Skip to content

Home > Privacy Notice > Incident Management Privacy Notice

Privacy Notice – Incident Management

The Integrated Care Board (ICB) takes every measure to ensure that no identifiable personal data is accessed or shared without complying with necessary regulations. On the rare occasion that the ICB or one of our providers may breach these regulations it is our duty to investigate what may have caused such an incident and the consequences of this.

In these circumstances the ICB may be required to obtain and process information relating to the data subject in order to fully investigate and inform the individual of the outcome of their enquiries. The ICB will always ensure the information obtained is not excessive, in line with the Data Protection Principles of GDPR Article 5(1)(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).


Data Controller contact

If you have any queries, concerns, or want to request that we change or delete your information, you may contact NHS Derby and Derbyshire ICB at the following address:

Information Governance Team, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF



Purpose of the processing

The processing of this data is necessary to allow the ICB to investigate incidents and to allow for learning.


Lawful basis for processing

The lawful justification for the processing and possible sharing of this data is under the following Article 6 and Article 9 of the UK General Data Protection Regulations (UK GDPR):


Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’


Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”


Recipient or categories of recipients of the processed data

The data will be shared with providers involved in the incident. Where possible this data will be anonymised prior to sharing.

Right to object

You have the right to object to some or all the information being processed under Article 21 of UK GDPR. To object to the processing of your information, please contact the controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

In circumstances where it is necessary to share information for compliance with the Data Protection Act 2018, Schedule 1, Part 2(11)(2) the ICB has an obligation to enact its ‘protective function’ and this may, in some instances, override the subjects right to object.


Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.


Retention period

The data will be retained in line with the law and national guidance. Or speak to the ICB.


Right to complain

You have the right to complain to the Information Commissioner’s Office (ICO).

Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales.

Visit the ICO


Last Updated: Wednesday 17th January 2024 - 1:20:pm

Subscribe to our Newsletter

Joined Up Care Derbyshire produces a bi-monthly newsletter which provides important updates on health and care developments around the city and county.

Previous copies of the newsletter can be found on our website.

If you would like to receive this newsletter, please visit our newsletter page to sign up.