Who we are
NHS Derby and Derbyshire ICB has responsibility for buying (or commissioning) services across our county.
A major part of our work is effective planning, buying, and monitoring of services from healthcare providers, such as hospitals and GP Practices. This means making sure that the NHS services that people need locally are available and making sure that those services are high quality and value for money.
This privacy notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It covers information we collect directly from you or receive from other individuals or organisations.
This notice does not provide exhaustive detail; however, we are happy to provide any additional information or explanation needed.
We keep our privacy notice under regular review: it was last reviewed in June 2022.
Our commitment to data privacy and confidentiality issues
We are committed to protecting your privacy and will only ‘process’ data (processing refers to how data is Held, Obtained, Recorded, Used and Shared) in accordance with Data Protection Legislation.
This includes ensuring the ICB comply with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, and any applicable national Laws as required.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including:
- the Human Rights Act 1998,
- the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,
- the Common Law Duty of Confidentiality, and
- the Privacy and Electronic Communications (EC Directive) Regulations.
As a Data Controller, the ICB has a duty to:
- keep sufficient information to provide services and fulfil our legal responsibilities
- keep your records secure and accurate
- only keep your information as long as is required
- collect, store, and use the information you provide in a manner that is compatible with the EU General Data Protection Regulation and the Data Protection Act.
Things you can do to help us:
- make sure we have identified you correctly by letting us know when you change address or name; and
- tell us if any of your information we hold is wrong.
Personal information we hold about you
As a commissioner, we do not routinely hold or have any access to medical records. The provider of your healthcare, for example an Acute Trust or GP, would hold this information. However, we may need to hold some information about you, for example:
- If you have made a complaint to us about healthcare that you have received, and we need to investigate
- If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process
- If you ask us to provide funding for Continuing Healthcare or personal health budget services
- If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
- If you ask us to keep you regularly informed and up to date about the work of the ICB, or if you are actively involved in our engagement and consultation activities or service user participation groups
- In circumstances where our Safeguarding staff are involved in the most serious cases.
- In circumstances where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.
Our records may include relevant information that you have told us, information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system.
We may share your information with other organisations as follows:
- as required by law
- to prevent and detect fraud and mistakes
- to make payments to NHS Service providers
- to secure the effective and efficient delivery of NHS and related services
- for benefits and tax administration
- as part of an appeal.
Your information will not be transferred outside the European Economic Area, unless this is stated in the privacy notice of the service you use.
Why we process your information
For some of our services, we need to collect personal data so we can get in touch or provide the service. The ICB can use your personal data under many different laws. The main ones that apply are the NHS Act 2006, the Health and Social Care Act 2012, the Care Act 2014, the Data Protection Act 2018 and the General Data Protection Regulation, but there are many more.
For some services where individuals choose to engage with the ICB e.g., where someone wishes us to include them on our mailing list, we will process this data by requesting your explicit consent.
The ICB have in place arrangements to handle limited amounts of person confidential data. These data include limited data processed in accordance with our validation of referral (where treatments are restricted), and indirectly where the ICB perform an oversight function for monitoring the quality of the services commissioned.
Where the ICB holds a contract for the provision of a clinical service, the organisation which delivers that service is the Data Controller. These providers are under contract and have to keep your details safe and secure and use them only to provide the service.
The ICB has undertaken an assurance exercise, where we have worked with Information Asset Owners to map the flows of information into and out of the ICB. This is part of our annual work to complete the Data Security and Protection Toolkit.
The ICB processes personal identifiable data for the following purposes:
- Financial transactions including processing applications for funding treatments
- Invoice validation
- Dealing with complaints
- Processing Safeguarding referrals
- Continuing Healthcare
- Risk stratification
- Patient & public involvement – where you have agreed for us to contact you to gain your views about the services we commission
- Regulatory oversight and quality monitoring functions
- National registries
- To ensure we meet our legal and statutory obligations
- Clinical audit
- GP data performance and monitoring information
- Investigating and managing serious incidents.
As an employer, the ICB will process employee data for the following purposes:
- To ensure that the information we hold about you is kept up to date
- To deal with any employee / employer related disputes that may arise
- Payroll purposes
- For assessment and analysis purposes to help improve the operation and performance of the ICB
- To inform the development of recruiting and retention policies so that they are relevant to the ICB’s workforce
- To enable the monitoring of protected characteristics in accordance with the Equality Act 2010 and ensure that the ICB continues to meet equality standards
- To prevent, detect and prosecute against fraud
- To respond to requests made by a “relevant authority” under the Data Protection Act 2018, such as the police, government departments and local authorities with the regulatory powers to request access to personal data without the consent of the data subject for the purposes of the prevention or detection of crime
- In accordance with the consent provided by you as part of your terms and conditions of employment
- To comply with the ICB’s legal obligations as an employer, i.e., HMRC and Pensions.
Keeping your personal information
Your personal data will only be retained by the ICB where there is a clear lawful basis to do so, and this will not be retained for longer than is necessary. The ICB ensures that we comply with best practice in relation to the retention and destruction of records.
You have certain legal rights, including:
- to have your information processed fairly and lawfully
- to request access to any personal information we hold about you
- the right to privacy, and to expect the NHS to keep your information confidential and secure
- to request that your confidential information is not used beyond your own care and treatment and to have your objections considered
- to request that any inaccurate data that we hold about you is corrected.
These are commitments set out in the NHS Constitution.
Subject access requests and requests to correct errors
Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you, we will:
- Give you a description of it
- Tell you why we are holding it
- Tell you who it could be disclosed to; and
- Let you view or have a copy of your personal information in an intelligible form.
To make a request for any personal information we may hold you need to put the request in writing, via email or letter, to the following address:
Information Governance Team, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF
Subject Access Request
To make a request for any personal information we may hold, please see NHS Derby and Derbyshire ICB’s
Information not directly collected by the ICB, but collected by organisations that provide NHS services
Type 1 opt-out
If you do not want personal data to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Type 2 opt-out: information held by NHS Digital
Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information that it collects from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-Out.
The privacy notice text can be found on the NHS Digital website.
How each of our services uses your information
You can view the privacy notices for each of our services.
Our Data Processors
We ensure that external data processors that support us are legally and contractually bound to operate, and to prove that they have in place, security arrangements where data that could or does identify a person are processed. The ICB remains the data controller (the organisation responsible for determining the purposes for which and the way personal data is used under Data Protection Legislation) of such information at all times.
If you have any queries, concerns, or want to request that we change or delete your information, you may contact Derby and Derbyshire ICB at the following address:
Data Protection Officer, Dr Steve Lloyd, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF
Data Protection Officers are responsible for upholding your rights and making sure we process your information correctly.
Concerns about how we are using your information
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
For more information about Data Protection, or if you are unsatisfied with the way your personal information has been handled, you can contact the national regulator, the Information Commissioner’s Office, at:
The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AX
Website and Social Media
We will use the Internet to communicate with the public and promote public participation. Through our social media accounts and website, we will post photos, videos, and sound recordings of our work and events, which may sometimes include personal data. Although we seek consent, this may not always be possible when capturing large crowds or public street scenes. If you are ever unhappy about being included in any of these publications, please contact us.
Communications undertaken by the ICB
For key functions of the ICB, it is essential that we maintain lists of professional contacts. Where the ICB are communicating with the public about specific events or engagement – we will make announcements within local media and contact those people who have expressed an interest in being kept informed, and who have shared their contact details with us. In this case, the ICB does not share details with any other parties, and each person can withdraw their consent for the ICB to hold their information at any time.
The lawful basis for processing this data is the consent of the individual data subject, and this can be withdrawn at any time.
Where the ICB maintains contact lists of professional contacts, whether this be key primary care contacts, or contacts within care homes, pharmacies, or optometrists, this is key to ensuring that information about ICB services and developments is shared with partners, and engagement across all care partners is maintained. Again, the ICB do not share details with any other parties. The lawful basis for this processing is one of the two following:
Where the ICB maintains contact lists of GP practice contacts, this is to enable the oversight and management of the GP Contract, and the lawful basis is Contract.
Where the ICB maintains contact lists for services contracted via NHS England, for example optometrists, care homes, pharmacists and other care providers, the lawful basis for processing this data is the consent of the individual and company involved, and this can be withdrawn at any time. To join or unsubscribe from this list please contact: DDICB.Meds.Man@nhs.net.
Covid-19 and Your Information (17 April 2020)
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements the ICB’s main Privacy Notice.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking, and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, and NHS 111.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England, and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.