Privacy Notice
Page Contents
Privacy Notices
Who we are
NHS Derby and Derbyshire Integrated Care Board (ICB) was established on 1st July 2022 and is a successor organisation to the now abolished NHS Derby and Derbyshire Clinical Commissioning Group (CCG).
We are directly responsible for:
- the local NHS budget – planning and commissioning of services working closely with partners across the Joined Up Care Derbyshire Integrated Health and Care system
- the delivery of high quality and safe local health and care services
- producing a five-year delivery plan
- additional commissioning responsibilities – such as primary care, dentistry, optometry, pharmaceutical – previously held by NHS England.
For more information about the ICB please see our About Us section.
Our commitment to data privacy and confidentiality issues
We are committed to protecting your privacy and will only ‘process’ data (processing refers to how data is Held, Obtained, Recorded, Used and Shared) in accordance with Data Protection Legislation.
This includes ensuring the ICB comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018 (Data Protection Legislation), and any applicable national Laws as required.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including:
- the Human Rights Act 1998,
- the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,
- the Common Law Duty of Confidentiality, and the
- Privacy and Electronic Communications (EC Directive) Regulations.
In the circumstances where we are required to use personal identifiable information, we will only do this if:
- The information is necessary for your direct healthcare, or
- We have received explicit consent from you to use your information for a specific purpose, or
- There is an overriding public interest in using the information:
- To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
- There is a legal requirement that allows or compels us to use or provide information (e.g., a formal court order or legislation), or
- We have permission from the Secretary of State for Health and Social Care to use specific personal identifiable information when it is necessary for our work.
All individuals working for the NHS have a legal and contractual duty to keep information about you confidential.
All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this.
All records held by the ICB will be kept for the duration specified by national guidance from NHS England(formally NHS Digital) found in the Records Management Code of Practice 2021. In all circumstances data will be retained in accordance with data protection requirements and ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. Once data is no longer required it will be destroyed securely.
All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection Toolkit.
Our staff, contractors and committee members receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Staff are trained to ensure how to recognise and report and incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
The ICB maintains a set of regularly updated policies and procedures covering all aspects of information governance.
The type of personal information we collect
The ICB processes several different types of information:
- Identifiable – containing details that identify individuals. The following are data items that are considered identifiable:
- name,
- address,
- NHS Number,
- full postcode, and
- date of birth
- Pseudonymised information – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
- Anonymised – about individuals but with all identifying details removed
- Aggregated – statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Our records may be held on paper or in a computer system.
How we use your personal information
Use of anonymised data
We use anonymised data (from which individuals cannot be identified) to plan health care services including:
- Checking the quality and efficiency of the health services we commission;
- Preparing performance reports on the services we commission;
- Establishing what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
- Reviewing the care being provided to make sure it is of the highest standard.
Use of pseudonymised (de-identified) information
We use de-identified information (using a coded ‘reference’ which does not reveal an individual’s identity) in our role, including:
Use of personal and sensitive (identifiable) information
There are some categories of personal data for which special safeguards are required by law, known as special category or sensitive data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.
We collect and use personal information for the following purposes and we have specific privacy notices linked below:
- Direct Care
- Complaints
- Freedom of Information
- HR, Staffing, Employment, Recruitment and Training
- Incident Management
- Invoice Validation
- Medicines Management
- Patient Communications
- Patient Participation and Engagement Groups
- Public Health
- Quality Alerts
- Safeguarding
We keep our privacy notices under regular review: these were last reviewed in December 2023.
Sharing your information with other organisations or individuals (third parties)
We may share your information with other organisations as follows:
- as required by law
- to prevent and detect fraud and mistakes
- to make payments to NHS Service providers
- to secure the effective and efficient delivery of NHS and related services
- for benefits and tax administration
- as part of an appeal.
Your information will not be transferred outside of the United Kingdom, unless this is stated in the privacy notice of the service you use.
Your rights
Under the Data Protection Legislation all individuals have certain rights in relation to the information the ICB holds about them. Not all rights apply equally to all our processing and are dependent on the lawful basis for processing. Further information can be found on the ICO site ‘Lawful Basis for Processing’ section.
If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.
These rights are:
- The right to be informed about the processing of your data
- The right of access to the data held about you (subject access request (SAR))
- The right to have that information amended in the event that it is not accurate
- The right to have the information deleted
- The right to restrict processing
- The right to have your data transferred to another organisation (data portability)
- The right to object to processing
- Rights in relation to automated decision making and profiling
Currently the ICB does not use automated decision-making (making a decision solely by automated means without any human involvement).
These are commitments relating to your rights set out in the NHS Constitution, for further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england.
Subject access requests and how to exercise other rights
Individuals can access personal information about them by making a ‘subject access request’ under the Data Protection Legislation. Click here to find out more information about how to make a request for any personal information we may hold and/or to exercise any of your other rights under Data Protection legislation.
Opting out
Your information can be used for improving health, care and services including:
- planning to improve health and care services
- research, for example to find a cure for serious illnesses.
Type 1 opt-out
If you do not want personal data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
National Data Opt Out
Patients are able to apply the National Data Opt Out to their records which will prevent their data from being used within projects that have a Section 251 application approved by the Confidentiality Advisory Group, this means that the Common Duty of Confidentiality has been set aside by the Secretary of State. Further information can be located in the ICB National Data Opt Out Compliance Statement
Our data processors
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. The ICB remains the data controller (the organisation responsible for determining the purposes for which and the way personal data is used under Data Protection Legislation) of such information at all times.
Contact us
If you have any queries, concerns, or want to request that we change or delete your information, you may contact NHS Derby and Derbyshire ICB at the following address:
Information Governance Team, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF
Email: ddicb.igteam@nhs.net
Concerns about how we are using your information
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
For more information about Data Protection, or if you are unsatisfied with the way your personal information has been handled, you can contact the national regulator, the Information Commissioner’s Office, at:
The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AX
Email: casework@ico.org.uk
Website: https://ico.org.uk/