
Data Protection

Privacy Notice – Data Protection Act 1998

Your information and how we use it

The purpose of this notice is to inform you about the type of information that we hold, how we use that information, who we share it with, how we keep it secure and confidential, how we destroy information securely and how you can request a copy of the information we hold. 

The CCG is classed as a “Data Controller” under the Data Protection Act 1998 and is legally bound to ensure that personal information is used appropriately and complies with the eight principles of the Data Protection Act 1998.

Being a Data Controller under the Act means that we have to register with the Information Commissioner's Office (ICO). A copy of our registration is available through the ICO website (search by CCG name or by our registration number, ZA007791).

Who we are

Birmingham CrossCity Clinical Commissioning Group (CCG), Bartholomew House, 142 Hagley Road, Edgbaston, Birmingham, B16 9PA

  • Telephone: 0121 255 0700
  • Fax: 0121 682 0090

What we do

Our CCG is clinically led, which means we are made up of doctors, nurses and other health professionals. We are responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers such as hospitals and GP practices for our local population, to ensure the highest quality of healthcare. We also have a performance monitoring role for these services, which includes responding to any concerns from our patients about the services offered.

Definitions

To aid you in reading and understanding terms used in the NHS in relation to information/data please see below:

What is Personal Confidential Data?

This is a term used in the Caldicott Information Governance Review. It describes personal information about identified or identifiable individuals which should be kept private or secret, and it covers the dead as well as the living. The review interpreted 'personal' as including the Data Protection Act definition of personal data, but extended it to data relating to the deceased; 'confidential' covers both information 'given in confidence' and information 'which is owed a duty of confidence', and is adapted to include 'sensitive' personal data as defined in the Data Protection Act. Examples of identifiable data are:

  • Name
  • Address
  • Postcode
  • Date of birth
  • NHS number

What is Personal Data?

As per the Data Protection Act 1998, and defined by the ICO: Personal data means data which relate to a living individual who can be identified:

  1. From those data, or
  2. From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

What is Sensitive Personal Data?

Sensitive personal data is different from Personal Data. Sensitive personal data means personal data consisting of information as to:

  1. The racial or ethnic origin of the data subject
  2. Their political opinions
  3. Their religious beliefs or other beliefs of a similar nature
  4. Whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
  5. Their physical or mental health or condition
  6. Their sexual life
  7. The commission or alleged commission of any offence
  8. Any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
How is Direct Patient Care defined?

The Caldicott Review defined it as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

How is Indirect Patient Care defined?

The Caldicott Review defined it as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine and medical research. Examples of such activities are risk prediction and stratification, service evaluation, needs assessment and financial audit.

How we use your information

Our CCG holds some information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this. The CCG uses different types of information/data which are:

  • Personal confidential data/identifiable - containing details that identify living individuals
  • Pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code
  • Anonymised - about individuals but with identifying details removed
  • Aggregated - anonymised information grouped together so that it doesn't identify individuals.

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 1998.  

The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. 

Keeping your records confidential

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.  All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which renders the data unreadable to anyone who does not hold the decryption key, so that a lost or stolen device does not expose the information on it).

We ensure that the external data processors that support us are legally and contractually bound to operate, and to demonstrate, appropriate security arrangements wherever data that could or does identify a person are processed.

Any breaches or near misses of the Data Protection Act 1998 are reported through our incident management system and dealt with appropriately.

What do we use anonymised/pseudonymised data for?

Wherever possible the CCG will use anonymised/pseudonymised data to plan health care services. Specifically we use it to:

  • Check the quality and efficiency of the health services we commission
  • Prepare performance reports on the services we commission
  • Work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future
  • Review the care being provided to make sure it is of the highest standard
  • Patient pathway analysis
  • Understanding the needs of the population
  • Specialised services and other high cost/low volume analysis
  • Multi-agency projects
  • Reviews for quality assurance purposes.

What do we use your sensitive and personal information for?

There are some limited exceptions where we may hold and use sensitive personal information about you. For example the CCG has been required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information are listed below. For each one we set out the purpose, the process, the legal basis and the security arrangements. Unless stated otherwise, the security arrangements are the same for all of them: any files that are created that hold your personal confidential data are kept secure for the appropriate period of time; once they have reached their NHS retention period they are securely destroyed. This applies to both paper and electronic records.

Individual Funding Request (IFR)

  • Process: An individual funding request can be made by your clinician (doctor or other health professional) if they believe that a particular treatment or service that is not routinely offered by the NHS is the best treatment for you, given your individual clinical circumstances.
  • Legal basis: Explicit consent.

Continuing Healthcare Assessment

  • Process: If a clinician (doctor or other health professional) asks us to carry out an assessment of complex medical needs, they will explain to you what information we need to collect and who we would need to share it with in order for us to assess your needs and commission your care package.
  • Legal basis: Explicit consent.

Complaints / Queries / Concerns

  • Process: If you have asked us to assist you in raising or resolving a complaint or concern about the treatment you have received within the area for which we commission services, we will need to know the details of the treatment, appointments and condition that you have concerns about in order to assist you.
  • Legal basis: Explicit consent.

Safeguarding (children and adults)

  • Process: We will collect and hold identifiable information where we are investigating safeguarding issues or concerns.
  • Legal basis: This is done without consent; we rely on the Children Act 1989/2004 and the Care Act 2014.

Patient and Public Engagement

  • Process: We collect and hold information in order to ensure that the CCG is effectively engaging with patients in the population for which we commission services.
  • Legal basis: Explicit consent.

Paying invoices (invoice validation) for the treatment/services you have received

  • Process: The validation of invoices is undertaken within a controlled environment for finance within the Arden & GEM CSU. Invoice validation is undertaken to ensure that the CCG is paying only for treatments relating to its own patients. The dedicated CSU team receives patient-level information directly from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid by the CCG. The CCG does not receive or see any patient-level information relating to these invoices.
  • Legal basis: Section 251 of the NHS Act 2006, with the support of the Confidentiality Advisory Group (CAG). Section 251 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. The regulations that enable this power are the Health Service (Control of Patient Information) Regulations 2002, and any reference to 'section 251 support or approval' in fact refers to approval given under the authority of those Regulations. The Health Research Authority (HRA) took on responsibility for Section 251 in April 2013, establishing the CAG function.

Risk Stratification (please see "Right to opt out" below)

  • Process: This is a process that helps your family doctor (GP) to help you manage your health. Using selected information from your health records, a secure NHS computer system looks at any recent treatment you have had in hospital or at the surgery and any existing health conditions you have, and alerts your doctor to the likelihood of a possible deterioration in your health. The clinical team at the surgery uses this information to help you get early care and treatment where it is needed. The Midlands & Lancashire CSU Data Services for Commissioners Regional Office (DSCRO) supports GP practices with this work. NHS security systems protect your health information and patient confidentiality at all times. Where it is not possible to use completely de-identified data, a single identifier such as your NHS number or postcode will be used.
  • Legal basis: Section 251 of the NHS Act 2006, with the support of the Confidentiality Advisory Group (CAG), as described for invoice validation above.

Visitors to our website

  • Process: This privacy notice does not cover links from our website to other websites; we encourage you to read the privacy statements on the other websites you visit. When someone visits the CCG website we collect standard internet log information and details of visitor behaviour patterns, for example to find out the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone, and the CCG will not make any attempt to find out the identities of those visiting the website. We do collect identifiable information from visitors who register in order to comment on forum threads or to receive further information on specific topics.
  • Legal basis: No personal data is recorded for general visitors; explicit consent for visitors who register.

National Registries

  • Process: National registries (such as the Learning Disabilities Register) have statutory permission to collect and hold service-user identifiable information without the need to seek consent from each service user. Sensitive personal information may also be used.
  • Legal basis: Section 251 of the NHS Act 2006; the information is necessary for your direct healthcare.

CCG responding to communication from patients, carers or Members of Parliament

  • Process: We use your information where one of the following applies: you have freely given your informed agreement (consent) for us to use your information for a specific purpose; there is an overriding public interest in using the information, e.g. in order to safeguard an individual or to prevent a serious crime; or there is a legal requirement that allows us to use or provide the information (e.g. a formal court order).
  • Legal basis: Consent, legislation, regulations.

Job applicants, current and former employees

  • Process: When individuals apply to work at the CCG, we will use the information they supply to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a 'disclosure' from the Disclosure and Barring Service (formerly the Criminal Records Bureau), we will not do so without informing them beforehand unless the disclosure is required by law. Once a person has taken up employment with us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person's employment. Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
  • Legal basis: Explicit consent.

Personal Health Budgets

  • Process: A personal health budget is an amount of money to support the identified healthcare and wellbeing needs of an individual, which is planned and agreed between the individual, or their representative, and the CCG. To support this process, the CCG will process personal confidential data, including sensitive data, to evaluate, agree and monitor any personal health budgets. More information: https://www.england.nhs.uk/healthbudgets/
  • Legal basis: Explicit consent.

Assuring Transformation

  • Process: We collect and track data for people with learning disabilities and/or autism as part of the Winterbourne View Review Concordat: Programme of Action. We hold, manage and maintain a register of people with learning disabilities and/or autism in in-patient settings that covers their current care provision.
  • Legal basis: Section 251 of the NHS Act 2006.

Right to opt out (fair processing)

Patients have a right to opt out of their information being used for risk stratification profiling. It follows that the GP practice must make patients aware that their information is being used for these purposes and that they have a right to opt out. Providing this information is required for compliance with Principle 1 (fair and lawful processing) of the Data Protection Act. NHS England guidance is that GP practices should provide information to patients explaining how their data will be used and what to do if they have any concerns or objections.

The above process works by the GP practice adding a code to your records that will stop your information from being used for this purpose.

How long do you hold confidential information for?

All records held by the CCG will be kept for the duration specified by national guidance from NHS Digital.

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre, HSCIC), with ways of collecting and using patient data that cannot identify a person, to help commissioners design and procure the combination of services that best suits the population they serve.

We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out.  If you wish to do so, please inform your GP practice and they will mark your choice in your medical record.

You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices.

Data may be de-identified and linked by these special bodies so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E).  In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CCG does not have any access to patient identifiable data.
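The following is an added example, not code from the CCG, a CSU or a DSCRO. It illustrates the two points made above: what "pseudonymised" means in the definitions section (identifying details replaced with a unique code) and how two datasets can be linked on such a code without the analyst ever holding an NHS number. The pseudonym is a keyed HMAC of the NHS number, so the same person gets the same code in every extract pseudonymised with the same key, while the NHS number cannot be recovered without that key. The NHS numbers, patient records and key below are all constructed for illustration; only the Modulus 11 check-digit rule is the real NHS one.

```python
"""Keyed pseudonymisation and dataset linkage on NHS numbers.

Added example: this is not code from the CCG, a CSU or a DSCRO. The NHS
numbers, patients, records and the key below are all constructed for
illustration; only the Modulus 11 check-digit rule is the real NHS one.
"""
from __future__ import annotations

import hashlib
import hmac

# Direct identifiers that are stripped before data leaves the controlled
# environment; only the keyed pseudonym remains as the link field.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "address", "postcode", "date_of_birth")

# Constructed secret. In practice the key stays inside the pseudonymisation
# service (e.g. the DSCRO) and is never given to the analysts or the CCG.
KEY = b"constructed-demo-key-do-not-reuse"


def nhs_number_valid(nhs_number: str) -> bool:
    """Modulus 11 check digit used by the NHS number.

    Weights 10..2 are applied to the first nine digits; the check digit is
    11 minus (sum mod 11), where a result of 11 means 0 and a result of 10
    means the number cannot be valid at all.
    """
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def pseudonymise(nhs_number: str, key: bytes) -> str:
    """Map an NHS number to a keyed pseudonym (HMAC-SHA256, hex).

    The same key always gives the same pseudonym, so records about one
    person can be linked across datasets. Without the key the NHS number
    cannot be recovered; an unkeyed hash would not do, because all 10^9
    candidate numbers could simply be hashed and matched against it.
    """
    if not nhs_number_valid(nhs_number):
        raise ValueError("not a valid NHS number")
    digits = nhs_number.replace(" ", "")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the NHS number with a pseudonym and drop direct identifiers."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudo_id": pseudonymise(rec["nhs_number"], key), **kept})
    return out


def link_datasets(left: list[dict], right: list[dict]) -> list[dict]:
    """Join two pseudonymised datasets on pseudo_id, keeping matches only."""
    by_id = {r["pseudo_id"]: r for r in left}
    return [{**by_id[r["pseudo_id"]], **r} for r in right if r["pseudo_id"] in by_id]


# Constructed GP extract (identifiable) and hospital (SUS-style) extract.
# Note the GP extract formats NHS numbers with spaces and the SUS extract
# does not; pseudonymise() normalises that, otherwise linkage would fail.
GP_RECORDS = [
    {"nhs_number": "943 476 5919", "name": "Patient A", "postcode": "B16 9PA",
     "date_of_birth": "1950-01-01", "long_term_condition": "diabetes"},
    {"nhs_number": "943 476 5870", "name": "Patient B", "postcode": "B1 1AA",
     "date_of_birth": "1962-05-05", "long_term_condition": "copd"},
]
SUS_RECORDS = [
    {"nhs_number": "9434765919", "admission": "2016-03-04", "specialty": "cardiology"},
    {"nhs_number": "9434765870", "admission": "2016-06-12", "specialty": "respiratory"},
    {"nhs_number": "9434765889", "admission": "2016-07-01", "specialty": "orthopaedics"},
]


def demo(key: bytes = KEY) -> list[dict]:
    """Pseudonymise both extracts with one key and link them."""
    gp = pseudonymise_records(GP_RECORDS, key)
    sus = pseudonymise_records(SUS_RECORDS, key)
    return link_datasets(gp, sus)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two properties matter for a privacy notice like this one. First, linkage only works when both extracts were pseudonymised under the same key, which is why the key must live with the pseudonymisation service rather than with the organisation doing the analysis. Second, a keyed code is reversible only by whoever holds the key, so the commissioner receiving the linked output cannot get back to the NHS number, whereas a bare hash of a ten-digit number would offer no such protection.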

Patient opt out

The NHS Constitution states "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".

There are several forms of opt- outs available at different levels.  These include for example:

  1. Information directly collected by the CCG: Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation.
  2. Information not directly collected by the CCG, but collected by organisations that provide NHS services:

Type 1 opt-out

If you do not want personal confidential data that identifies you to be shared outside your GP practice for purposes beyond your direct care, you can register a 'Type 1 opt-out' with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice. Records for patients who have registered a 'Type 1 opt-out' are identified by a particular code applied to the medical record, which stops the record from being shared outside the GP practice.

Type 2 opt-out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. To support these NHS constitutional rights, patients in England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care; this is known as a 'Type 2 opt-out'. If you do not want your personal confidential information to be shared outside NHS Digital for purposes other than your direct care, you can register a 'Type 2 opt-out' with your GP practice. Alternatively, see NHS Digital's 'Your personal information choices' pages.

Patients are only able to register the opt-out at their GP practice, as the CCG cannot do this.

You have the right to consent to, refuse or withdraw consent to information sharing at any time. There may be consequences of not sharing, and these will be fully explained to you to help you make your decision, as in some circumstances this could affect your health and wellbeing. This applies to any organisation that holds and processes your information.

Main partner organisations

  • NHS hospital trusts
  • GPs
  • Ambulance services
  • Other CCGs where joint commissioning takes place
  • External organisations providing healthcare services to the NHS.

We may also share your information, subject to strict agreements with:

  • Social services
  • Education services
  • Local authorities
  • Voluntary sector providers.

An example of how we share de-identified statistical information would be with Public Health (Local Authority), so that they can understand health trends and information across our local area compared against other areas.

Instances where consent may not be sought

Where personal information is used we will seek your consent to do this, however there may be certain circumstances in which we are legally required to share your personal information without your consent for example:

  • By a court order
  • Safeguarding
  • Prevent disorder or crime
  • Notifiable diseases.

Data Processors

We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure that the external data processors that support us are legally and contractually bound to operate, and to demonstrate, appropriate security arrangements wherever data that could or does identify a person are processed.

Currently, the external data processors we work with include (amongst others):

  • Arden & GEM Commissioning Support Unit (CSU), they carry out the following on our behalf:
    • Individual Funding Requests (IFR)
    • Continuing Healthcare Assessment and case management
    • Invoice Validation.
  • Midlands & Lancashire Commissioning Support Unit (CSU), they carry out the following on our behalf:
    • Risk stratification
    • Business intelligence.
  • Optum Health Solutions (UK) Limited, they carry out on our behalf:
    • Risk stratification

What are your rights - gaining access to the data we hold about you

Everyone has the right to request, see, or have a copy, of data we hold that can identify them, with some exceptions. You do not need to give a reason to see your data, but you may be charged a fee. This is known as a subject access request. You will need to put your request in writing to us.

You can also request the following should you feel we hold inaccurate information:

  • You can request information is corrected
  • Have the information updated where it is no longer accurate
  • Ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive.

If you wish to have a copy of the information that the CCG holds about you, please contact: Donna Dallaway, Senior Information Governance & Compliance Manager, on 0121 255 0860. There may be a charge for this information.

Please note: the CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of, your own personal health care records you will need to apply to your GP practice, the hospital or the NHS organisation which provided your health care.

Complaints about how we handle your information

If you wish to make a complaint about how we handle your information, please contact: Donna Dallaway, Senior Information Governance & Compliance Manager, on 0121 255 0860.

Caldicott Guardian

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012.

The CCG's Caldicott Guardian is Jenny Belza, Chief Nurse and Quality Officer.

Senior Information Risk Owner

We have also appointed a Senior Information Risk Owner (SIRO), who is accountable for the management of all information assets and any associated risks and incidents. Our SIRO is Dr Masood Nazir.

Should you require further information on the Data Protection Act 1998 and your rights please see the information below:

  • Information Commissioner's Office website
  • The NHS Care Record Guarantee: The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people’s access to their own records; controls on others’ access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. It was last reviewed in January 2011. Please read the NHS Care Record Guarantee version 5 (2011) for more information.
  • NHS Constitution: The NHS is founded on a common set of principles and values that bind together the communities and people it serves – patients and public – and the staff who work for it. The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
  • Caldicott Review: an independent review of how information about patients is shared across the health and care system, led by Dame Fiona Caldicott, was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review, is available from the Department of Health.

Changes to this privacy notice

We regularly review our privacy notice. This privacy notice was updated on 13 September 2016.
