Data protection

About this notice

The purpose of this notice is to tell you what information we – Birmingham and Solihull Clinical Commissioning Group – collect and hold about you, what we do with it, how we will look after it and who we may share it with. We also explain your rights in respect of your information and the choices you can make about the way your information is used and how you can opt out of any sharing arrangements that may be in place.

The notice covers information we collect directly from you, or collect indirectly from other people or organisations for people who are registered with a Birmingham and Solihull CCG practice.

This information is not exhaustive. We are happy to provide any additional information or explanation needed. Please see the section entitled Birmingham and Solihull CCG contacts below.

Letting you know when things change

We check these details regularly to make sure that they are up-to-date and tell you how we are using your information. The last time these details were checked was May 2018.

From 25 May 2018 data protection law changed. From that point forward the Data Protection Act 1998 was repealed (abolished) and a new law called the General Data Protection Regulations (GDPR) came into force. Shortly afterwards, the Data Protection Act 2018, which is to be read alongside GDPR, will also come into force.

Who we are and what we do

Birmingham and Solihull CCG is responsible for designing, securing, planning, buying, monitoring and improving the quality of healthcare for people who are registered with one of our 177 practices. This is known as commissioning.

The services we commission include: planned and emergency hospital care, mental health services, rehabilitation and most community services, but we don’t provide care directly. We are also responsible for monitoring the performance of the non-care services we provide directly, and those which we have paid for, which includes responding to any concerns raised by our patients.

The CCG was established on 1 April 2018 following the merger of Birmingham CrossCity, Birmingham South Central and Solihull CCGs and is clinically led by doctors, nurses and other professionals. The work of the CCG is overseen by NHS England.

The CCG has a legal duty to ensure that it makes arrangements for the provision of high quality, safe, effective and efficient healthcare for people who are registered with one of its member practices where this is not purchased centrally by NHS England. The CCG also has a duty to ensure that patients have equal access to services and are able to achieve the same outcomes, regardless of differences in their personal situation. The CCG has a duty to involve patients, their relatives and carers in any decisions about the prevention and diagnosis of illness and their care and treatment and, wherever possible, enable patients to make choices about the healthcare provided to them.

Further information on the duties and powers of the CCG can be found at: Duties and Powers of Clinical Commissioning Groups.

Birmingham and Solihull CCG contacts

Although all NHS staff have a legal duty to keep your personal information confidential, the CCG has identified specific people who are responsible for making sure that your information is handled properly and your rights and wishes are respected. If you have any concerns or queries about how we collect, use and share your information, you can contact the people below directly:

Caldicott Guardian

Our Caldicott Guardian is responsible for making sure that your information is handled properly in line with your rights and the law:

  • Dr Richard Mendelsohn, NHS Birmingham and Solihull CCG, Floor Four, Attwood Green Health Centre, 30 Bath Row, Birmingham, B15 1LZ. Telephone 0121 203 3300 or email [email address not shown].

Senior Information Risk Officer (SIRO)

Our Senior Information Risk Officer (known as a SIRO) is responsible for ensuring that your information is handled securely:

  • Philip Johns, NHS Birmingham and Solihull CCG, Floor Four, Attwood Green Health Centre, 30 Bath Row, Birmingham, B15 1LZ. Telephone 0121 203 3300 or email [email address not shown].

Data Protection Officer

Our Data Protection Officer (known as a DPO) is a Data Protection and Information and Cyber Security expert, reporting directly to the highest level of management within the CCG.

The DPO acts independently and is responsible for informing and advising the CCG and our staff of their obligations under the existing and forthcoming data protection related law. The DPO is also responsible for awareness-raising, staff training, the provision of advice and monitoring the CCG’s compliance with all European and UK data protection law and the CCG’s data protection related policies.

  • Paul Sherriff, NHS Birmingham and Solihull CCG, Floor Four, Attwood Green Health Centre, 30 Bath Row, Birmingham, B15 1LZ. Telephone 0121 203 3300 or email [email address not shown].

Information Governance team

The Information Governance team is responsible for supporting the Caldicott Guardian, Senior Information Risk Officer and the Data Protection Officer in ensuring that your personal information is collected, used and shared appropriately, securely and in line with the law.

  • Information Governance Team, NHS Birmingham and Solihull CCG, Floor Four, Attwood Green Health Centre, 30 Bath Row, Birmingham, B15 1LZ. Telephone 0121 203 3300 or email [email address not shown].

Complaints team

The Complaints team is responsible for handling any complaints or concerns you may have about the handling of your information.

  • Complaints Team, NHS Birmingham and Solihull CCG, Floor Four, Attwood Green Health Centre, 30 Bath Row, Birmingham, B15 1LZ. Telephone 0121 203 3313 or email [email address not shown].

How we use your information

So that we can commission services for you, ensure that they are safe, efficient, effective, and of good quality, we need to use certain information about you.

We make sure that any information we collect and use about you is protected and used in line with our duties under the Human Rights Act 1998, the Common Law Duty of Confidentiality, the General Data Protection Regulations, and the Data Protection Act 2018. 

The CCG uses different types of data/information which are:

  • Personal confidential data/identifiable – containing details that tell us who you are
  • Pseudonymised data/information – data which is about you, but does not tell us who you are because any identifiers will have been replaced with something which would not identify you
  • Anonymised data – all data or information which could identify who you are will have been removed
  • Aggregated data/information – data or information is grouped together so that it does not identify any person.

Birmingham and Solihull CCG is registered as a Controller with the Information Commissioner’s Office. A Controller is an organisation which is responsible for deciding how your information is handled and making sure that your information is protected and used appropriately. The Information Commissioner’s Office is the organisation which makes sure that your information is handled properly.

Our Data Protection Registration Number is ZA318600.  You can view our Data Protection Registration here.

How we make sure that your information is protected

Keeping your information safe and secure

We do a number of things to make sure that your information is safe. This includes controlling access to our building and making sure that the people we employ are honest and trustworthy and understand how they should handle your information safely.

We ensure that all laptops are encrypted, which means that any information held on them is scrambled so that someone who does not have the key cannot gain access to it.

We make sure that the computer systems we use are secure and protected against people who should not have access to your information being able to see it.

Monitoring

We carry out regular checks to make sure that the protection we have put in place is working properly and that your information is safe and secure.

External organisations

We also make sure that any organisations who provide services to us, or who we work with are honest and trustworthy and have the same sort of protection in place as we do, including making sure that the people they employ are fully trained and that checks have been made to make sure that they are trustworthy and honest before they are employed.

Sharing information with external health and social care organisations

The Health and Social Care Act (2012) requires health and social care organisations to work collaboratively to ensure you receive the best possible service from different organisations. To achieve this we need to ensure that relevant information is shared securely and in a timely manner between different health and social care organisations that provide you with care.

Information Sharing Agreements and contracts will be in place ensuring these arrangements meet the requirements of:

  • The Health and Social Care Act 2012;
  • General Data Protection Regulations and the Data Protection Act;
  • The Common Law Duty of Confidence and;
  • The Human Rights Act 1998

so that your confidentiality, data protection and human rights are not breached. 

Whenever we make a new arrangement to share information externally, we will undertake a Data Protection Impact Assessment Screening to identify any data processing which could result in a high risk to your privacy, to the protection of your data, or your confidentiality. If we find that any of the planned processing is likely to be high risk, we will conduct a full Data Protection Impact Assessment, to ensure that the risks are reduced. We also make sure that a legal basis has been identified for sharing the information before we share it.

Sharing information with external third party suppliers

We will also, in the course of our business, work with third party suppliers who process information on our behalf. Birmingham and Solihull CCG will work with partner organisations to ensure that appropriate Data Processing Agreements and contracts are in place, setting out the security standards and legal obligations required to be met to protect your information. Only the minimum necessary information for the purpose will be shared, and only where Pseudonymised/Anonymised data cannot be used.

Further details of the information we collect and use and the external organisations we work with can be found in the section entitled "Why we collect and use information" below.

NHS staff duties

Everyone working for the NHS is required to comply with the General Data Protection Regulations, the Data Protection Act 2018, the Human Rights Act 1998 and the Common Law Duty of Confidence.  Information provided to us in confidence will only be used for the purposes changes.

Under the General Data Protection Regulations and the Data Protection Act 2018, all of our staff have to protect your information, inform you of how your information will be used, and let you decide if and how your information can be shared. Any decisions you make about how we can use information we hold about you will be recorded along with that information.

Securely destroying your information when it is no longer needed

We only keep your information for as long as we need it to provide the service or comply with a legal obligation. When we no longer need to keep your information, we will securely destroy it.

If we have your information on paper, it will be stored in locked confidential waste bins. The confidential waste is then collected and securely shredded on-site by a commercial company. Once your information is shredded, we receive a certificate to confirm that your information has been securely destroyed.

If we have your information on a computer system, all copies will be deleted.  Before any electronic storage devices are disposed of by Midlands and Lancashire Commissioning Support Unit, who are our Information Technology services supplier, they will either physically destroy the device, so that information cannot be retrieved from it, or they will overwrite the information held on the device multiple times which results in the deleted information being completely removed from the device.

Information about Midlands and Lancashire Commissioning Support Unit can be found here.

Processing your information outside of the UK

We do not generally process your information outside of the UK. However, there are limited circumstances where information may be processed outside of the UK, for example when conducting surveys through an outside survey company. When data will be processed outside of the UK, we will tell you in this notice and within any individual notices specific to the purpose for which we are collecting and using your information.

Information we may share

Sharing with other NHS organisations

We may share your information with other NHS services who are involved in your direct care (for example, when you see a nurse or a doctor). This might include hospital and community trusts, General Practitioners (GPs), ambulance services and other clinical commissioning groups, where joint commissioning takes place.

We may also need to share your information with other organisations who buy services for you so that we can, for example, manage a complaint or investigation.

We also buy services from other organisations, for example data analysis and information technology services.  In these cases, we ensure that these organisations handle your information under strict conditions in line with the law.

Sharing with non-NHS organisations

For your benefit, we may also need to share information we hold about you with other non-NHS organisations that are providing care to you, such as external organisations providing healthcare services to the NHS. We may also share your information, subject to strict agreements with social services, education services, local authorities and voluntary sector providers. 

There are certain circumstances where we are legally required to share your information. This includes information requested under a court order, information requested for safeguarding purposes, information requested for the prevention or detection of crime and for the notification of infectious diseases.

We will not share your information with anyone else unless we have a legal basis to do so, or where there are exceptional circumstances, such as when the health or safety of others is at risk.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always ask for your agreement prior to any information being shared. If you choose not to agree to this when asked, we will record your decision to ensure that we do not share your information with that organisation in future.

If information is shared, we will only share the minimum amount of information necessary for them to provide the service or comply with their legal duty. We also ensure that an agreement is put in place which tells them what they can and can’t do with your information and how they must protect it.

Further information about what information we may share is provided in the individual sections under the section entitled “Why we collect and use information” below.

How long we keep your information

We only keep your information for as long as is necessary for the purpose we have collected it. This will vary, depending upon the reason we have collected the information from you. We have provided information about the length of time we keep your information in each of the sub-sections under “Why we collect and use information” below, which is in line with the NHS Records Management Code of Practice for Health and Social Care 2016.

I have given consent for you to use my information and have changed my mind

If you have previously told us that we can use your information and you have now changed your mind, you can tell us using the Information Governance Team contact details above in the "Birmingham and Solihull CCG contacts" section. We will discuss this with you, to make sure that you understand how this will affect you.

What to do if you are unhappy with the way we use your information

If you are concerned, or unhappy with the way we have collected or used your information, you can contact the Data Protection Officer, or the Information Governance Team using the contact details above.

You can also raise a complaint with our Complaints team using the "Birmingham and Solihull CCG contact" details above.

You can also tell the organisation which is responsible for making sure that your information is handled properly. This organisation is called the Information Commissioner’s Office:

  • Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 08456 30 60 60 or 01625 54 57 45.

Requesting access to your information

You are entitled to ask for a copy of the information we hold about you, or you can ask someone else to ask for a copy on your behalf. This is known as a Subject Access Request.

A parent, guardian, a personal representative, or someone appointed by the court can also request a copy.

Please note: The CCG does not directly provide healthcare services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal healthcare records, you will need to apply to your GP practice, the hospital or NHS organisation which provided your care.

How to request a copy of your records

From 25 May 2018 onwards, if you want to obtain a copy of any records we hold about you, you can make a written or oral request, providing enough information to help us find the records you are asking for. Please tell us which parts of your record you would like access to when you request your records, for example, records relating to a specific period of time. To make sure that we don’t give your information to someone else, we will also need you to provide us with proof of your identity which needs to be either:

  • Two forms of photo ID (for example a current passport and photo driving licence) and one official document confirming your current address (for example a utility bill (not a mobile phone bill) or a letter from HMRC or DWP, which must be dated within the last six months, or a council tax bill or mortgage statement, which must be dated within the last 12 months), or;
  • One form of photo ID (see examples above) and two official documents confirming your current address (see examples above).

For a full list of acceptable identification you can contact us by calling 0121 255 0700 or by email [email address not shown].

As you will be sending your original identification documents to us, along with your request, we would advise that you send them to us using Royal Mail Special Delivery, as this provides better protection when sending identification documents, than the normal mail service. Once we have confirmed your identity, we will return the documents to you using Royal Mail Special Delivery, which will require your signature when you receive it.

Please send requests to the Information Governance team using the postal address, or email contact details in the "Birmingham and Solihull CCG contacts" section above.

If you are unable to put your request in writing, please telephone us on 0121 255 0700, so that we can make alternative arrangements for you.

How much does it cost?

There will be no charge for access to your records, unless the request is repeated or manifestly unfounded, in which case we can charge a reasonable fee to cover the costs of providing the information requested, or alternatively to refuse the request. For further information about your rights under the General Data Protection Regulations and the Data Protection Act 2018 see "Data Protection Rights".

How long will it take?

We must provide you with the information you have requested within one month starting from the day following receipt of your request, unless the request is complex, or if we have received a large number of requests, in which case, we are able to extend the time we have to respond up to a period of a further two months. If this is the case, we will tell you within one month of receiving your request, telling you why the extension is necessary. For further information about your rights see "Data Protection Rights".

Withholding information about you

We will not give you parts of your information which we believe could cause you, or someone else serious physical or mental harm. We will not provide you with parts of your information which relates to someone else (known as a third party), unless that third party is a healthcare professional who has provided care to you.

Correcting inaccurate information

We have to ensure that your information is correct and up-to-date. It is important that you tell us about any changes, for example if you move house, or change your telephone number.

If you believe that any information we hold about you is wrong, it is not complete, or is out-of-date, please contact us at the address below. If we agree that the information is wrong or not complete, we will put it right. If we do not agree that the information is wrong, we will make a note on your record that you believe that the information is wrong, not complete, or is out-of-date.

If you have told us that you believe your information is wrong and we don't agree, you have a right to ask us to restrict processing of your data until we have confirmed that the data is correct. If you wish to ask us to restrict processing of your data, contact the Information Governance Team, using the contact details above. For further information about your rights under the General Data Protection Regulations and the Data Protection Act 2018 see Data Protection Rights.

Further information

If you have any queries, or want to know more about the way we use your personal information, or if you don’t want us to use your information in any of the ways listed below, please contact us using the details for the Information Governance team above.

The information you have a right of access to includes:

  • A copy of the personal data we are processing about you
  • The purposes for processing your data
  • The categories of personal data we are, or have processed about you
  • The recipients or categories of recipients we have or will disclose your information to, including whether those recipients are outside of the UK, or are international organisations
  • The time we intend to keep your information, or alternatively, the criteria we will use to decide how long to keep your information
  • If the information was not obtained directly from you, you have a right to be told who provided your information to us
  • Whether we have, or are using automated decision making, to make decisions about you, or whether we are using your information for profiling purposes. Where this is the case you have a right to be told what logic is involved in this processing and what the potential consequences of this processing would mean for you
  • Whether we transfer any of your information outside of the UK, how your data protection rights are protected when your information has been transferred, and how you can view, or obtain a copy of the safeguards which have been put into place to protect it.

You also have the following rights:

  • The right to make a complaint to the Information Commissioner’s Office, the Regulator of the General Data Protection Regulations and the Data Protection Act 2018. See “What to do if you are unhappy with the way we use your information” for contact details
  • The right to have any information you believe is wrong, put right (known as the Right to rectification)
  • The right to have your information deleted (known as the Right to erasure, or the right to be forgotten)
  • The right to restrict the processing of your information (Right to restriction of processing)
  • The right to object to the processing of your information (Right to object)
  • The right to be provided with your information in a commonly used, machine readable format, and to have that information transmitted to someone else of your choosing, if it is technically feasible (Right to data portability).

Where you have submitted your request electronically, we will provide your information in a common electronic form, unless you have requested that we provided it in another specific format, in which case, we will endeavour to provide it in the requested format, unless it adversely affects the rights and freedoms of other people.

The types of information we can collect and use

Information which tells us who you are

We can only collect, use and share information which tells us who you are, like your name, date of birth, address (known as personal data) and information about your healthcare, your gender, your religion for example (known as sensitive personal data), if:

  • It relates to one of our duties or powers and;
  • We have specific, freely given consent from you, or;
  • The law tells us that we can or;
  • We are concerned about someone’s safety, or;
  • To prevent or detect serious crime, or;
  • It is in your best interests, or;
  • We have permission from the Secretary of State for Health to use your confidential healthcare information when it is necessary for our work, or;
  • We need to use it to make sure that we have plans in place to deal with emergencies when the health and safety of people are at risk.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

Information which does not tell us who you are

We can also receive information where it does not tell us who you are (known as Anonymised information), or where your personal details have been changed to an alias, so that we don’t know who you are (known as Pseudonymised information).

Some information we use is linked (using the alias) with other information about you. This means that we can make sure that any new services which we are testing are resulting in improved care for you across all areas of your healthcare.

Sometimes we use information about many people, which is grouped into categories and only shows total numbers, or total financial figures (this is known as aggregated information). Before we receive this information, steps are taken to make sure that we can’t tell who you are from it, for example by grouping everyone’s information into age bands, rather than showing specific ages and grouping everyone’s information into broad postcode areas, for example everyone in postcode area B90, rather than showing specific postcodes.

We can use information which does not tell us who you are, to enable us to plan and improve services, and check that hospitals and other healthcare providers we buy your care from are providing the care we have paid for.

Primary care and secondary care information

There are two types of information which are collected and used to provide you with healthcare. The first is primary care information. This is information which is collected and used when you visit your GP, the pharmacy, dentist and optician for example. The second is secondary care information; this is information which is collected when you go to hospital for an outpatient appointment, x-rays or other tests, when you are admitted to hospital, if you go into a rehabilitation unit, or if you are admitted as an emergency to hospital for example.

We do not normally have access to primary or secondary care information which identifies you. The main reasons we may need to see this type of information in a way which tells us who you are is for one of the following reasons:

  • If you, your GP or consultant make requests for treatments not normally funded by the NHS (known as Individual Funding Requests)
  • If you, someone who represents you, or your consultant makes a request for an assessment of suitability for packages of care for people with complex medical needs (known as Continuing Healthcare)
  • So that we can check that healthcare providers are paid correctly for the care and treatment they have provided to you
  • If you make a request to access information about yourself.

How we store your information

We keep your information as paper records, or on a computer system.

Why we collect and use information

We collect and use information for the reasons listed below:

  • If you visit our website
  • If you want to take part in online surveys
  • If you register to receive further information on specific topics
  • If you want to find out more about what the NHS is doing in the Birmingham and Solihull area
  • If you, your GP or consultant make requests for treatments not normally funded by the NHS (known as Individual Funding Requests)
  • If you, someone who acts for you, or your consultant makes a request for an assessment of suitability for packages of care for people with complex medical needs (known as Continuing Healthcare)
  • To tell you about changes to your GP practice
  • If you want to raise a query or concern, or if you want to make a complaint
  • To respond to a Member of Parliament's letter
  • If we have received concerns about the safety of you or someone else, known as safeguarding
  • If we need to investigate a serious incident
  • So that we can check that healthcare providers are paid correctly for the care and treatment they have provided to you
  • To provide Personal Health Budgets
  • To help us identify high risk groups of patients, for example, patients who may have falls and have to be admitted to hospital as an emergency. This will enable their doctors and other people caring for them to take action to prevent this happening. This is known as risk stratification
  • To help us make sure that the healthcare services we buy are of good quality and are safe
  • To enable research to be carried out
  • To enable clinical audit to be carried out
  • To process staff job applications
  • To provide information for National Registries
  • To provide learning disabilities and autism data for the Assuring Transformation Project
  • If you make a request to access information about yourself, about a deceased patient, or about how our organisation is run, how much money it spends, or the decisions we make.

You can find out more information in the sections listed below this one.

If you visit our website

The first time you visit our website, you will be asked if you want to accept cookies. A cookie is a small text file which contains the name of our website. You can choose whether you want to accept cookies or not. If you have chosen to accept cookies, the small text file will be saved to your PC. The next time you view our website, your PC will check the cookie to see if you have been to our website before. If you have, your PC sends the information from the cookie back to our site. The site will then know that you have visited it before and may change what you see on the screen, based on things you have looked at before. We do not collect IP addresses, MAC addresses etc when you visit our website.

When you visit our website, we collect information about how you use the site, including which parts of the site you visit. We are not able to tell who you are from this information, but it helps us to improve the site. We use a service called Google Analytics to help us do this. We will not try, and we will not allow Google to try, to find out who visits our website from the information we collect. You can opt out of Google Analytics by downloading the Google Analytics Opt Out Browser directly from Google’s website here.

If we do want to collect any information about you which would tell us who you are, we will tell you about it. We will also tell you why we want to collect the information and how we intend to use it.

Please note that this Privacy Notice does not cover websites which are linked to this website. You should therefore take the time to read the Privacy Notices on any external websites you visit.

Online surveys

Sometimes we run surveys on our website so that we can get feedback from you. If we are thinking about changing existing services or adding new services, or if we want to find out which services need to be made better, we may run a survey to find out what you think.

When we run surveys on our website, we make sure that we cannot tell who you are. Sometimes, we might ask if we can contact you if we want to ask you some more questions, or if we want to understand what you think better. We will tell you how your information will be used on the first page of the survey.

Information which would identify you

This may vary from survey to survey; check the specific Privacy Notice for each survey to confirm this.

Legal basis for collection

The legal bases for us to collect and use your information for this purpose:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14Z(1) and (2) – Duty as to Public Involvement and Consultation.

Article 9(2)(h) – “processing is necessary for the purposes of…” “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

Processing your information outside of the UK

We run our surveys using an online survey company called Survey Monkey. Survey Monkey stores data collected through surveys on servers located in the United States. Any personal information of EU Citizens stored outside of the European Economic Area must be given the same level of protection as it would receive within the EU. In order to meet the requirements of European Data Protection law, Survey Monkey has certified under and complies with the EU-US Privacy Shield Programme and its principles, which cover the collection, use and retention of personal data from EU Member States.

Further information on the Survey Monkey Privacy Policy is available here.

How long we keep your information

We keep information about our public consultations for a period of five years following the end of the consultation.

Organisations we share your information with

We do not share your data with other organisations.

Registering to receive further information on specific topics

We collect information that tells us who you are if you request to receive further information on specific topics.

Information which would identify you

We collect equality monitoring information, which is based on the nine protected characteristics. We may also collect your contact details, if you provide them, so that we can follow up with you.

Legal basis for collection

The legal bases for us to collect and use your information for this purpose:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14Z(1) and (2) – Duty as to Public Involvement and Consultation.

Section 149 Equality Act 2010 – Public Sector Equality Duty

Article 9(2)(h) – “processing is necessary for the purposes of…” “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

Processing your information outside of the UK

We run our surveys using an online survey company called Survey Monkey. Survey Monkey stores data collected through surveys on servers located in the United States. Any personal information of EU Citizens stored outside of the European Economic Area must be given the same level of protection as it would receive within the EU. In order to meet the requirements of European Data Protection law, Survey Monkey has certified under and complies with the EU-US Privacy Shield Programme and its principles, which cover the collection, use and retention of personal data from EU Member States.

Further information on the Survey Monkey Privacy Policy is available here.

How long we keep your information

We keep information about our public consultations for a period of five years following the end of the consultation.

Organisations we share your information with

We do not share your information with any other organisations.

Your right to object

If you tell us that you do not want us to use your information in order to enable you to comment on forum threads, contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object".

People’s Health Panel

The People's Health Panel is a database of people who have signed up to find out more about the work the NHS is doing in Birmingham and Solihull.

Information which would identify you

This collects a range of information including protected characteristics (age, gender, ethnicity, etc.) as well as contact details and preferences, and health condition interest. All questions have a ‘prefer not to say’ option.

Legal basis for collection

The legal bases for us to collect and use your information for this purpose:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14Z(1) and (2) – Duty as to Public Involvement and Consultation.

Section 149 Equality Act 2010 – Public Sector Equality Duty

Article 9(2)(h) – “processing is necessary for the purposes of…” “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

Processing your information outside of the UK

We use Survey Monkey to collect the details of people registering for the Panel. Survey Monkey stores data collected through surveys on servers located in the United States. Any personal information of EU Citizens stored outside of the European Economic Area must be given the same level of protection as it would receive within the EU. In order to meet the requirements of European Data Protection law, Survey Monkey has certified under and complies with the EU-US Privacy Shield Programme and its principles, which cover the collection, use and retention of personal data from EU Member States.

Further information on the Survey Monkey Privacy Policy is available here.

As part of being a member of the panel, we send a regular newsletter, using software called MailChimp. MailChimp is used to design the content of the newsletter and send the newsletter to panel members. MailChimp will track if someone opens the newsletter email or not, the time, and the location it was opened by city and country. MailChimp will also collect information about your device and applications you use to access emails sent via MailChimp, including your IP address, your operating system, your browser ID and other information about your system and connection. MailChimp use cookies, web beacons and other tracking technologies to collect some of this information. MailChimp’s use of cookies and other tracking technologies is discussed in more detail in their Privacy Policy, see the link below.

MailChimp stores data relating to subscribers to the People’s Health Panel on servers located in the United States. Any personal information of EU Citizens stored outside of the European Economic Area must be given the same level of protection as it would receive within the EU. In order to meet the requirements of European Data Protection law, MailChimp has certified under and complies with the EU-US Privacy Shield Programme and its principles, which cover the collection, use and retention of personal data from EU Member States.

We do not have “Social Profiles” enabled and, as such, MailChimp does not collect publicly available social media information about you.

Further information on the MailChimp Privacy Policy is available here.

How long we keep your information

We will keep your information until you decide to unsubscribe from the panel.

Organisations we share your information with

We do not share your information with any other organisations.

Your right to object

If you tell us that you do not want us to use your information in order to enable you to comment on forum threads, contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object".

Individual Funding Requests

When you, your GP or consultant makes a request for us to pay for treatments or drugs which are not normally paid for by the NHS, but which they feel is the best treatment for you, we need information to help us to decide whether you are eligible for the requested funding.

This may include information you have told us and healthcare information which we request from healthcare professionals, including GPs, hospitals and other organisations who have been involved in your care to help us come to a decision.

The information used for this purpose tells us who you are, but we also use information where anything which tells us who you are has been removed, so that we can plan, report on trends, or calculate the amount of money we have spent.

Information which would identify you

We will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode
  • Date of birth.

Legal basis for collection

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Regulation 34 – Duty to have in place arrangements for making decisions and adopting policies on whether a particular health care intervention is to be made available for persons for whom the CCG has responsibility.

And for monitoring Individual Funding Requests:

Article 9(2)(h) – “processing is necessary for the purposes of…” “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

Processing your information outside of the UK

We process all information relating to Individual Funding Requests on servers in the UK.

How long we keep your information

Where a request for funding has been rejected, your information will be kept for two years following the date of rejection. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Where a request has been approved, your information will be kept for eight years after approval. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Organisations we share your information with

Individual Funding Requests are handled on our behalf by Arden and GEM Commissioning Support Unit. We have a contract in place with Arden and GEM which tells them how they have to protect and use your information, and checks are made to make sure that they are protecting your information properly. Information about how Arden and GEM Commissioning Support Unit use your information can be found here.

Arden and GEM Commissioning Support Unit’s website can be found here.

Your right to object

If you tell us that you do not want us to use your information to ask for funding, we may not be able to decide whether you are eligible to receive funding for the drug or treatment you had asked for. If you still wish to object, please contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object".

Continuing healthcare

When you, or someone who is acting for you, have asked us to decide whether we can pay for a package of care to meet your complex health needs (known as Continuing Healthcare), we need information which allows us to know who you are, so that we can come to a decision.

If you agree, we will also contact other care providers who have been involved in your care and ask them to provide us with information about your healthcare to help us decide what type of care you need and whether we can pay for your care. The types of information we may collect and use for this purpose include information about:

  • Behaviour
  • Cognition (understanding)
  • Communication
  • Psychological/emotional needs
  • Mobility
  • Nutrition (food and drink)
  • Continence
  • Skin (including wounds and ulcers)
  • Breathing
  • Symptom control through drug therapies and medication
  • Altered states of consciousness
  • Other significant needs.

This information may be taken from care home records, social care records and health records (including GP, hospital, mental health and district nursing records).

The information used for continuing healthcare decisions tells us who you are, but we also use information where anything which tells us who you are has been removed so that we can plan, report on trends, or calculate the amount of money we have spent. This information is known as anonymised information.

Additionally, in order to comply with its duty to reduce inequalities in respect of patients’ ability to access health services and reduce inequality of outcome and its duty in respect of the improvement in the quality of services, Birmingham and Solihull CCG’s Continuing Healthcare Team conduct reviews of decisions made in relation to Continuing Healthcare requests. This work will involve review of all information associated with the Continuing Healthcare request, including personally identifiable and confidential information. In all circumstances the CCG will only use the minimum necessary to enable it to comply with its legal duties.

Information which would identify you

We will use the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode
  • Date of birth

Legal basis for collection

The legal basis for us to collect and use your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012, Regulations 21 to 24 – NHS Continuing Care Duties

Article 9(2)(h) – “processing is necessary for the purposes of…” “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

Processing your information outside of the UK

We process all information relating to individual funding requests on servers in the UK.

How long we keep your information

Where a request for funding has been rejected, your information will be kept for two years following the date of rejection. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Where a request has been approved, your information will be kept for eight years after approval. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Once records have reached their retention period they will be securely disposed of.

Organisations we share your information with

Midlands and Lancashire Commissioning Support Unit

Continuing Healthcare requests are handled on our behalf by an organisation called Midlands and Lancashire Commissioning Support Unit. We have a contract in place with Midlands and Lancashire Commissioning Support Unit which tells them how they have to protect and use your information and checks are made to make sure that they are protecting your information properly. Information about Midlands and Lancashire Commissioning Support Unit can be found here.

Local authority social services

The Midlands and Lancashire Commissioning Support Unit Continuing Healthcare Team will collect and securely share information with the local authority social services department to inform the Continuing Healthcare assessment process.

Other organisations or individuals

The Midlands and Lancashire Continuing Healthcare Team will also share your information with other organisations or individuals who are directly or indirectly involved in your assessment. These may include, for example, care homes, GPs, hospitals and district nursing. Some information may also be shared with an Independent Review Panel – further information about the Independent Review Panel can be found here.

Your right to object

If you tell us that you do not want us to use your information to ask for funding, we may not be able to decide whether you are eligible to receive funding for the Continuing Healthcare you had asked for. If you still wish to object, please contact the Information Governance Team using the contact details above. For further information about your right to object, please see "Right to object".

To process personal health budgets

A Personal Health Budget is an amount of money used to support the identified healthcare and wellbeing needs of an individual, which is planned and agreed between the individual, or their representative, and the CCG.

To support the process, the CCG will process personal confidential data including sensitive personal data to evaluate, agree and monitor any personal health budgets.

Information which would identify you

We will be using information including the following data items to identify you:

  • Patient name
  • Patient date of birth
  • Patient address
  • Patient NHS number
  • Patient telephone number
  • Patient email.

Legal basis for collection

The legal basis for us to process your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

National Health Service (Direct Payments) Regulations 2013 The National Health Service (Direct Payments) (Amendment) Regulations 2013 Schedule 3, Condition 1 – Explicit Consent - Sensitive Personal Data

And

Mental Capacity Act 2005

And

Safeguarding Vulnerable Groups Act 2006 as amended by the Protection of Freedoms Act 2012

Article 9(2)(h) – “processing is necessary for the purposes of…” “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

Processing your information outside of the UK

We process all information relating to Personal Health Budgets on servers in the UK.

How long we keep your information

We will keep your information for eight years after funding has ceased.

Organisations we share your information with

We share your information with Arden and GEM Commissioning CSU who process funding requests on our behalf.

We have a contract in place with Arden and GEM which tells them how they have to protect and use your information and checks are made to make sure that they are protecting your information properly. Information about how Arden and GEM Commissioning Support Unit use your information can be found here.

Arden and GEM Commissioning Support Unit’s website can be found here.

Your right to object

If you tell us that you do not want us to use your information to process your funding, we may not be able to process your personal health budget. If you still wish to object, please contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object".

Collecting and tracking data for people with learning disabilities and/or autism – Assuring Transformation

We hold, manage and maintain a register of people with learning disabilities and/or autism who are in in-patient settings, which covers their current care provision. We collect the number of people who are going into hospital each month, the type of hospital they are in, when their care and treatment is checked, how long they have been in hospital and how many people have moved from hospital into the community. This information is collected from CCGs every month.

The NHS gives the Assuring Transformation data to NHS England every month and publishes a monthly report. Progress reports don’t include any personal information.

Information which would identify you

The information which will identify you includes:

  • NHS number
  • Date of birth
  • Gender
  • Ethnic category
  • The address and postcode where you were admitted from
  • The postcode of your usual address.

Legal basis for collection

The legal basis for us to process your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14R – Duty as to the Improvement in Quality of Services

And

Health and Social Care Act 2012, Section 14T – Duty as to Reducing Inequalities

Processing your information outside of the UK

We process all information relating to collecting and tracking data for people with learning disabilities and/or autism on servers in the UK.

How long we keep your information

We keep your information for up to eight years after you were last seen, after which it will be securely destroyed.

Organisations we share your information with

NHS Digital collect the Assuring Transformation data from the CCG. They then put it into a form where they cannot tell who you are (known as anonymised information). They then give the anonymised data, in the form of progress reports, to NHS England.

Opt out details

If you do not want your information included in the information collected by the CCG and NHS Digital, and then shared with NHS England, please see the information about the Assuring Transformation section of the NHS England website here to find out how to opt out.

National registries and national audits

National registries, such as the Learning disabilities register, have legal permission to collect patient information without needing to obtain consent. National registers are used in the NHS to provide support to particular groups of patients to ensure that they are receiving the care and support they require. NHS Digital is responsible for collecting the information used in the Registries and for ensuring that your information is kept securely and confidentially.

Legal basis

The legal basis upon which NHS Digital relies to use your information for this purpose is:

Article 6(1)(c) “…for compliance with a legal obligation…” including:

The Health and Social Care (Establishment of Information Systems for NHS Services: National Diabetes Audit) Directions 2017

And

The Health and Social Care (Information Centre (Female Genital Mutilation) Directions 2015

Your GP Practice will provide this information to NHS Digital using a secure transfer method. The CCG does not process any of the data associated with National Registers. Further information on the data collected by NHS Digital and their associated legal bases is available here.

Opt out details

If you do not want your information included in the information collected by the CCG and NHS Digital, and then shared with NHS England, please see the information about the National Data Opt Out Programme at Your right to opt out of sharing some types of information. If you choose to opt out of providing your information for this purpose, this may result in us not being able to adequately ensure that all services we buy are safe and of good quality.

To tell you about changes to your GP practice

If a change is going to be made to your GP practice, for example, if it is going to close down, we need to contact you to tell you and to advise you how to register with another GP practice. Your contact details will need to be used so that we can tell you about the change.

When we do this, the practice you’re currently registered with will securely share your name and address information with the company which we have contracted with to print the letters, so that they can print and send the letter to you.

Information which would identify you

We will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode

Legal basis for collection

The legal basis for us to use your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14Z(1) and (2) – Duty as to Public Involvement and Consultation.

Processing your information outside of the UK

We process all information relating to changes to your GP practice on servers in the UK.

How long we keep your information

The company we contract with to print and send the letters is required to securely destroy your name and address information two weeks after your letter has been sent out.

When you re-register with a new GP practice, your GP healthcare information will be transferred to your new GP by your old GP.

Organisations we share your information with

The printing and sending of letters for this purpose will be provided by a commercial organisation. Checks will be made to make sure that the organisation we use keeps your information safe and secure. We will put an agreement in place to make sure that the commercial organisation we select only uses your information to send you the letter and protects your information in the same way as we do. Once the letters have been sent out, we will check that the organisation has met the terms of the agreement.

Your right to object

We have a legal obligation to tell you about changes to your GP practice. If you told us not to contact you for this purpose, you may not be aware of changes which are to take place in your practice which may affect you. If you still wish to object, please contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object."

To respond to a Member of Parliament's letter

From time to time the CCG will receive letters from MPs regarding constituents who have asked for their assistance in attempting to resolve an issue they may have.

Information which would identify you

We will be using the following information to identify you:

  • Name
  • Address
  • Postcode
  • Date of birth
  • NHS number

Legal basis for collection

The legal basis for us to use your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14R – Duty as to the Improvement in Quality of Services

And

Health and Social Care Act 2012, Section 14T – Duty as to reducing inequalities

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

Processing your information outside of the UK

We process all information relating to the handling of Members of Parliament’s letters on servers in the UK.

How long we keep your information

We will keep your information for 10 years after the MP’s letter has been received.

Organisations we share your information with

We may need to contact and obtain information from other organisations and people who were either witnesses or who have been involved in your complaint, or concern, so that we can understand what has happened and sort it out for you. 

Your right to object

If you tell us that you have changed your mind and do not want us to use your information in order to investigate the complaint or concern your MP has raised on your behalf, this may impact on our ability to investigate the complaint or concern properly, particularly if you were a witness to the situation being complained about. If you still wish to object, please contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object".

If you want to raise a query or concern, or if you want to make a complaint

Queries, concerns and complaints about secondary care

When you tell us about a query, concern or complaint you have about a service we provide directly, or about a service which we have paid for, such as hospital care, mental health services, out of hours services and community services such as district nurses, we will need information which tells us who you are so that we can find out what has happened, sort it out for you and make sure that it doesn’t happen again in future.

Queries, concerns and complaints about primary care

If your query, concern or complaint is about a GP practice, optician or a dentist, you will need to contact the GP practice, optician or dentist directly, or contact NHS England. Details of how to contact NHS England to make a complaint can be found here.

When a complaint has been upheld, user stories will be reviewed during our Governing Body’s Meeting, without them knowing who you are. This gives our Governing Body a summary of your concern, any improvements to services which have been identified and how well the complaints procedure has been applied. This will help our Governing Body to make sure that the complaints process is working correctly.

Information which would identify you

Depending upon your query, concern or complaint we will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode

Depending upon the situation, we may also use information which tells us who other people involved in the complaint are.

If a service user’s story is being used within our Governing Body’s Meeting, the information given to them will include what the concern was and what improvements have been made to the service as a result of the concern being raised.

Legal basis for collection and use

The legal basis for us to use your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Health and Social Care Act 2012, Section 14R – Duty as to the Improvement in Quality of Services

And

Health and Social Care Act 2012, Section 14T – Duty as to reducing inequalities

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

If we want to include a service user story in our Governing Body’s Meeting which includes information about you, we will ask you for your specific consent (known as explicit consent) first, before any of your information is shared with them, or published on our website.

Processing your information outside of the UK

We process all information relating to queries, concerns and complaints on servers in the UK.

How long we keep your information

We will keep information about your complaint, including your contact details, information about what has happened, information which we have found out which relates to your complaint and the outcome of your complaint, for 10 years after your complaint has been closed.

Organisations we share your information with

We may need to contact and obtain information from other organisations and people who were either witnesses or who have been involved in your complaint so that we can understand what has happened and sort it out for you.  We will only do this once you have provided your specific consent (known as explicit consent).

Individuals we may share your information with

Where you have made a complaint about another person, we are normally required to disclose who you are, as the person who has made the complaint, to the person who has been complained about. This is likely to be the case where someone’s record of events is in dispute.

Publication of upheld complaints via the Governing Body

We may wish to include a service user story in our Governing Body’s Meeting, which includes information about you. The minutes of all Governing Body Meetings are published on our website and will be available to anyone who wants to see them.   

Your right to object

If you tell us that you have changed your mind and do not want us to use your information in order to investigate a complaint about care you have received, we may not be able to investigate your complaint. If you tell us that you do not want us to use your information in order to investigate a complaint you have made on behalf of someone else, this may impact on our ability to investigate the complaint, particularly, if you were a witness to the care being complained about. If you still wish to object, please contact the Information Governance team using the contact details above. For further information about your right to object, please see "Right to object".

If we have received concerns about the safety of you or someone else, known as safeguarding

We may receive information relating to concerns about the safety of you or someone else. This information might be from you directly, your relatives or through other health and social care organisations. 

All health and social care professionals have a legal duty to share information with appropriate agencies where safeguarding concerns about children or adults have been received. 

Where it is appropriate to do so, the sharing organisations will keep you informed of when information is required to be shared, to provide you with assurance that the information will be shared securely and of the benefit to you or the person you are raising safeguarding concerns about. Access to this information is strictly controlled and, where there is a requirement to share information, for example with police or social services, all information will be transferred safely and securely, ensuring that only those with a need to know about those concerns are appropriately informed.

Information which would identify you

Depending on the concerns raised, we may need to use the following information to identify you or the person you are concerned about:

  • NHS number
  • Name
  • Address
  • Postcode

Legal basis for collection

The legal basis for us to use your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Children Act 1989/2004

And

Care Act 2014

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

Processing your information outside of the UK

We process all information relating to safeguarding concerns on servers in the UK.

How long we keep your information

We will keep information about the concerns raised, including your contact details, information about what has happened and information which we have found out which relates to those concerns, for eight years after we are sure that the person is safe.

Organisations we share your information with

If we are told about someone who may be at risk of harm, we have a legal duty to share that information with Safeguarding Boards and Multi-Agency Safeguarding Hubs and safeguarding partners.

Your right to object

We have a legal requirement to provide information where there are Safeguarding concerns due to public interest issues, for example, to protect the safety and welfare of vulnerable children and adults.

If we need to investigate a serious incident

Information is sent to us when you have been involved in a serious incident, for example when you have been in hospital, or when you have visited your GP, dentist or optician. This may be because you were directly involved in the incident, or if you witnessed it. This information is provided as part of a serious incident report sent to us by primary and secondary care providers to make sure that incidents are handled properly and lessons are learned from them.

When we receive the serious incident form, any information which would tell us who you are will have been removed, unless you have agreed that we can receive it, or there is a legal reason which allows us to know who you are.

You will be told what requirements we have to meet and you will be asked for your consent if we want to share your information externally, unless we have an alternative legal basis which allows or requires us to do this.

Information which would identify you

Depending on the incident, we may need to use the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode

Legal basis for collection

The legal basis for us to use your information for this purpose is:

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Children Act 2004, Section 11 – Children’s Services: Arrangements to safeguard and promote welfare

Health and Social Care Act 2012, Section 14R – Duty as to the improvement in quality of services

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

Processing your information outside of the UK

We process all information relating to serious incidents on servers in the UK.

How long we keep your information

We will keep information about serious incidents, including your contact details, information about what has happened and information which we have found out which relates to the serious incident, for 20 years after the incident has been reported.

Organisations we share your information with

Arden and GEM Commissioning Support Unit and Midlands and Lancashire Commissioning Support Unit process information about Serious Incidents on our behalf.

Arden and GEM Commissioning Support Unit’s website can be found here.

Midlands and Lancashire Commissioning Support Unit’s website can be found here.

If we are required to share incident reports externally

If we are required to provide incident reports outside of the CCG, all of the data or information which could identify you will have been removed (known as anonymised). We will tell you about the requirements that we have to meet and will ask you for your specific agreement (explicit consent) if we need to share your information outside of the CCG in a way which will identify you, unless we have another legal basis which allows or requires us to do this.

Your right to object

We have a legal duty to investigate all serious incidents relating to secondary care. However, in the majority of cases we are only able to see information which identifies you in limited circumstances. If you say that you do not want your information to be passed to us as part of the investigation, this may mean that we cannot properly investigate the incident. There may be times when the law allows us to be provided with your information, for example where the information is vital to the investigation of an incident which has, or is very likely to have, serious impacts on the health and wellbeing of one or more people.

So that we can check that healthcare providers are paid correctly for the care and treatment they have provided to you

We aim to spend public money wisely, so we need to ensure that we are paying the right amount of money for the right services to the right people. Before we pay for care, we may ask for evidence of treatment or on the outcome of the care. Invoices are checked within a special secure area known as a Controlled Environment for Finance (CEfF) to make sure that the right amount of money is paid, by the right organisation, for the treatment provided.

The process followed makes sure that only the minimum amount of information about you is used, and by a limited number of people. The process is designed to protect your confidentiality. The process is known as invoice validation.

Organisations that provide treatment submit invoices to us for payment.

The secure area (Controlled Environment for Finance, provided by AGEM CSU) receives additional information, including the NHS Number, or occasionally the date of birth and postcode, from the organisation that provided treatment.

The information is then checked and any discrepancies are investigated and sorted out between the Controlled Environment for Finance and the care provider. The invoices will be paid when the checks are completed.  We do not receive any identifiable information for the purpose of Invoice Validation, but we do receive reports to help with financial management.

Information which would identify you

We use the following information to check that we are paying for your care correctly:

  • NHS number, or;
  • Date of birth, and;
  • Postcode

Legal basis for collection

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Section 14Z7 NHS Act 2006

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

Processing your information outside of the UK

We process all information relating to paying healthcare providers, on servers in the UK.

How long we keep your information

We will keep information about invoices and the checks made for 6 years after the end of the financial year they relate to.

Organisations we share your information with

Arden and GEM Commissioning Support Unit uses your information for invoice validation on our behalf.  Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Arden and GEM Commissioning Support Unit’s website can be found here.

Information about how NHS Digital uses your information can be found here.

Opt out details

If you do not want your information included in the information collected by the CCG and NHS Digital, and then shared for contracted invoice validation, please see the information about the National Data Opt Out Programme at "Your right to opt out of sharing some types of information". The right to opt out does not apply to non-contracted invoice validation.

Risk stratification

Risk stratification is a process for identifying and caring for patients with long term health conditions and patients who are at high risk of emergency hospital admission. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions, such as chronic obstructive pulmonary disease (COPD) and diabetes, to help prevent hospital admissions that could have been avoided. As well as helping general practices to provide direct care support, risk stratification is used by the CCG to support planning and commissioning, for example, understanding the numbers of patients in the region who require services to support COPD will enable us to commission the right services to better manage periods of ill health and to improve the quality of the services we are able to offer you.

Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission, as well as data collected in general practice.

NHS Digital provides information, identifiable by your NHS Number only, about hospital attendances. General Practices provide information from GP records also identifiable by your NHS number only. Both sets of information are sent via secure transfer to the risk stratification system where they are immediately Pseudonymised and linked to each other. The risk stratification system uses a formula to analyse the Pseudonymised data to produce a risk score. These risk scores are available to the general practice you are registered with, where authorised staff who are responsible for providing direct care for you are able to see these scores in a format that identifies you. This will help the clinical team make better decisions about your future care, for example you may be invited in for a review or if they think you may benefit from a referral to a new service they will discuss this with you. We are provided with reports containing aggregate information, which does not identify you, to ensure we are commissioning and planning for these services as required by the population we serve.

Information which would identify you

We use the following information to identify you and to enable linking data from different sources:

  • NHS number

Legal basis for collection

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

14X NHS Act 2006 – Duty to Promote Innovation

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

Processing your information outside of the UK

We process all information relating to risk stratification on servers in the UK.

How long we keep your information

We will keep information about risk stratification for 10 years after death.

Organisations we share your information with

Arden and GEM Commissioning Support Unit uses your information for risk stratification on our behalf.  Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Arden and GEM Commissioning Support Unit’s website can be found here.

Information about how NHS Digital uses your information can be found here.

Opt out details

If you do not want your information included in the information collected by the CCG and NHS Digital, and then shared for purposes not related to your direct care, please see the information about the National Data Opt Out Programme at "Your right to opt out of sharing some types of information". The right to opt out does not apply to Risk Stratification when this is carried out by the provider involved in your care, or where your information has been anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice.

To help us make sure that the healthcare services we buy are of good quality and are safe

Hospitals and community organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning information. We obtain from NHS Digital the commissioning information which relates to patients registered with our general practices. This enables us to plan, design, purchase and pay for the best possible care available for you.

Different types of commissioning information are legally allowed to be used by different organisations within, or contracted to, the NHS:

  • Information from which we can tell who you are (known as identifiable information) – when disclosed from primary and secondary care services to NHS Digital,
  • Summary information (known as Aggregated information) – we can only receive this information in aggregated form which does not identify you

The datasets we receive from NHS Digital are in a format that does not directly identify you. The information may include your age, ethnicity and gender as well as coded information about clinic or accident and emergency attendances, hospital admissions and treatment. We also receive information from the general practices and other local providers within the CCG; this information does not identify you. We use these datasets for:

  • Contract / performance management
  • Reviewing the care delivered by providers, to ensure quality and cost effective care
  • Providing statistics on NHS performance, to understand health needs and to help service re-design, modernisation and improvement
  • Planning future services to ensure they continue to meet local population needs
  • Reconciling claims for services received in your General Practice
  • Auditing NHS accounts and services.

Legal basis for collection

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Section 14R NHS Act 2006 – Duty as to the improvement in quality of services

Article 9(2)(h) – “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

Processing your information outside of the UK

We process all information relating to the safety and quality of the healthcare services we buy on servers in the UK.

How long we keep your information

We keep commissioning information for six years after the end of the financial year it relates to.

Organisations we share your information with

Arden and GEM Commissioning Support Unit and Midlands and Lancashire Commissioning Support Unit process commissioning data on our behalf.

Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Arden and GEM Commissioning Support Unit’s website can be found here.

Information about how NHS Digital uses your information can be found here.

Opt out details

If you do not want your information included in the information collected by the CCG and NHS Digital, and then shared with NHS England, please see the information about the National Data Opt Out Programme at "Your right to opt out of sharing some types of information". If you choose to opt out of providing your information for this purpose, this may result in us not being able to adequately ensure that all services we buy are safe and of good quality.

To enable research to be carried out

Research can provide direct benefit to patients who take part in medical trials, and indirect benefits to the population as a whole. Information can be used to identify people, and to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Where identifiable information is needed for research, you will be approached by the organisation where you were treated, to ask if you wish to participate in the research study. You will be provided with information about the research, and the way in which your identifiable information will be used and kept safe and secure, before you are asked to provide explicit consent for confidentiality purposes to take part. Where a Section 251 approval has been granted, you will be informed of the project and will be able to make a decision as to whether you wish to opt out. Information related to research projects will be kept safe and secure with access limited to authorised research team members only.

Information which would identify you

Depending upon the type of research and the legal basis we are relying upon, we may use any of the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode
  • Date of birth

Legal basis for collection

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller” – namely:

Section 14Y NHS Act 2006 – Duty in respect of research

Article 9(2)(j) – “…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…”

Processing your information outside of the UK

We process all information relating to research on servers in the UK.

How long we keep your information

We will keep research information for no more than 20 years.

Organisations we share your information with

Arden and GEM Commissioning Support Unit and Midlands and Lancashire Commissioning Support Unit provide the information for us. 

Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Arden and GEM Commissioning Support Unit’s website can be found here.

Opt out details

If you do not want your information included in the information collected by the CCG and NHS Digital, and then shared for this purpose, please see the information about the National Data Opt Out Programme at "Your right to opt out of sharing some types of information". If you choose to opt out, this would mean that you would not be invited to be involved in clinical trials which may relate to a medical condition you have. This may also impact on improvements and benefits which may be achieved for other patients.

To enable clinical audit to be carried out

Clinical audit is a process by which the care provided to you is reviewed, to make sure that it meets the standards of quality we expect it to. It also helps us to identify any areas where improvement should, or could be made.  Effective clinical audit can provide direct benefit to you as a patient and to the people who the CCG buys services for. Clinical audit makes sure that the services we plan and commission offer high quality and effective care.

Information which would identify you

When the CCG undertakes an audit of your care, we are not allowed to use any information which tells us who you are, unless we have specific agreement from you (this is known as explicit consent). 

We can carry out a clinical audit using information which does not tell us who you are (known as anonymised data), or we can buy the services of an external auditor to do the work on our behalf.

If we need to use information which tells us who you are, to be able to carry out the clinical audit, we will ask you for your specific agreement (known as explicit consent). Because each type of clinical audit is different, we will tell you what information we need, why we need it, what we are going to do with it, who we are going to share it with, how long we are going to keep it and the rights you have over it, when we ask you for your consent. This is known as a Privacy Notice.

Legal basis for collection

When we use information which does not tell us who you are, we do not need your consent, but if we need to use information which tells us who you are, we will ask you for your specific agreement (known as explicit consent).

Processing your information outside of the UK

We process all information relating to clinical audit on servers in the UK.

How long we keep your information            

When we use information which tells us who you are (with your specific agreement), we will keep this for 5 years from the date we start the audit.

Organisations we share your information with

Midlands and Lancashire Commissioning Support Unit provide the information for us. Their website can be found here.

Withdrawal of consent

If you have previously agreed to let us use information which tells us who you are to perform a clinical audit, but you have since changed your mind and do not want us to use your information for this purpose, contact the Information Governance team using the contact details above.

To process staff job applications

When you apply to work at the CCG, we have to collect and use information about your past career, qualifications and experience, criminal records as appropriate, references, and certain necessary health related information as part of our recruitment, selection and pre-employment checks.

Information which would identify you

The information which would tell us who you are would include:-

  • Name
  • Address and postcode
  • Email address
  • Telephone numbers
  • Date of birth
  • National insurance number

Legal basis for collection

Article 6(1)(e) – “For the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller”

Article 9(2)(b) – “…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law…”

Processing your information outside of the UK

We process all information relating to clinical audit on servers in the UK.

How long we keep your information         

We will keep the general employment records of staff who have been successful up until 6 years after they have left if an employment summary has been made, or up until age 75 if not.

Organisations we share your information with

You will submit your Application Form to us electronically via the NHS Jobs website.

NHS Jobs website can be found here.

Your right to object

Objection to the processing of your personal data would mean that we would be unable to process your application any further.

If you make a request to access information about yourself, about a deceased patient, or about how our organisation is run, how much money it spends, or the decisions we make

Asking for your own information

If you ask for a copy of your own information, for example your health record, we will ask you to provide your name and contact details and any other information to help us find the information you want us to provide. We will need to see various forms of identification, such as your passport, your birth certificate or a utility bill. When we are processing your request, we will also use your health record.

The legal basis for us providing you with a copy of your information is:

6(1)(c) ‘…for compliance with a legal obligation…’ – namely:

The subject access provisions of the General Data Protection Regulations and the Data Protection Act 2018

We process all information relating to requests for your own information on servers in the UK.

Where the information requested relates to Continuing Care Records, or Individual Funding records, Arden and GEM Commissioning Support Unit will provide them to us.

If you change your mind and decide that you do not wish to receive a copy of your records we will close off your request.

In all circumstances we will keep your information for 3 years after we have closed it. If you have appealed our decision, we will keep the information for 6 years after we have closed it.

If you are requesting information relating to visits to your GP, to a hospital or another healthcare provider, you will need to approach each of the healthcare providers you visited in order to request your records from them.  The CCG does not hold patient records, with the limited exceptions of the circumstances included in this Privacy Notice, for example, Continuing Healthcare Requests, Individual Funding Requests etc.

Asking for information about deceased patients

If you ask for a copy of a deceased patient’s health records, we will ask you to provide your name and contact details and any other information to help us find the information you want us to provide. We will need to see various forms of identification, such as your passport, your birth certificate or a utility bill, and evidence that you have a right of access to the deceased patient’s information. When we are processing your request, we will also use the deceased patient’s health record.

The legal basis for us to use your information is:

6(1)(c) ‘…for compliance with a legal obligation…’ – namely:

The Access to Health Records Act 1990

We process all information relating to requests to access information about deceased patients on servers in the UK.

Where the information requested relates to Continuing Care Records, or Individual Funding records, Arden and GEM Commissioning Support Unit will provide them to us.

If you change your mind and decide that you do not wish to receive a copy of the deceased patient’s health records, we will close off your request.

In all circumstances we will keep your information for 3 years after we have closed the request.

Asking for information about how the CCG is run

If you send us a request for information about, for example, how we are run, how we make decisions or how much we spend, we will need to know your name and contact details, so that we can respond to your request.

The legal basis that allows us to use your information for this purpose is:

6(1)(c) ‘…for compliance with a legal obligation…’ namely:-

The Freedom of Information Act 2000 and;

The Environmental Information Regulations 2003

We process all information relating to requests for information about the CCG, on servers in the UK.

If you change your mind and do not wish us to provide the information you have requested, we will close the request. 

We will keep information about the request, including your name and contact details for 3 years following closure of your request.

If we receive an appeal about a decision we have made to withhold information, we will keep this information, including your contact details for 6 years following closure of your request.

Your right to object

If you change your mind and object to us using your information to process your request for information, we will be unable to provide you with the information requested, as we are required by law to collect specific information about you as an applicant, for example your name and address. Where the request relates to personal information about yourself or information about a deceased patient, we will also need to see proof of your identity.

Your right to opt out of sharing some types of information

Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can apply your national data opt-out choice. Our organisation is not currently able to apply your national data opt-out choice to any confidential patient information we may use or share with other organisations for purposes beyond your individual care.

The General Data Protection Regulations and the Data Protection Act 2018 give you some additional rights to decide how your information is handled. They are:

Right to rectification

You have a right to have inaccurate information we hold about you corrected as soon as possible.

Depending upon the purpose for processing, you have the right to have incomplete records completed, which may include making a statement which can be added to them.

Right to erasure

You have a right to have your information deleted, or erased (also known as the right to be forgotten). If you ask us to erase your information, we have an obligation to tell anyone we have shared your information with that you want your information deleted, unless to do so would involve disproportionate effort.

Applies when

This right only applies either where:

  • the only legal basis we are relying on to process your information is your consent, or;
  • we no longer need your information for the purpose we collected it, or;
  • you have objected to processing of your information where the legal basis we were relying on was either that the processing was:
    • being carried out in the public interest, or;
    • being carried out under an authority given to the Controller, or;
    • in the legitimate interests of us (as the Controller) or a third party

Unless:

  • We can demonstrate that we have justifiable grounds for processing which override your interests, rights and freedoms, or;
  • Where we are, or will be processing your information to establish, exercise, or defend a legal claim

Right to restriction of processing

You have a right to restrict the processing of your information where:

  • You have disputed the accuracy of your information
  • The processing is unlawful, but you do not want your information deleted and instead want it kept in a restricted state, for restricted use only
  • We no longer need your information, but you want us to keep it so that you can establish, exercise, or defend a legal claim
  • You have objected to the processing of your information, but you are waiting for clarification as to whether our legitimate grounds override your legitimate grounds

With the exception of storing your information, processing will only be carried out:

  • With your consent, or;
  • For the establishment, exercise, or defence of a legal claim, or;
  • For the protection of the rights or freedoms of someone else, or;
  • For reasons of important public interest

Where you have asked us to place a restriction on the processing of your data, if we intend to remove a restriction, we will inform you before the removal takes place.

Right to data portability

You have a right to ask us to provide you with your information in a commonly used, machine readable format, for example in CSV format.

You also have the right to ask us to transfer your information to another Controller, where it is technically feasible.

Applies where

  • You provided the data directly to us, that is, we didn’t obtain, or receive it from someone else and;
  • The legal basis for processing is consent, or;
  • The processing is based on a contract, and;
  • The processing has been carried out by automated means, and;
  • Where the exercise of the right to portability does not affect the rights and freedoms of someone else

Right to object

You have the right to object to the processing of your information at any time where the legal basis we are relying on is either that the processing is:

  • Being carried out in the public interest, or;
  • Being carried out under an authority given to the Controller, or;
  • Where the processing is in our legitimate interests (as the Controller) or that of a third party

Unless:

  • We can demonstrate that we have justifiable grounds for processing which override your interests, rights and freedoms, or;
  • Where we are, or will be processing your information to establish, exercise, or defend a legal claim

You also have a right to object to the processing of your information where it is for direct marketing purposes, including profiling relating to direct marketing. Where your objection relates to processing for direct marketing purposes, we must stop any further processing for that purpose.

Where we are processing your information in pseudonymised form for scientific or historical research, or for statistical purposes, you have a right to object to the processing, unless it is necessary for reasons of public interest.

Right not to be subject to automated decision making, or profiling

You have the right not to be the subject of a decision made entirely based on automated processing, including profiling, which has a significant effect on you.

The right does not apply if

  • The decision is necessary to enable you to enter into a contract with us (as the Controller), or;
  • The decision is authorised by a UK or EU law we have to comply with, where the law lays down safeguards for your rights, freedoms and interests, or;
  • Where the decision is based on your specific agreement (known as explicit consent)

Automated Individual Decision-Making will not be carried out on special categories of data (which includes healthcare data) unless:

  • You have given us your specific agreement (explicit consent), or;
  • If it is necessary for reasons of substantial public interest, and;
  • Suitable measures have been put into place to protect your rights, freedoms and legitimate interests, which should, as a minimum, include the right to human intervention

National Fraud Initiative

Birmingham and Solihull CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for data matching. You can view further information here.