the provision of Continuing Healthcare, the management of a complaint and/or the outcome of an Individual Funding Request (IFR).

Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO) website: https://ico.org.uk/for-the-public/personal-information/.

 

Personal information we legally collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records.  However, there are some circumstances in which we may need to hold some personal information about you. There are a number of different categories of personal data used by the CCG which are defined below:

  • Personal Data – this is information which is sometimes called Identifiable information and is any information which may on its own or combined with others identify you such as your name and address The CCG only has access to identifiable information where a legal basis exists to hold that information.
  • Special Data / Sensitive Data – this is data that is considered as data that would not usually be disclosed and is personal to you.  The list below is the seen as an example of special category data, The CCG with a legal basis will hold personal data which can include health data this is then classed as special data.  All personal data the CCG holds is protected and requires a legal basis for it to be held. The following are examples under GDPR Article 9 are Special Categories of Personal data; race; ethnic origin; political opinion; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.
  • Anonymised information – about individuals but with identifying details removed and so cannot be tracked back to you. Where unique identifiers such as your name and full address have been removed so the information is no longer ‘person identifiable ‘. This information is used to plan health care services. Specifically, it is used to:
  • Check the quality and efficiency of the health services that the CCG commissions
  • Prepare performance reports on the services commissioned
  • Establish what illnesses people will have in the future, so the CCG can plan and prioritise services and ensure these meet the needs of patients in the future.
  • Review the care being provided to make sure it is of the highest standard
  • Pseudonymised data – where personal information about you is replaced with a code, which allows the CCG to map your treatment through the health care system but only allows the provider / organisations providing treatment to identify you. This can also be shared with third parties who without the key would not be able to identify you. This is often used for example, when information is needed for research purposes.
  • Aggregated information – anonymised information grouped together so that it cannot easily be put back together in order to identify individuals.

Where possible, we ensure your information is anonymised / aggregated or pseudonymised (especially when using information for purposes other than for direct patient care).

In the circumstances where we are required to hold or receive personal information we will only do this if:

  • The information is necessary for the direct healthcare of patients
  • We have received explicit consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation)

For example;

  • We have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care
  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to provide funding for Continuing Healthcare services
  • if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care.
  • if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved  in our engagement and consultation activities or service user participation groups  

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. 

The CCG as a commissioner has a number of functions it performs as part of its day to day activities. Some activities listed below are conducted by the CCG using a data processor (a data processor processes data on behalf of another organisation a data controller who will decide on the purpose of data and how it will be processed) on behalf of the CCG, each activity explains, what information is collected, from which sources and for what purposes.

Although this is not an exhaustive detailed listing, the following tables list key examples of the purposes and rationale for why and how your personal information is collected, held and processed by Wolverhampton CCG; 

 

Details of Information collected and used for specific purposes

Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information. For each purpose we have provided information for you on the purpose, including benefits to you as a patient; the type of information used (see ‘Definitions’); the legal basis identified for the collection and use of information; how we collect and use the information required; data processing activities – listing any third parties we may use for each purpose and information on how to opt out of your information being used for each purpose.

COMPLAINTS

PurposeA complaint may relate to a service which the CCG is directly responsible for providing or it may relate to a service which we have commissioned for the patients who we are responsible for, for example hospital services. The CCG require this information in order to manage and help to resolve complaints which is then used to prevent such complaints arising in future.
Type of Information Used - Identifiable
Legal Basis - Explicit consent
How We Collect and Use Information in relation to Complaints - When the CCG receive a complaint from a person we make up a file containing the details of the complaint which will normal contain the identity of the complainant and any other individuals involved.
The CCG will only use the identifiable information we collect to process the complaint and to check the level of service we provide.
The CCG usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute
The CCG will publish service user stories, following upheld complaints, anonymously via our governing body. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we publish the service user story.
Opt out details - If you do not want information identifying you to be disclosed we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

FUNDING TREATMENTS

PurposeTo fund specific treatment for you for a particular condition that is not covered in our contracts.  This may be called an ‘Individual Funding Request (IFR)’ which provides you with the payments required to receive specialist treatment.
Type of Information Used
Identifiable – to make payments
Anonymous – to provide reports for analysis of payments made
Legal Basis
Explicit Consent to use identifiable information to make payments
How We Collect and Use Information in relation to Funding Treatments
Information required to make payments in relation to Funding Treatments is provided by you, along with relevant information from primary and secondary care with regard to the referral for specialist treatment.
Data Processing Activities - The CCG has engaged the services of NHS Arden and Greater East Midlands Commissioning Support Unit to provide this service on our behalf. 
Opt out details - Payments will not be able to be made if you choose not to provide identifiable information. Alternative arrangements will need to be considered.

PREVENTING AND DETECTING FRAUD

Purpose - NHS Wolverhampton CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
Type of Information Used - Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
Legal BasisThe processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.
How we Collect and Use Information in Relation to Preventing and Detecting Fraud - The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Minister for the Cabinet Office takes responsibility within government for public sector efficiency and reform. The Minister for the Cabinet Office is also the Chair of the Fraud, Error and Debt Taskforce, the strategic decision-making body for all fraud and error, debt and grant efficiency initiatives across government.
All bodies participating in the Cabinet Office’s data matching exercises receive a report of matches that they should investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update their records accordingly.
Further guidance on the exercise can be found here.
Data matching by the exercise is subject to a Code of Practice.
For further information on data matching at NHS Wolverhampton CCG contact the Corporate Operations Manager.
Data Processing Activities - The CCG has engaged the services of PriceWaterhouseCoopers (PwC) to provide services as Local Counter Fraud Specialists.
Opt out detailsAs highlighted above, the provision of information for the purposes of Counter fraud data matching exercise is a legal requirement due to the public interest of preventing public funds from being used fraudulently.

CONTINUING HEALTHCARE

PurposeTo undertake assessments where you have asked us to undertake assessments for Continuing Healthcare – a package of care for those with complex medical needs.  We use your information in order to be able to make the appropriate arrangements for resulting care packages.
Type of Information Used Identifiable
Legal Basis - Explicit Consent
How We Collect and Use Information in relation to Continuing Healthcare - The assessment team will collect, use, share and securely store information from / with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.
Opt out details - A Continuing Healthcare Assessment will not be able to be carried out if you choose not to provide identifiable information. Alternative arrangements will need to be considered.

SAFEGUARDING

Purpose -To assess and evaluate any safeguarding concerns to ensure all patients / service users are effectively protected
Type of Information Used - Identifiable
Legal Basis - Legal requirement to use and share information relating to Safeguarding concerns with Safeguarding Boards and Multi-Agency Safeguarding Hubs where all members sign confidentiality agreements. 
How We Collect and Use Information in relation to SafeguardingThe CCG may receive information relating to Safeguarding concerns from yourself directly or relatives or through notification of concerns from other Health and Social Care organisations.  All Health and Social Care professionals have a legal requirement to share information with appropriate agencies where Safeguarding concerns about children or adults have been received.  Where it is appropriate to do so the sharing organisations will keep you informed of when information is required to be shared to provide with assurance regarding the security of that sharing and the benefit to you or the person you are raising Safeguarding concerns about. Access to this information is strictly controlled and where there is a requirement to share information e.g with police or social services, all information will be transferred safely and securely ensuring that only those with a requirement to know of any concerns are appropriately informed.
Opt out details We have a legal requirement to provide information where there are Safeguarding concerns due to public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults.

RISK STRATIFICATION

PurposeRisk stratification is a process for identifying and caring for patients with long term health conditions and patients who are at high risk of emergency hospital admission.  NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions, such as chronic obstructive pulmonary disease (COPD) and diabetes, to help prevent hospital admissions that could have been avoided. As well as helping GP Practices to provide Direct Care support, risk stratification is used by the CCG to support planning and commissioning, for example, understanding the numbers of patients in the region who require services to support COPD will enable us to commission the right services to better manage periods of ill health and to improve the quality of the services we are able to offer you. 
Type of Information Used - Different types of data are legally allowed to be used by different organisations within, or contracted to, the NHS.
Identifiable – when disclosed from GP Practices and NHS Digital to a Risk Stratification supplier (see below, Data Processing Activities)
Aggregated – the CCG can only receive this information in format which cannot identify you.
Pseudonymised – GP’s are provided with pseudonymised data for risk stratification planning purposes, however, where a direct care impact is identified on a patient through the process the GP will be able to re-identify the patient concerned.
Legal Basis - The use of identifiable data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval). Further information on Section 251 can be obtained by clicking here. The reference number for the risk stratification approval is CAG7-04(a)/2013. This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but the CCG staff will only be able to see information in a format that does not reveal your identity.
How We Collect and Use Information in relation to Risk Stratification -Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission as well as data collected in GP practices.
NHS Digital provides information, identifiable by your NHS Number only, about hospital attendances. GP Practices provide information from GP records also identifiable by your NHS Number only.  Both sets of information are sent via secure transfer to the risk stratification system where they are immediately pseudonymised and linked to each other.  The risk stratification system uses a formula to analyse the pseudonyonmised data to produce a risk score. These risk scores are available to the GP practice you are registered with where authorised staff who are responsible for providing direct care for you are able to see these scores in a format that identifies you. This will help the clinical team make better decisions about your future care, for example you may be invited in for a review or if they think you may benefit from a referral to a new service they will discuss this with you. The CCG is provided with reports containing aggregate information, which do not identify you, to ensure we are commissioning and planning for these services as required by the population we serve. 
Data Processing Activities - On behalf of its GP Practices, the CCG has entered into a contract with NHS Midlands and Lancashire Commissioning Support Unit as their Risk Stratification Supplier to produce the analysis as above.
Opt out details - National data opt-out applies
Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.
Additional information is also available from the NHS England website: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

INVOICE VALIDATION

Purpose Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may commission a service where the payment is all or partly based on the providers ensuring the service user has a healthy outcome. We need to ensure that we are paying the right amount of money for the right services to the right people.
These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) to ensure that the right amount of money is paid, by the right organisation, for the treatment provided. 
A small amount of information that could identify an individual is used within this secure area (such as NHS number or date of birth and postcode).  The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people.  The process is designed to protect confidentiality.  
Type of Information UsedIdentifiable - within the Controlled Environment for Finance, for invoice validation.
Pseudonymised, anonymised or aggregated - within the CCG, for commissioning purposes such as financial planning, management and contract monitoring.
Legal Basis - A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables the Arden and GEM CSU CEfF (see below) to process identifiable information without consent for the purposes of invoice validation within a Controlled Environment for Finance – CAG 7-07(a)(b)(c)/2013.  
How We Collect and Use Information in relation to Invoice Validation Organisations that provide treatment submit their invoices to the CCG for payment. The secure area (Controlled Environment for Finance, provided by AGEM CSU) receives additional information, including the NHS Number, or occasionally the date of birth and postcode, from the organisation that provided treatment.
NHS Digital sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoices. The invoices will be paid when the validation is completed.
The CCG does not receive any identifiable information for purposes of Invoice Validation however they will receive reports to help us manage our finances.
Data Processing ActivitiesThe CCG uses the services of the Arden and GEM CSU Controlled Environment for Finance and has a contract in place with them.  Only authorised staff are able to access this information.
Opt out details National data opt-out applies
Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.
Additional information is also available from the NHS England website: https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/

PATIENT AND PUBLIC INVOLVEMENT

PurposeIf you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and use information which you share with us.  Where you submit your details to us for involvement purposes, we will only use your information for this purpose.
Type of Information Used - Identifiable
Legal BasisExplicit Consent
How We Collect and Use Information in relation to Patient and Public Involvement - We will be collecting and using your information to enable us to keep you informed of any news, consultation activities or patient participant groups. 
Data Processing ActivitiesThe CCG uses the services of the Arden and GEM CSU to support our work with Patient and Public Involvement.
Opt out details - You can opt out at any time by contacting us

COMMISSIONING

Purpose - Hospitals and community setting organisation that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve.  This information is known as commissioning datasets. The CCG obtains these datasets from NHS Digital which relate to patients registered with our GP practices. This enables us to plan, design, purchase and pay for the best possible care available for you.
Type of Information Used - Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.
Identifiable – when disclosed from Primary and Secondary Care Services to NHS Digital
Aggregated – the CCG can only receive this information in aggregated format which does not identify individuals
Legal Basis There is a Statutory requirement for NHS Digital to collect identifiable information to help to run the health service.
Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (CAG 2-03(a)/2013, CAG 7-07(a)) enables NHS Digital to share this information with the CSU ‘Accredited Safe Haven’ to process in order to provide information in pseudonymised form to the CCG to perform its statutory functions to plan, design, purchase and pay for the best possible care available for you.
There is no requirement for a legal basis for use of the aggregated information which is available to the CCG as this does not identify individuals.
How We Collect and Use Information in relation to Commissioning - The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
We also receive similar information from the GP Practices within our CCG membership that also does not identify you. We use these datasets for a number of purposes such as:

  • Performance managing contracts;
    • Maternity datasets
    • Summaries of Hospital activity and costs against CCG’s plan, by point of delivery, specialty including details of Drugs used and length of stay etc.
    • Outpatient Referral reports including referral route, referring practice, specialty, waiting List data
    • Formulary Adherence Rate
    • Reporting on specific conditions e.g. Renal CAS:- Number of patients referred and Outcomes (e.g. Discharged back to GP with no appointment or investigation, investigations taken place or further outpatient appointments)
    • Data on access to services e.g.  demand,      Choose and Book Slot availability
    • Datasets on Diagnostic Services e.g. Radiology Reporting (CQ1314_6), MUST Screening
    • A&E Daily Data Set
    • Inpatient data for the population for Urgent Care Dashboard including gender, ethnicity, Age, Patient Identifier (PAS) GP Code, consultant code, purpose of attendance (diagnosis), time and date of arrival at unit, time and date of discharge from unit, Length of Stay, Source of Referral, discharge destination (including ward code if admitted), ACS flag and outcomes.
    • WUCTAS Activity Dataset including A&E Time to initial assessment (average time), A&E Waiting Times, % type 1 A&E attendances where the patient was admitted transferred or discharged within four hours of arrival.
    • Delayed Discharge Dataset showing numbers of delayed discharges broken down by reason code and CCG
    • Patient Experience datasets including details of patients requiring assistance to eat at mealtimes and Ward Moves
    • Other Quality information such as Local Avoidable Events
    • Safeguarding Dashboard
    • Workforce Data including: Staff in post, Vacancy/Locum/Bank, Staff turnover, Sickness & absence, PDR compliance, Staff survey results & actions, EWTD, Equality and Diversity metrics report and EDS data
    • Workforce Training Data (including Equality Training)
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care; 
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice;
  • To audit NHS accounts and services;

Data Processing Activities - The CCG has engaged the services of NHS Midlands and Lancashire and NHS Arden and Greater East Midlands Commissioning Support Unit to provide services (Business Intelligence and Contract Management) to support us in this work. 
Opt out detailsNational data opt-out applies
Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.
The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on NHS Digital website.  
More information about how this data is collected and used by NHS Digital is available on their website http://www.hscic.gov.uk/patientconf

NATIONAL REGISTRIES

Purpose - National Registries are used in the NHS to provide support to particular groups of patients to ensure they are receiving the care and support they require, for example, the Learning Disabilities Register.  NHS Digital are responsible for the information collected and used in the Registers who will ensure your information is kept securely and confidentially. 
Type of Information Used - Identifiable and pseudonymised – dependant on purpose.
Legal Basis - A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables NHS Digital to process identifiable information without consent for the purposes of approved National Registries.
How We Collect and Use Information in relation to National Registries - The GP Practices within our CCG membership provide this information to NHS Digital using a secure transfer method.
Opt out details - National data opt-out applies
Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

RESEARCH

Purpose - Research can provide direct benefit to patients who take part in medical trials and indirect benefits to the population as a whole.
Your information can be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Type of Information Used - Identifiable and anonymised – dependant on the purpose.
Legal Basis - Where identifiable information is being used your explicit consent will be gained. Where gaining consent from all patients is not appropriate, e.g. for large-scale, nationwide projects, a Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority is required. The approval ensures that the appropriate security processes are in place to protect your information and ensuring only the minimum information is used for the purpose specified. Research activities using anonymised information does not require your consent.
How We Collect and Use Information in relation to Research - Where identifiable information is needed for research, you will be approached by the organisation where the treatment was received, to see if you wish to participate in the particular research study. You will be provided with information about the research and the way in which your identifiable information will be used and kept safe and secure before being asked to provide explicit consent to take part. Where a Section 251 approval has been granted you will be informed of the project and will be able to make a decision as to whether you wish to opt out. Information related to research projects will be kept safe and secure with access limited to authorised research team members only.
Opt out detailsWhere consent is required to take part in a research project you will also be provided with details by the organisation holding your records on how to opt out at any time.
Where s251 approval has been granted you can request that your identifiable information is not included. The Register of current s251 approval across England and Wales can be found here:
The organisation holding your records will provide notices on their premises and websites about any research projects being undertaken which will provide opt out details.
Your GP practice can apply a code which will stop your identifiable information being used for this purpose.

SERIOUS INCIDENT REPORTS

Purpose - The CCG collects and uses information from Serious Incident Reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately with lessons learnt.
Type of Information Used - Identifiable
Legal Basis - Explicit consent
How We Collect and Use Information in relation to Serious Incident Reports - We are statutorily required to fully investigate and review incidents. Where there is a requirement to provide incident reports externally the information will be anonymised unless there is a legal requirement to provide your details. You will be kept informed of the requirements we are required to meet and asked for consent where information is to be shared externally.
Opt out details - If you do not want information identifying you to be disclosed we will try to respect that. However, it may not be possible to fully investigate serious incidents on an anonymous basis. If the incident involved a breach of law or regulations there may be a legal duty to provide identifiable information. You will be fully informed of this throughout the process.

CLINICAL AUDIT

Purpose - Effective clinical audit can provide direct benefit to you as a patient and to the population the CCG serves to ensure that the services we plan and commission offer high quality and effective care.
Type of Information Used - Identifiable – where clinical audit is undertaken by the GP practice who you are registered with. The GP’s and clinicians involved in your Direct Care are said to have a ‘legitimate relationship’ with you and any outcomes will directly improve patient’s health and wellbeing.
Anonymous – where clinical audit is being undertaken by GPs and health professionals with whom you do not have a ‘legitimate relationship’ with. 
Legal Basis - For special categories (health) data the basis is Article 9(2)(h) – ‘…health or social care…’ for the purpose of managing and planning these types of services. For clinical audit undertaken by the GPs and clinicians directly involved in your care we rely on ‘Public task’ to collect and use your information where the outcomes cannot be achieved using anonymous information.
Where clinical audit is undertaken by GPs and health professionals with whom you do not have a ‘legitimate relationship’, your explicit consent will be required where identifiable information is being used or another statutory basis identified.
Using anonymous data for the purposes of clinical audit does not require a legal basis.
How We Collect and Use Information in relation to clinical audits - Information required for clinical audit will be collected from your records held by the organisation where you have received treatment.  Authorised healthcare professionals will review the records held ensuring that only the minimum information required for the purpose is used. Where consent is required to use identifiable information you will be contacted by the organisation who has provided your treatment.
Opt out details Where you have provided explicit consent to take part in a clinical audit you can opt out at any time by contacting the organisation who provided your treatment.
Your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Area of work

QUALITY TEAM

Processed on behalf of WCCG
Purpose/s for Processing
  • To keep accurate records of all incidents reported to the WCCG, which enable us to monitor and assess and help improve the quality and the safety of the health services delivered by our providers.
  • To help make robust decisions about the future health care service provision for needs of general population.
  • To provide a central point where GPs, Care Homes, providers and fellow commissioners can report and raise queries and quality concerns regarding patient care.
Format used
  • Electronic
  • National Database

Personal Data processed: Items that can be used to identify an individual to include a Psedonymisation code/key (this list is not exhaustive)

Name
DOB
Address
Location Data
NHS Number

DOB, NHS number, dates of admission and discharge where applicable and location of treatment.

‘Special Category’ Data Processed: (all items that fall under DP law listed)

Race
Ethnic origin
Politics
Religion
Trade Union membership
Genetics
Biometrics (when used for ID purpose)
Health
Sex life; or
Sexual orientation

Ethnic origin
Health

Transfer of Data outside the UK No
Transfer of Data outside the EU No
Retention Period Criteria used: N/A
The source the personal data originates from and whether it came from publicly accessible sources
  • GP Practice
  • Acute
  • Community Trust Providers
  • Patient
  • Mental Health Trust
  • 3rd sector providers

Whether the provision of personal data part of a statutory or contractual requirement or obligation

and possible consequences of failing to provide the personal data

  • Statutory
  • Contractual

By failing to provide the personal data, the WCG quality team will be unable to monitor or assess or improve the quality and safety of health services.

Failure to provide information would prevent investigations into, and learning from, quality concerns regarding alleged poor care.

The existence of automated decision making, (making a decision solely by automated means without any human involvement); including profiling and information about how decisions are made, the significance and the consequences.

N/A

 

Area of work

Looked After Children

Processed on behalf of CCG
Purpose/s for Processing
  • LAC health assessments - to enable the  quality assurance of statutory health assessments the CCG commission Provider organisations and other area’s to complete on our behalf. 
  • LAC health database – to monitor statutory LAC health assessment process
  • Carefirst – local authority system to enable the CCG to access details of our LAC to ensure consistency of health care provision and accuracy around contact details when co-ordinating/monitoring health care provision
Format used
  • Electronic
  • Paper

Personal Data processed: Items that can be used to identify an individual to include a Psedonymisation code/key (this list is not exhaustive)

  • Name
  • DOB
  • Address
  • NHS number
  • Family member details (including above) and relationship
  • Family/Child history relating to safeguarding concerns / LAC status

‘Special Category’ Data Processed: (all items that fall under DP law listed)

Details of the following might be included dependant on the incident and the relevance.
  • Race
  • Ethnic origin
  • Religion
  • Health
Transfer of Data outside the UK No
Transfer of Data outside the EU No
Retention Period Criteria used:

Statutory health assessments – for duration of QA process

Health database / Carefirst – on-going

The source the personal data originates from and whether it came from publicly accessible sources
  • GP summaries
  • LAC health team
  • Local authority
  • CAMHS
Not publically accessible sources

Whether the provision of personal data part of a statutory or contractual requirement or obligation

and possible consequences of failing to provide the personal data

  • Statutory requirement to supply (LAC health assessments)
  • Failure to comply may lead to gaps in information, leading to non- identification of learning and limiting the chance to improve services and improve outcomes for children, young people.
The existence of automated decision making, (making a decision solely by automated means without any human involvement); including profiling and information about how decisions are made, the significance and the consequences.

N/A

 

Area of work

Operations

Processed on behalf of CCG
Purpose/s for Processing

FOI Inbox – To meet statutory Duty (compliance with FOI) & Public Task

Modern.gov, Staff absence records, Remuneration Committee, Staff Information Folder, Staff Personal Files – Legal Obligations as an employer

Format used
  • Electronic Database
  • Paper Records

Personal Data processed: Items that can be used to identify an individual to include a Psedonymisation code/key (this list is not exhaustive)

Name
DOB
Address
Location Data
NHS Number

FOI Inbox

  • Name
  • Address

Modern.gov, Remuneration Committee

  • Name

Staff Personal Files

  • Name
  • DOB
  • Address
  • Emergency Contact Details

‘Special Category’ Data Processed: (all items that fall under DP law listed)

Race
Ethnic origin
Politics
Religion
Trade Union membership
Genetics
Biometrics (when used for ID purpose)
Health
Sex life; or
Sexual orientation

Personal Files (May include)

  • Health (Sickness records
  • Race
  • Ethnic Origin
  • Religion
  • Sexual Orientation
  • Trade Union membership

Transfer of Data outside the UK No
Transfer of Data outside the EU No
Retention Period Criteria used:
  • NHS Records Management Code of Practice 2016
    • Committee Records
    • Staff Records
The source the personal data originates from and whether it came from publicly accessible sources

FOI Inbox – Public

Modern.gov, Rem Comm, Staff Personal Files– From Individual members of Staff

Whether the provision of personal data part of a statutory or contractual requirement or obligation

and possible consequences of failing to provide the personal data

FOI Inbox – Personal data required to comply with requests (cannot be made anonymously)

Modern.gov, Rem Comm, Staff Personal Files – Required to meet CCG’s obligations as an employer

The existence of automated decision making, (making a decision solely by automated means without any human involvement); including profiling and information about how decisions are made, the significance and the consequences.

N/A

 

Area of work

Finance

Processed on behalf of WCCG
Purpose/s for Processing
  • Finance working papers & documents
  • Sales order requests
  • GP Claims forms
  • PCT legacy documents
  • Finance ESR
  • Manual payments
  • Payment uploads
  • Finance emails
  • CCG Annual Accounts, Programme Budgeting and Planning & Associated working papers
Format used
  • Electronic
  • National Database

Personal Data processed: Items that can be used to identify an individual to include a Psedonymisation code/key (this list is not exhaustive)

Name
DOB
Address
Location Data
NHS Number

  • NHS Number
  • Name
  • Payroll information

‘Special Category’ Data Processed: (all items that fall under DP law listed)

Race
Ethnic origin
Politics
Religion
Trade Union membership
Genetics
Biometrics (when used for ID purpose)
Health
Sex life; or
Sexual orientation

N/A
Transfer of Data outside the UK No
Transfer of Data outside the EU No
Retention Period Criteria used:
  • NHS Records Management Code of Practice 2016
The source the personal data originates from and whether it came from publicly accessible sources
  • Invoices received from providers, suppliers

Whether the provision of personal data part of a statutory or contractual requirement or obligation

and possible consequences of failing to provide the personal data

Public task, legal obligation, NHS Act requirement to produce statutory accounts
The existence of automated decision making, (making a decision solely by automated means without any human involvement); including profiling and information about how decisions are made, the significance and the consequences. N/A

Other organisations who provide support services for us (Data Processors)

Legal Basis

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”.

Below are details of our data processors and the function that they carry out on our behalf:

  • Arden&GEM CSU – Invoice Validation, Individual Funding Requests, HR
  • Midlands and Lancashire CSU – Commissioning Intelligence
  • Iron Mountain – Archiving of Records
  • PriceWaterhouseCoopers – Internal Audit related purposes
  • NHSLA – Claims Management
  • PHS Datashred - The CCG’s Confidential Waste Disposal Company
  • Shared Business Service –Staff Payroll
  • Royal Wolverhampton NHS Trust – IT services
  • PI Ltd. – using Pseudonymised data to support Population health Profiling with City of Wolverhampton Council for the Local Health Economy

Arden&GEM CSU and Midlands and Lancashire CSUs are NHS England approved Data Services for Commissioning Regional Offices (DSCRO). They provide a secure and compliant data processing function of health and social care data sets. This type of processing is to support commissioning, planning, risk stratification, patient care and paying and validating invoices. The output data from this process will be anonymised or pseudonymised. The CCG does not receive any personal identifiable information from this service.

These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us. Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose. Other NHS Organisations can act as Data Processors, such as Arden & GEM CSU, the same legal rules and conditions apply with contracts and agreements required to be in place.  

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with Data Protection Legislation including the European General Data Protection Regulations 2016 and Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998 and will only process personal data if there is a legitimate basis for doing so and that any such processing is fair and lawful.

Wolverhampton CCG is a Data Controller under the terms of the European General Data Protection Regulations 2016 and Data Protection Act 2018, we are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you is done in compliance with Data Protection Legislation.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number ZA024989 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as: 

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us;
  • and/or
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

The Health and Social Care Information Centre (HSCIC) has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information which can be found here.

How we keep your information secure

All information that we hold about you will be held securely and confidentially.  We use administrative and technical controls to do this.  We use strict controls to ensure that access to information is restricted and only authorised staff are able to see information that identifies you.  Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

Retention and destruction of records

All records held by the CCG will be retained in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016 which concentrates on the management of records through their lifecycle, i.e. from creation to eventual archiving or destruction.

The NHS Care Record Guarantee is a commitment that all NHS organisations (and other organisations which provide NHS-funded care) will use your records in ways that respect your rights and promote your health and wellbeing. The NHS Constitution establishes the principles and values of the NHS in England. It provides a summary of your legal rights and contains pledges that the NHS is committed to achieve, including certain rights and pledges concerning your privacy and confidentiality.

Overseas Transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Review and Changes to our Fair Processing/Privacy Notice

We will keep our Fair Processing/Privacy Notice (FPN) under regular review. This FPN was updated in September 2018.

Key roles in the CCG

The CCG have a number of key roles which support the protection of your data:

  • Caldicott Guardian – The CCGs Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate and lawful information sharing. The Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information. The CCGs Caldicott Guardian is Helen Hibbs, who can be contacted via wolccg.wccg@nhs.net
  • Senior Information Risk Owner (SIRO) – A SIRO is a CCG Executive Director or member of the Senior Management Board of an organisation with overall responsibility for an organisation's information risk policy. The SIRO is accountable and responsible for information risk across the organisation. The SIRO ensures that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. The CCGs SIRO is Tony Gallagher and can be contacted via wolccg.wccg@nhs.net
  • Data Protection Officer – The CCG has appointed a Data protection Officer as required by Data Protection Legislation. The Data Protection officer ensures that your rights are respected and the CCG is complaint with the law. If you have any concerns or questions about how the CCG looks after your personal information, please contact the Data Protection Officer by using the contact details above. The CCGs Data Protection Officer is Peter McKenzie, who can be contacted via wolccg.wccg@nhs.net

Contact us

If you have any questions or concerns regarding how we use your information, please contact us at:

Data Protection Officer
Peter McKenzie, Corporate Operations Manager
Phone: 01902 444878
Email: wolccg.wccg@nhs.net

If you would like to request any personal information that the CCG may hold about you under Data Protection Legislation, please submit a Subject Access Request:

Data Protection Officer
NHS Wolverhampton Clinical Commissioning Group, Technology Centre, Glaisher Drive, Wolverhampton WV10 9RU
Phone: 01902 444878
Email: wolccg.wccg@nhs.net

For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner’s Office
Wycliffe House, Water Lane,Wilmslow, Cheshire, SK9 5AF.
Phone: 08456 30 60 60 or 01625 54 57 45
Website: www.ico.gov.uk

Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found via the following links:

  • Data Protection Act 2018
  • General Data Protection Regulations
  • NHS Confidentiality Code of Practice
  • NHS Digital Guide to confidentiality in health and social care
  • Health Research Authority
  • NHS England
  • The NHS Constitution is founded on a common set of principles and values that bind together the communities and people it serves – patients and public – and the staff who work for it. The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
  • The NHS Care Record Guarantee sets out the rules that govern how patient information is used in the NHS and what control the patient has over this. It covers people’s access to their own records; controls on others access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS has to comply with this guarantee. The NHS Care Record Guarantee was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. It was last reviewed in January 2011.
  • An independent review of information about service users is shared across the health and care system led by Dame Fiona Caldicott was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review, be found at: https://www.gov.uk/government/publications/the-information-governance-review
  • The NHS Commissioning Board – NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning http://www.england.nhs.uk/wp-content/uploads/2012/12/clinical-datasets.pdf
  • Please visit the Health and Social Care Information Centre’s website for further information about their work. Information about their responsibility for collecting data from across the health and social care system can be found at http://www.hscic.gov.uk/collectingdata
  • The Information Commissioner’s Office is the Regulator of Data Protection Legislation and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit the Information Commissioner’s Office website at http://www.ico.org.uk.
  • The Health Research Authority (HRA) has been established to promote and protect the interests of patients, streamline regulation and promote transparency in health and social care research. http://www.hra.nhs.uk.

This information was last updated in September 2018.