Fair processing notice - How your information is used
NHS Northern, Eastern & Western Devon Clinical Commissioning Group (NHS NEW Devon CCG) recognises how important it is that you are fully aware of the information we collect and hold about you as well as how we share that information. This guide explains what information is collected about you, why it is collected and the ways it is used by NHS NEW Devon CCG.
To ensure that your information is kept confidential and that our data is kept safe and secure, all our staff are given training in data protection and information governance before they start work with us. Current staff must also undertake regular refresher training courses tailored to their individual roles.
More information about information governance can be found here.
Who we are and what we do
NHS NEW Devon CCG is responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers such as hospitals and GP practices for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on services offered.
More information about us can be found here.
Access to your information
Our staff will only have access to information and/or data that is necessary for them to complete the business activity they are involved in. This reflects the Caldicott Principles, under which access to your information should be on a need-to-know basis only.
Staff access to confidential information is monitored through strict access controls to ensure your confidentiality is maintained.
Information we hold about you
This information is referred to as Personal Confidential Data (PCD) and we are mandated to ensure that it is treated in confidence and with respect, using the Caldicott Principles as our basis for managing your information.
NHS Digital - What we collect
NHS England - How we use your information
How we protect your information
Everyone working for the NHS is subject to the Common Law Duty of Confidence and governed by the Data Protection Act. Information provided in confidence will only be used for the purposes advised to, and consented to by, the patient, unless there are other circumstances covered by the law.*
*Section 251 of the NHS Act 2006 and the Health Service (Control of Patient Information) Regs 2002 allow the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. It was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information but it is not always practical to obtain consent. More information is available from Health Research Authority - Section 251.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. NHS England have produced some informative tools on how public information is shared.
NHS England - Better Information means Better Care:
How is your information used
Primary Care: Uses information which “directly contribute to the diagnosis, care and treatment of an individual”; or “the audit/assurance of the quality of the healthcare provided”.
Your records are used to guide healthcare professionals in the care you receive:
Using information for purposes other than direct healthcare
Secondary Care: Preventative medicine, medical research, financial audit and the management of health [and social] care services.
Healthcare organisations, such as your GP or the hospital that you visit, hold information about you in order to support the treatment that is provided. There are measures outlined in law which protect the information that is held by these organisations. These measures ensure that information is only shared appropriately and in line with your wishes.
Organisations will use this information to support you with any treatment or contact that you may have, which is known as use for direct care purposes. It helps them provide the most appropriate care for you as an individual and they may share information with other health professionals to ensure that they can make informed decisions. Where this information is shared, your confidentiality and privacy will be protected. To make sure this takes place, there are clear rules in our own procedures as well as national legislation.
As well as this information supporting your care, reports are produced which contain information to help plan future healthcare services, which is termed use for non-direct care purposes. This information is used to identify areas where our services need to expand, to improve and to change, in order to support our population fully and also to support the flow of funding from one NHS organisation to another. There are clear processes in place to say how this information can be used and what safeguards must be in place to protect patients. The ways in which information should be made anonymous are governed by the Department of Health.
NHS NEW Devon CCG processes three different types of information:
Ensuring that our staff and clinical leaders are suitably equipped to manage this important area of work is a key priority for NHS NEW Devon CCG and integral to our capacity to deliver on plans to build local trust. These team members have all been approved to carry out this work by our Caldicott Guardians.
For all other uses of your personal information we will either directly ask for your consent or use anonymised data that does not identify you. For example, it may be that we use anonymised and/or pseudonymised data for:
Third parties we share information with
There are circumstances where we need to share information without your consent. For example, when the health and safety of others (including members of staff) is at risk, to ensure we provide you with the correct care, to protect public health or when the law requires information to be passed on. Other examples are the prevention or investigation of serious crime, sharing under a court order, sharing in the public interest, and safeguarding concerns for vulnerable people.
Information may be withheld if it is believed it may cause serious harm or distress to you or to another person.
Sometimes it is necessary for us to share information with another organisation. For example, you may be receiving care from social services and we may need to share information about you so we can all work together for your benefit.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. Anyone who receives information from us is also under a legal duty to keep it confidential and secure.
We may also share your information, under a legal basis, to ensure you have continuous care (known as direct patient care) or to satisfy payments for commissioning services to deliver your healthcare needs, with organisations such as:
You have the right to confidentiality under the Data Protection Act 1998 (DPA), the Human Rights Act 1998 (HRA), the Health and Social Care Act 2012 (HSCA) as well as the common law duty of confidentiality. The Equality Act 2010 may also apply in some circumstances.
You have the right to know what information we hold about you, what we use it for and if the information is to be shared, who it will be shared with.
You have the right to:
Under normal circumstances we will not transfer your information outside of the European Economic Area, however there may be occasions where you require this information to be sent. In these instances, we will ask for and record your consent to do so and will take reasonable steps to ensure the safety of the information that is sent.
Your right to withdraw consent for us to share your personal information
At any time, you have the right to refuse/withdraw consent to information sharing. The possible consequences will be fully explained to you (this could include delays in receiving care).
Type 1 opt-outs: Personal confidential data not being shared outside your GP practice beyond direct care and circumstances required by law.
Type 2 opt-outs: Personal confidential data not being shared outside of NHS Digital (formerly HSCIC) beyond direct care and circumstances required by law.
For more information: NHS Digital - Your information choices
How do we keep your records confidential and secure?
The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances, for example, where we are required to by law.
In all cases, where personal information is shared, either with or without your consent, a record will be kept. We also adhere to the revised Caldicott Principles to make sure information is accessed and held securely and appropriately.
Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality. We only keep your records as long as we need to and are required to by law / national codes (for example, the IGA Records Management Code of Practice), after which they are securely destroyed by shredding.
How you can access your records
The Data Protection Act 1998 allows you to find out what information about you is held on computer and in certain paper records. This is known as a ‘right of subject access’. If you would like to see your records you can make a written request to us. You are entitled to receive a copy of your records and do not have to give a reason for the request, however, there may be a charge, to cover the administrative costs.
Consent will be required when requesting information relating to someone else. To make such a request, please refer to the leaflet ‘How to access information’.
To help you to understand what information we collect and how we use it please see our leaflet(s) and website for further information.
Your information: your rights, our responsibility (Patient leaflet)
Hard copies are also available in our waiting areas and from reception.
Better information means better care (Patient leaflet)
Queries, comments, concerns or objections
Should you have any queries or objections in relation to how we use your information or if you require this guide in an alternative format such as large print (or another language) please contact our Information Governance team via email: email@example.com
Information Governance Team
NHS NEW Devon Clinical Commissioning Group
Old Rydon Lane
You have the right at any time to request your information is not used in this way and to have your objections heard. We will comply with your request where we are able to do so in accordance with the law. We will discuss with you how this may affect our ability to provide care or treatment and any alternatives available to you.
To provide a safe, professional and efficient service, we need to keep information on record. Your personal details will be handled with sensitivity and confidentiality. We would encourage all patients to make sure their details are correct and kept up to date, especially if you change your name, address or telephone number. If you think any information we hold about you is not accurate, please let us know.
You have the right to view your records and request mistakes are corrected, but not to change the content as this may be clinically unsafe. If you are not happy with an opinion or comment, we will add your comments to your record.
We use your information in accordance with legislation such as the Data Protection Act 1998, the NHS Care Record Guarantee and the NHS Confidentiality Code of Conduct, all of which can be accessed online or posted on request. If you feel we are not following these commitments in any way, please tell us and we will fully investigate your concerns.
More information on how your personal information is used is available here.
Data Protection Act 1998
NHS Care Record Guarantee 2011
NHS Digital - A Guide to Confidentiality
Common Law Duty of Confidentiality
Confidentiality NHS Code of Practice
Information Commissioner's Office
Human Rights Act 1998
Appendix A - Our obligations under the Data Protection Act 1998 & the Human Rights Act 1998
Data Protection Act 1998
The Data Protection Act 1998 states:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
This is the first data protection principle. In practice, it means that you must:
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with us.
Once it has been established that a data controller does have the “lawful” power to share personal data it would then need to satisfy a Schedule 2 condition for processing and where sensitive personal data is involved, a Schedule 3 condition. It should be remembered though that even where a condition or conditions for processing can be met this will not on its own ensure that the processing is fair or lawful.
These issues need to be considered separately.
It is also worth briefly looking at the issue of “consent”. To the ICO, “consent” means just that. For example, someone is asked if their information can be used in a certain way. If they agree, release of information can proceed, but if they refuse their consent, then in the view of the ICO, their wishes should be respected and the information should not be used.
In addition it needs to be remembered that in data protection terms “consent” is but one condition that could be relied on to process personal and sensitive personal data. There are several other conditions that it may be possible to rely on depending on the purpose of the processing (and which are set out in Schedule 2 and in Schedule 3).
In terms of meeting a Schedule 2 condition, there are two that could be relied on. These are:
Meeting a Schedule 3 condition is more difficult (which is the way it should be). However, in these circumstances the ICO considers that a condition provided for in SI 417 (2000) could be met, namely:
The processing –
The ICO stresses that, where these conditions are being relied upon, there is the provision of fair processing information to the individuals involved, with more information being required where the data sharing is more extensive. Privacy notices should make it clear to individuals how their information is being used and where they can find out more about the processing and/or object to the processing (s10 of the DPA).
As the conditions above require that the sharing is either in the substantial public interest or is for confidential counselling purposes, added to the fact that public authorities must not act in any way that is incompatible with the Human Rights Act, we will seek the explicit informed consent of the patient or individual. It is also important to ensure that the other Data Protection principles are complied with, e.g. the information shared needs to be relevant and not excessive, it must be accurate and kept up to date, not kept for longer than necessary and kept secure.
If individuals know at the outset what we propose to use their information for, they will be able to make an informed decision about whether to:
If anyone is deceived or misled when the information is obtained, then this is likely to be unfair and will be a breach of the DPA.
The Data Protection Act says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised, or required, to provide it. The Data Protection Act does not define ‘lawfully’. However, “lawful” refers to statute and to common law, whether criminal or civil. An unlawful act may be committed by a public or private-sector organisation.
If processing personal data involves committing a criminal offence, the processing will obviously be unlawful. However, processing may also be unlawful if it results in:
Human Rights Act 1998
S6 Human Rights Act 1998 (HRA) makes it unlawful for a public authority to act in a way that is incompatible with a person's rights under the European Convention on Human Rights.
Another way of putting this is to say that all public authorities must comply with the Human Rights Act and their decisions can be challenged in court.
Therefore staff must be aware of convention rights and must understand the ‘positive obligations’ of the Act.
The NHS Constitution also outlines the rights of patients and what they can expect from the NHS.