Fair processing notice for NHS Coastal West Sussex Clinical Commissioning Group
1 The Causeway, Goring-by-Sea, Worthing, West Sussex BN12 6BT
NHS Coastal West Sussex Clinical Commissioning Group (CCG) holds some information about you. This page explains why we hold this information, how it is used, with whom we share it, how we keep it confidential and your rights in relation to it.
NHS Coastal West Sussex CCG is the local NHS organisation that brings together local GPs and experienced health professionals to take on planning, buying and monitoring responsibilities (also known as commissioning) for local health services. The CCG is responsible for planning, buying and monitoring:
We also have a role which includes managing patient feedback, including complaints, from our patients about services offered. This helps us to understand what is working well and what is causing problems for our patients.
Further information about our work is available online.
The CCG uses the following types of information/data:
We use anonymised data to plan health care services. Specifically we use it to:
There are some limited exceptions where we may hold and use sensitive personal information about you. For example the CCG is required by law to perform certain services that involve the processing of sensitive personal information.
The areas where we regularly use sensitive personal information include:
Sensitive personal information may also be used in the following cases:
In each of these circumstances the information the CCG holds will be different, as it will be dependent on what is necessary for the individual area of our work.
Sometimes we will need information about you including personal details such as your:
However, the information held will only be relevant to the area of work.
For example, you may have only provided your name, address and email address to sign up for our ePanel, but if you are receiving NHS Continuing Healthcare then the team will have records about your care to date and your condition.
We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.
In order to perform our commissioning functions, information may be shared between various organisations including: acute and mental health hospitals, GP practices, community services, other CCGs, commissioning support units (CSU), ambulance services, local councils (social services and public health) and voluntary sector and other health organisations.
The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre) ways of collecting and using patient data that cannot identify a person. This information helps commissioners to design and procure the combination of services that best suit the population they serve.
We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices and in the section ‘Your right to Opt Out’ below.
NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how NHS Digital look after information for more detailed documentation.
NHS England recognises the importance of protecting personal and confidential information in all that they do, direct or commission and takes care to meet its legal duties. Follow the links on the How NHS England uses your information page for more details.
NHS Coastal West Sussex CCG is an Accredited Safe Haven (ASH) under an NHS Act 2006 Section 251 exemption which enables us to hold and process NHS numbers for commissioning purposes. We have a signed Data Sharing Agreement with NHS Digital (formerly the Health & Social Care Information Centre) for them to provide us with weakly pseudonymised data (i.e. your NHS Number). All information received through this service is stored securely within an accredited safe haven environment accessible only to authorised team members.
Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (hospital inpatient, outpatient and A&E data). In some cases there may also be a need to link local datasets which could include a range of acute-based (hospital) services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CCG does not have any access to patient identifiable data for this purpose.
We may also contract with other organisations to process data. These organisations are known as data processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. Currently, the external data processors we work with are listed in the table below under ‘For other organisations to provide support services to us’.
Although this is not an exhaustive detailed listing, the following lists key examples of the purposes and rationale for why we collect and process information:
To process your personal information if it relates to a complaint where you have asked for our help or involvement. We will need to rely on your explicit consent to undertake such activities.
Complaint processing activities
The CCG uses NHS South Central and West Commissioning Support Unit to help us manage complaints. When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service being provided.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We may use service user stories, following upheld complaints, but always anonymously, via our Quality Committee. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we use the service user story.
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This may be called an “individual funding request” (IFR).
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent.
We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and funded nursing care, and commission resulting care packages.
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
CWS CCG uses an electronic system known as Caretrack provided by CHS Healthcare Limited, who are based at 1 Wrens Court, 53 Lower Queen Street, Sutton Coldfield, West Midlands B72 1RT. Caretrack is used to record the detail of those service users who have applied for Continuing Healthcare and Funded Nursing Care, and for recording the actions taken by Continuing Healthcare staff in the management of the service.
We also use an electronic system called INTEND, which is provided by West Sussex County Council. This system is used to obtain suitable packages of care for service users from an approved list of care providers.
To improve the assessment processing of retrospective continuing healthcare claims, the CCG has contracted CHS Healthcare Limited to assess some claims. The process is explained to affected claimants and explicit consent is obtained before any personal information is shared.
We will collect and process your personal information where you have asked us to support you to choose a health provider.
Your GP will discuss your needs with you, and when together you have agreed that you need to be referred for specialist treatment, your GP practice will forward your referral to our team of Patient Choice Navigators (PCNs) at the CCG. Using the NHS e-Referral System (formerly Choose and Book) we will help you to make an informed choice. Information will only be shared when you have agreed with your GP that a referral is the best course of action.
In accordance with the NHS Constitution, you have the right to choose when and where you wish to be treated and in a timely manner.
When you need to be seen by a specialist, the CCG is committed to ensuring that whenever possible, you receive a timely outpatient appointment at a provider of your choice. Your GP will provide you with a booking card and a telephone number for you to contact the team. You are then asked to contact the Patient Choice Navigators five days after seeing your GP so they can work with you to book your appointment.
Following discussion with you, the Patient Choice Navigators will send your referral on to the hospital or community provider of your choice, who will then contact you to confirm your appointment. If you do not make contact with the PCN within 10 days of the team receiving your referral then an appointment may be booked for you.
If you have any concerns or questions about your information being passed to the Patient Choice Navigators then please speak to a member of the practice team.
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.
With your consent, we use information to enable pharmacists, pre-registration pharmacist trainees and technicians to work with CWS GP practices to optimise prescribing and medicines use; to enable the processing of financial, clinical and usage information about specialist medicines prescribed by our healthcare partners and paid for by the CCG.
We are committed to supporting GPs and hospitals that we commission services from to optimise your medicines effectively, in ways that are consistent with the laws that protect your confidentiality. The use of identifiable data by pharmacists, CCGs and GPs for managing medicines use is supported through NHS England policy and direction. Your clinician will ask for your consent to share information with us.
Data processing activities
Your GP will discuss your medicines needs with you, and when together you have agreed that you would benefit from a review of your medicines with or by a pharmacist, your GP practice will forward your details to our team of pharmacists working with your GP surgery. The pharmacists will be employed by the CCG, but working as a member of the practice team and will follow all practice processes to protect your confidentiality.
For processing patient data about certain specialist medicines prescribed and supplied to you by hospitals, the CCG works with a system called Blueteq, which processes patient information using a secure hosted system. The doctor or specialist nurse completes one of a choice of ‘tick box forms’ to provide assurance that the treatment is clinically and financially appropriate. The Blueteq system then creates an individual patient record held in a central secure location. The hospital pharmacy team view the partially completed submission on Blueteq and add further information about the medicine. Basic details such as your NHS number, hospital number and your age, along with information about your health and wellbeing relevant to your application, are then available for the CCG to view to ensure all such treatments are clinically appropriate and match the invoices sent to the CCG.
Pro-active care management is a process that helps your GP to help you manage your health. To do this population data is analysed to provide lists of patients to GPs where a person may benefit from a targeted healthcare intervention: we call this risk stratification. Risk stratification is based on research that shows a person who has a recognised history and characteristics may avoid an undesirable health outcome if the signs are recognised and a particular action is taken early enough.
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.
NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.
Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
Data processing activities for risk stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems. The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
The risk stratification system commissioned by the CCG is called the ‘Sussex Combined Predictive Model’ and is provided by South East Commissioning Support Unit, who are based at 1 Lower Marsh, Waterloo, London SE1 7NT; they are our data processors. This processing for risk stratification takes place under contract with South East Commissioning Support Unit, following the steps below:
South East Commissioning Support Unit has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient. The risk scores are only made available to authorised users within the GP practice where you are registered via a secure portal managed by CWS CCG.
This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.
If you do not wish information about you to be included in our risk stratification programme, please contact your GP practice. They can add a code to your records that will stop your information from being used for this purpose.
Further information about risk stratification is available from NHS England.
The process ensures that those who provide you with care and treatment can be paid.
NHS Shared Business Services process invoices on behalf of NHS CWS CCG. They do not require and should not receive any patient confidential data to provide their services. NHS England has published guidance on how invoices must be processed and commissioners have a duty to detect, report and investigate any breaches of confidentiality.
Further information about invoice processing is available from NHS England.
The validation of financial invoices is undertaken within a controlled environment for finance within the NHS South Central and West Commissioning Support Unit (SCW CSU) which is based at Omega House, 112 Southampton Road, Eastleigh, SO50 5PB. This service ensures that the invoice is accurate and genuine and supports our CCG in ensuring public monies are spent appropriately.
The dedicated SCW CSU team receives patient level information direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. The CCG does not receive or see any patient level information relating to these invoices. There may be occasions when patients contact us directly, or initiate the invoice, such as a claim for transport costs or a review of retrospective NHS Continuing Healthcare funding, when a patient's details may be shared in order to pay the individual, and this process is communicated at the time.
Further information about invoice validation is available from NHS England.
To give members of the general public or staff at NHS trusts an additional option when contacting the CCG. The website form enables people to contact us even when they are using a computer which doesn't have an email client (e.g. Outlook) installed and configured for their use.
The form is one of several options provided on the website to contact us (also post, email, telephone or in person at our office). Use of the form and the nature of the information included is entirely at the user's discretion. There are two required fields (name and email) which enable us to contact the sender back if required, and a third free-text field for the user's message. Messages sent via the form are received at firstname.lastname@example.org. Automatic administrative emails from our website to our website users are provided by SMTP2GO.
If you are a member of the CWS CCG ePanel, we will collect and process personal confidential data which you share with us. This data is held offline locally and is managed by the Communications and Engagement Team.
If you have completed an online survey then the responses (but not your personal details unless you voluntarily included them within your response) are held by the survey tool Survey Monkey.
If you are actively involved in our engagement and consultation activities or patient participation groups, but you are NOT a member of the ePanel we will collect and process personal confidential data which you share with us. This data is held locally and is managed by the Communications and Engagement Team.
Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
To collect NHS data about service users that we are responsible for. Our legal basis for collecting and processing information for this purpose is statutory.
Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.
This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS England and they relate to service users registered with GP practices that are members of the CCG.
These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.
The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.
More information about how this data is collected and used by NHS Digital, and the specific terms, conditions and security controls that we are obliged to follow when using these commissioning datasets is available on the NHS Digital website.
We also receive similar information from GP practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP practice and they can apply a code to your records that will stop your information from being included.
The CCG will use the services of these additional data processors, who will provide additional expertise to support the work of the CCG:
We have entered into contracts with other organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:
These organisations are subject to the same legal rules and conditions for keeping personal data confidential and secure and are underpinned by a contract with us.
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
To support research oriented proposals and activities in our commissioning system
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.
Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.
Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.
Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.
If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.
Where information from which you can be identified is held, you have the right to ask to:
The CCG holds limited records containing personal information, for example continuing healthcare applications; it does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to your GP practice, the hospital or NHS organisation which provided your health care.
Everybody has the right to see, or have a copy of, data we hold that can identify them, with some exceptions. You do not need to give a reason to see your data, but you may be charged a fee.
If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld.
If you wish to have a copy of the information we hold about you, please note that there may be a charge for this (of up to £50). Please contact:
We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
There may be certain circumstances where we are legally required to give your information to other people without your consent, for example:
In these circumstances, you will not be able to ‘opt-out’ of your information being shared.
Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. Your information is also handled in line with the Caldicott principles.
The NHS Constitution makes certain pledges which go above and beyond your legal rights and are a commitment to provide high-quality health services. You can see all the pledges the NHS makes to patients by downloading the NHS Constitution. In respect of your information, the NHS Constitution sets out the following rights:
There is also a helpful handbook to the NHS Constitution, which is designed to give the public and patients, including their carers and families, all the information they may need about the NHS Constitution for England.
This sets out the rules that govern how patient information is used in the NHS and what control you can have over this. It covers:
Everyone who works for the NHS or for organisations delivering services under contract to the NHS also has to comply with the NHS Care Record Guarantee which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. For more information you can download the NHS Care Record Guarantee version 5 (2011).
The NHS Digital Code of Practice on Confidential Information and NHS Confidentiality Code of Practice applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations and on secure systems, and is securely destroyed when no longer required. We restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
The CCG’s Clinical Director is responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. They are supported by another executive member of staff who is responsible for information risk and information security; this person is called the Senior Information Risk Owner or SIRO. The SIRO and Caldicott Guardian can be contacted via email@example.com (tel: 01903 708400).
The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by Coastal West Sussex Clinical Commissioning Group).
All records held by the CCG will be kept for the duration specified by national guidance from the Department of Health.
In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision.
If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact us.
There are several forms of opt-outs available at different levels. These include for example:
If you do not want personal confidential information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.
To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care. This is known as a 'Type 2 opt-out'.
If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.
Patients are only able to register the opt-out at their GP practice.
For further information and support relating to Type 2 opt-outs please contact NHS Digital at firstname.lastname@example.org referencing 'Type 2 opt-outs - Data requests' in the subject line.
Alternatively, call NHS Digital on (0300) 303 5678; or visit the NHS Digital website for information about type 2 opt-outs.
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
In theory, you can request any information that Coastal West Sussex CCG holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act under FOIA. However you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.
Your request must be in writing and can be either posted or emailed to us as follows:
The FOI Co-ordinator, Coastal West Sussex Clinical Commissioning Group
1 The Causeway, Goring-by-Sea, West Sussex BN12 6BT
Or email to: email@example.com
Freedom of Information Requests are managed by a team at South Central and West Commissioning Support Unit.
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Visit the ICO website.
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact: