Privacy Notice – Invoice Validation
Invoice validation is an important process in ensuring that your care is paid for correctly. It involves using your NHS number to check that the Integrated Care Board (ICB) is responsible for paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for.
The process makes sure that the organisations providing your care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment for finance (CEfF) (within/on behalf of) the ICB. The use of personal data by ICBs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and was scheduled for review 30 September 2022.
We are required by Articles in the UK General Data Protection Regulations (UK GDPR) to provide you with the information in the following subsections.
Data Controller contact
If you have any queries, concerns, or want to request that we change or delete your information, you may contact NHS Derby and Derbyshire ICB at the following address:
Information Governance Team, Scarsdale, Nightingale Close, Newbold, Chesterfield, Derbyshire, S41 7PF
Purpose of the processing
The processing of this information is required to enable the ICB to ensure accurate payment of invoices and to provide accountability and fulfil the ICBs legal obligations.
Lawful basis for processing
The lawful justification for the processing and sharing of this data is under the following Article 6 of the UK General Data Protection Regulations (UK GDPR):
Article 6(1)(c) “the processing is necessary for compliance with any legal obligation to which the controller is subject”
The ICB does not require access to Special Category data for the purposes of Invoice Validation and will not process data at this level.
Recipient or categories of recipients of the processed data
The data will be shared with the ICBs external provider into a Controlled Environment for Finance (CEfF).
Anonymised data will be shared with NHS Shared Business Services (SBS) to arrange payment of the invoice.
Right to object
You have the right to object to some or all the information being processed under Article 21 of UK GDPR. To object to the processing of your information, please contact the controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.
Under the Confidentiality Advisory Group review 10 October 2017 the requirement to oblige with patients objections from the flow of information to CEfF which are required to support invoice validation was removed.
Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.
The data will be retained in line with the law and national guidance. Or speak to the ICB.
Right to complain
You have the right to complain to the Information Commissioner’s Office (ICO).
Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are National Offices for Scotland, Northern Ireland and Wales.