Privacy Notice – Incident Management
The Integrated Care Board (ICB) takes every measure to ensure that no identifiable personal data is accessed or shared without complying with necessary regulations. On the rare occasion that the ICB or one of our providers may breach these regulations it is our duty to investigate what may have caused such an incident and the consequences of this.
In these circumstances the ICB may be required to obtain and process information relating to the data subject in order to fully investigate and inform the individual of the outcome of their enquiries. The ICB will always ensure the information obtained is not excessive, in line with the Data Protection Principles of GDPR Article 5(1)(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
Data Controller contact
If you have any queries, concerns, or want to request that we change or delete your information, you may contact NHS Derby and Derbyshire ICB at the following address:
Information Governance Team, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF
Purpose of the processing
The processing of this data is necessary to allow the ICB to investigate incidents and to allow for learning.
Lawful basis for processing
The lawful justification for the processing and possible sharing of this data is under the following Article 6 and Article 9 of the UK General Data Protection Regulations (UK GDPR):
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
Recipient or categories of recipients of the processed data
The data will be shared with providers involved in the incident. Where possible this data will be anonymised prior to sharing.
Right to object
You have the right to object to some or all the information being processed under Article 21 of UK GDPR. To object to the processing of your information, please contact the controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.
In circumstances where it is necessary to share information for compliance with the Data Protection Act 2018, Schedule 1, Part 2(11)(2) the ICB has an obligation to enact its ‘protective function’ and this may, in some instances, override the subjects right to object.
Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.
The data will be retained in line with the law and national guidance. Or speak to the ICB.
Right to complain
You have the right to complain to the Information Commissioner’s Office (ICO).
Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are National Offices for Scotland, Northern Ireland and Wales.