
Privacy Notice – Invoice Validation

Invoice validation is an important process in ensuring that your care is paid for correctly. It involves using your NHS number to check that the Integrated Care Board (ICB) is responsible for paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for.

The process makes sure that the organisations providing your care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment for finance (CEfF) (within/on behalf of) the ICB. The use of personal data by ICBs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and was scheduled for review on 30 September 2022.

Visit the Health Research Authority for more information

We are required by Articles in the UK General Data Protection Regulation (UK GDPR) to provide you with the information in the following subsections.


Data Controller contact

If you have any queries, concerns, or want to request that we change or delete your information, you may contact NHS Derby and Derbyshire ICB at the following address:

Information Governance Team, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF



Purpose of the processing

The processing of this information is required to enable the ICB to ensure accurate payment of invoices, to provide accountability and to fulfil the ICB's legal obligations.


Lawful basis for processing

The lawful justification for the processing and sharing of this data is the following provision of Article 6 of the UK General Data Protection Regulation (UK GDPR):


Article 6(1)(c) “the processing is necessary for compliance with any legal obligation to which the controller is subject”


The ICB does not require access to Special Category data for the purposes of Invoice Validation and will not process data at this level.


Recipient or categories of recipients of the processed data

The data will be shared with the ICB's external provider into a Controlled Environment for Finance (CEfF).

Anonymised data will be shared with NHS Shared Business Services (SBS) to arrange payment of the invoice.


Right to object

You have the right to object to some or all of the information being processed under Article 21 of UK GDPR. To object to the processing of your information, please contact the controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

Under the Confidentiality Advisory Group review of 10 October 2017, the requirement to comply with patients' objections to the flow of information to the CEfF that is required to support invoice validation was removed.


Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.


Retention period

The data will be retained in line with the law and national guidance. For more information, speak to the ICB.


Right to complain

You have the right to complain to the Information Commissioner’s Office (ICO).

Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales.

Visit the ICO


Last Updated: Thursday 18th January 2024 - 9:44 am
