Privacy Notice

Your Information And How We Use It

NHS Lincolnshire East CCG may hold some information about you. This document outlines how that information is used, who we may share that information with and how we keep it secure. Download the full document here >>

This notice does not provide exhaustive detail. However, we are happy to provide any additional information or explanation needed. The CCG is required to have a Data Protection Officer and for Lincolnshire East CCG this is Judith Jordan, NHS Arden & Greater East Midlands Commissioning Support Unit (AGEM CSU).  Any enquiries about our use of your personal data should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or c/o Data Protection Officer, Lincolnshire East CCG, Cross O’Cliff Court, Bracebridge Heath, LN4 2HN.  Telephone contact can be made on 0121 611 0730.
 

We keep our Privacy Notice under regular review. This Privacy Notice was last reviewed in June 2018.

1. What we do

2. How we use your information

3. What kind of information we use?

4. What do we use anonymised data for?

5. What do we use your special category and personal information for?

6. Do you share my information with other organisations?

7. Datasets accessed by the CCG

8. Currently, the external data processors we work with include (amongst others)

9. Paying Invoices – invoice validation

10. What are your rights?

11. What safeguards are in place to ensure data that identifies me is secure?

12. How long do you hold confidential information for?

13. Gaining access to the data we hold about you

14. What is the right to know?

15. What sort of information can I request?

16. How do I make a request for information under the Freedom of Information Act?

17.For independent advice about data protection, privacy, data sharing issues and your rights you can contact

18. Website technical details

19. Data retention policy

20. Server statistics

21. Analytics


1. What we do

Our CCG is responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers such as hospitals and GP practices for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on services offered.

2. How we use your information

Our CCG holds some information about you and this document outlines the lawful basis on which we process information, how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this.

3. What kind of information we use?

We use the following types of information/data:

• identifiable - containing details that identify individuals

• pseudonomised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code

• anonymised - about individuals but with identifying details removed

• aggregated - anonymised information grouped together so that it doesn't identify individuals

4. What do we use anonymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

• check the quality and efficiency of the health services we commission

• Prepare performance reports on the services we commission

• work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future

• review the care being provided to make sure it is of the highest standard

5. What do we use your special category (perviously known as sensitive category) and personal information for?

There are some limited exceptions where we may hold and use sensitive personal information about you. For example the CCG is required by law to perform certain services that involve the processing of special category personal information.

The areas where we use special category and personal information include:

• a process where you or your GP can request special treatments that is not routinely funded by the NHS, which are known as Individual Funding Requests. The lawful basis for this processing is based on the consent you will have provided to enable this request to be processed

• assessments for continuing healthcare and appeals. The lawful basis for this processing is based on the consent you will have provided to enable these assessments to take place 

 
• responding to your queries, compliments or concerns.. . The lawful basis for this processing is to enable us to fulfil our legal obligations when you contact us in relation to the above.  If your information needs to be shared further in relation to complaints or concerns then your consent will be sought for this additional processing. 

 
• assessment and evaluation of safeguarding concerns. The lawful basis for this processing is to enable the CCG to fulfil a public task, in which case the processing has a clear basis in law.  


• where there is a provision permitting the use of special category personal information under specific conditions, for example to:

  • understand the local population needs and plan for future requirements, which is known as “Risk Stratification for Commissioning".

  • ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”.

The lawful basis for processing data in relation to the above is on the basis of fulfilling a public task, in which case the processing has a clear basis in law

Special category and personal information may also be used in the following cases: 

 where the information is necessary for your direct healthcare, in which case the processing will be based on consent you have provided

where we are responding to a Member of Parliament communication on our behalf where the processing will be based on consent you have provided

where you have freely given your informed agreement (consent) for us to use your information for a specific purpose

where there is an overriding public interest in using the information e.g., in order to safeguard an individual or to prevent a serious crime. The lawful basis for processing data in relation to the above is on the basis of fulfilling a public task, in which case the processing has a clear basis in law.  

• where there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).  The lawful basis for processing data in relation to the above is on the basis of  fulfilling a public task, in this case the processing has a clear  basis in law. 

6. Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre), with ways of collecting and using patient data that cannot identify a person, to help commissioners to design and procure the combination of services that best suit the population they serve.

We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your direct care you can choose to opt-out. The ‘National Data Opt-out’ programme commenced on the 25th May, providing a facility for individuals to opt-out from the use of their data for research or planning purposes. This is provided in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

A new website
https://www.nhs.uk/your-nhs-data-matters/ has been launched which enables you to find out more about how your data is used across health and care and to make a choice.

NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information/understanding-the-health-and-care-information-we-collect for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that they do, all that they direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information
page for more details.
 
 7. Datasets accessed by the CCG

GP Data and Secondary Uses Service (SUS) data (in-patient, out-patient and A&E) may be de-identified and linked so that it can be used by us to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as SUS data. In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc., as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc.  When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity, as the CCG does not have any access to patient identifiable data through this process.

We also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person is processed.

8. Currently, the external data processors we work with include (amongst others):

  • NHS Arden & Greater East Midlands Commissioning Support Unit (AGEM CSU) and

  • Optum Commissioning Support Services (Optum CSS)

9. Paying Invoices – invoice validation

The validation of invoices is undertaken in line with NHS requirements to ensure that the CCG is paying for treatments relating to its patients only. NHS Lincolnshire east CCG receives identifiable data into their Controlled Environment for Finance (CEfF) to securely support the invoice validation process. As a Data Controller the CCG is allowed to process Personal Confidential Data (PCD) which is required for invoice validation purposes under an authorisation from NHS England. This approval is subject to a set of conditions. The legal basis for this processing is under the Health Service (Control of Patient Information) Regulations 2002 (a) also known as ‘section 251 support’) and details of Confidentiality Advisory Group (CAG) approval CAG 7-07(a-c)/2013 are provided at https://www.hra.nhs.uk/planning-and-improving-research/application-summaries/confidentiality-advisory-group-registers/

10. What are your rights?

Where information from which you can be identified is held, you have the right to ask to:

• view this or request copies of the records by making a subject access request

Under the General Data Protection Regulation, which is effective in UK law through the Data Protection Act 2018, individual rights are summarised as

  • The right to be informed
  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision making and profiling

In relation to healthcare records some of these rights are qualified rights.  If you require further information regarding these rights or to access records we may hold about you please contact the CCG Data Protection Officer using the details provided earlier in this document. 

11. What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 2018. The Data Protection Act requires us to process personal data only if there is a lawful basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

The law and the common law duty of confidentiality applies to all of our staff. They are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

The CCG has an Executive Director, Tracy Pilcher (Chief Nurse), responsible for protecting the confidentiality of patient information. This person is also the Caldicott Guardian and can be contacted on This email address is being protected from spambots. You need JavaScript enabled to view it.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by CCG name).

12. How long do you hold confidential information for?

All records held by the CCG will be kept for the duration specified in the NHS national guidance “Records Management Code of Practice for Health and Social Care 2016”.

13. Gaining access to the data we hold about you

The CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your of your own personal health care records please apply to your GP Practice, the hospital or NHS organisation which provided your health care.

Every individual has the right to see, or have a copy, of data held that identifies you, known as a Subject Access Request. You do not need to give a reason to see your data. Under special circumstances, some information may be withheld.

If you wish to have a copy of the information we hold about you, please contact the CCG Data Protection Officer using the details provided earlier in this document.

14. What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

15. What sort of information can I request?

You can request any information that we hold, that does not fall under an exemption.

16. How do I make a request for information under the Freedom of Information Act?

Your request must be in writing and can be either posted or emailed to OPTUM CSS at the address detailed below. The service is managed by the team at Optum Commissioning Support Services.

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

For postal requests, please send to the following address:

Optum Commissioning Support Services
South Kesteven District Council Offices
St. Peter’s Hill
Grantham
Lincolnshire NG31 6PZ

17. For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

ICO website https://ico.org.uk/

18. Website technical details

a. Forms

We do use electronic forms on our website making use of an available ‘forms module’ which has a number of built-in features to help ensure privacy. We also aim to use secure forms where appropriate.

In compliance with EU legislation, the following table lists the use of cookies on this web site:

Cookie Name

Purpose

useTextOnly

This is used to store whether you are in textOnly mode or not.
Persistent for three months.

setString

This is used to store user preferences for viewing sites in textOnly mode e.g. font-size and colour.
Persistent for one month.

SitekitLogin

This is used to store the username and password for ‘remember my login’ feature on extranets.
Persistent for one month.

SKSession

This cookie has two functions.
Firstly it serves as a session cookie for extranet users. Without this cookie, an extranet user will have to login to each individual page in the extranet.
It also enables us to track the pages that a user visits while they navigate around the site.

AcceptCookies

This is used to store whether you have agreed to receive cookies.
Persistent for one year.

Google Analytics
_utma
_utmb
_utmc
_utmz

These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.

Cookies are small. We do not make use of cookies to collect any private or personally identifiable information. The technical platform of this website uses cookies solely to aid the proper technical functioning of the website. The cookies used contain random strings of characters alongside minimal information about the state and session of the website – which in no way collects or discloses any personal information about you as a visitor.

If you chose to, for any secure pages of this website, you can elect to save login information in a cookie to facilitate faster login to a private area of this site. A notification is given before any such cookie is dropped, and the process is ultimately within your control. Even where this is used, the cookie still contains minimal authentication information, and does not contain any private or personal data.

Advanced areas of this site may use cookies to store your presentation preferences in a purely technical fashion with no individually identifiable information. Note also our statement on analytics software below – as analytics software also uses cookies to function.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.

To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

19. Data retention policy

Our platform operates with a clear data-retention policy in order to comply with the Privacy Enhancing Technology guidance from the Information Commissioner. This means that data has predefined time limits for storage and is only retained by the system for as long as it is considered useful.

20. Server statistics

Like almost all websites, we have access to server statistics which provide aggregate statistics on bandwidth and server load. This load data is used to manage bandwidth effectively and for billing purposes. It is important for us to collect and monitor this information because we pay for a server bandwidth allowance and are liable for the costs of increases beyond our allowance.

The server statistics are not designed to collect any individually identifiable information and the reports we receive are generally numerical and in graph format.

Alongside the server statistics, our Content Management System, collects information on: popular search terms used on the website, which we have access to in order to arrange our pages better; visitor path information, which we have access to for future design considerations; and download popularity (numerical by month), which we use to organise the file libraries better.

21. Analytics

Like most websites, we make use of analytics software in order to help us understand the trends in popularity of our website and of different sections. We make no use of personally identifiable information in any of the statistical reports we use from this package.

We use an analytics package called Google Analytics who provides details of their privacy policy on the Google website.