Please click on the highlighted text within the notice for links to further information.
 

Who we are and what we do

Data Controller: NHS South Yorkshire Integrated Care Board

Address: 722 Prince of Wales Road, Darnall, Sheffield, S9 4EU

Data Protection Officer (DPO): Caroline Million, CM Associates

DPO Contact Details: caroline.million@outlook.com

 

NHS South Yorkshire ICB is responsible for planning and designing local health services across South Yorkshire. We do this by ‘commissioning’ or buying health and care services in each of our four ‘places’ in Sheffield, Barnsley, Rotherham and Doncaster including:

  • Planned hospital care
  • Unplanned care (urgent care)
  • Rehabilitation care
  • Community Health Services
  • Mental Health and learning disability services

We are also responsible for arranging unplanned care services for our registered patients and for commissioning services for any unregistered patients who live in South Yorkshire.

We manage the performance of services that we commission to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about these services.

For further information, please refer to the “About Us” page on our website.
 

How we use your personal information

The purpose of this notice is to inform you of the type of information (including personal information) that the ICB holds as a Data Controller, how that information is used, the legal basis for using the information, who we may share that information with, and how we keep it secure and confidential.

It covers information we collect directly from you or collect indirectly from other individuals or organisations for the ICB’s registered population.

This notice applies to all information held by the ICB relating to individuals, whether you are a patient, service user or a member of staff. This notice was last reviewed in July 2022.

 

Types of information we hold

We need to use information about you in various forms and will only use the minimum amount of information necessary for that purpose. Where possible we will use information that does not identify you.

The ICB uses and processes several different types of information:

  1. Identifiable - information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.
  2. Pseudonymised - individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity.
  3. Anonymised - data which is about you but from which you cannot be personally identified.
  4. Aggregated - grouped information about individuals that has been combined to show general trends or values without identifying individuals.

Throughout this Notice you will see reference to an organisation called NHS Digital within NHS England. They are the national provider of information, data and IT systems for commissioners (such as the ICB), analysts and clinicians in health and social care. NHS Digital provides information based on identifiable data passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information.

Our records may be held on paper or in a computer system.
 

Details of information used for specific purposes

Use of Anonymised Data

We use anonymised data (from which individuals cannot be identified) to plan health care services including:

  • Checking the quality and efficiency of the health services we commission;
  • Preparing performance reports on the services we commission;
  • Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
  • Reviewing the care being provided to make sure it is of the highest standard.

Use of Pseudonymised (De-identified) Information

We use de-identified information (using a coded ‘reference’ which does not reveal an individual’s identity) in our role as commissioner including:

To plan, design, purchase and pay for the best possible care available for you; look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts; prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; and help us plan future services to ensure they continue to meet our local population needs.

To identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the ICB in order to help us plan the most appropriate health services for our population.

Use of Personal and Sensitive (Identifiable) Information

There are some categories of personal data for which special safeguards are required by law, known as special category or sensitive data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.

The following list includes examples of where we collect and use personal information. Please click on each of the following examples for information on the purpose, the type of information used, the legal basis identified for the collection and use of the information, how we collect and use the information required, any third parties we may share the information with and your rights regarding the use of the information including, where relevant, your right to opt out.

Patient and the Public Information:

Data Controller(s)

SYICB

Purpose

Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning datasets. The ICB obtains these datasets from NHS Digital which relate to patients registered within the GP Practices in South Yorkshire. This enables us to plan, design, purchase and pay for the best possible care available for you.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Identifiable – when disclosed from Primary and Secondary care services to NHS Digital

Pseudonymised – the ICB may only receive this information in a pseudonymised format which does not identify individuals.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

For use by the ICB:

GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

GDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

A section 251 approval from the Secretary of State, through the Confidentiality Advisory Group, enables the pseudonymised information to be sent to the ICB via NHS Digital for our Commissioning purposes.

How we collect (the source) and use the information

The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you. Information such as your age, ethnicity and gender, as well as coded information about any clinic or Accident and Emergency attendances, hospital admissions and treatment will be included.

We also receive information from the GP Practices within the ICB that does not identify you.

We use these datasets for a number of purposes such as:

Performance managing contracts

Reviewing the care delivered by providers to ensure service users are receiving quality and cost-effective care

To prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement

To help us plan future services to ensure they continue to meet our local population needs

Data Processors

Yorkshire Data Services for Commissioning Regional Office (DSCRO), hosted by North of England Commissioning Support (NECS), obtains the identifiable information from the Secondary Uses Service (SUS) at NHS Digital. The DSCRO also receives identifiable information directly from providers. They pseudonymise the information and pass it to the ICB.

Your Rights

If you do not want the NHS to use information about you collected by your GP, you can opt out by completing an opt-out form and returning it to your GP practice. There are different types or levels of opt-out available. A Type 1 opt-out is where you do not wish for your information to be shared outside of your GP Practice for any purpose other than your direct care. Where you are happy for your information to be shared outside of your GP (to NHS Digital for example) but do not wish for your information to be shared further than this, for purposes other than your direct care, you may choose to opt out using the national patient opt out.

Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/

 

With regards to Commissioning under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information is retained in accordance with the Records Management Code of Practice 2021. Datasets received via NHS Digital are retained for as long as the Data Sharing Agreement is in place.

Who we will share the information with (recipients)

The University of Sheffield 

Sheffield Hallam University 

Data Controller(s)

SYICB

Purpose

Information from health and social care records, using the NHS Number provided via the Secondary Uses Service (SUS) at NHS Digital, is looked at to identify groups of patients who would benefit from some additional help from their GP or care team. This is known as ‘Risk Stratification.’ The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. You have the right to opt out of your information being shared by NHS Digital; please see the Your Right to Opt Out section below.

Type of information Used

Only de-identified information (NHS number removed) is accessible to the ICB (known as aggregate data).

Only GP Practices have access to identifiable information (Name and NHS Number) of their own patients in order to see who may benefit from additional help.

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

UKGDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

A section 251 approval (CAG 7-04(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the pseudonymised information to be sent to the ICB via NHS Digital in order to help us plan the most appropriate health services for our population.

How we collect (the source) and use the information

Primary Care data extracted from individual GP practices and Secondary Care data (collected nationally via the Secondary Uses Service): Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health is passed to the Data Services for Commissioners Regional Office (DSCRO) so that the information can be linked. This information is passed to North of England Commissioning Support (NECS) who provides the Risk Stratification tool to GP Practices on behalf of the ICB.

De-identified information is made available to the ICB to provide a picture of the health and needs of their local population, which enables:

  • priorities to be determined in the management and use of resources;
  • planning of services, covering the range of potential questions and issues they may need to consider; and
  • to support and evidence decisions.

Data Processors

North of England Data Services for Commissioners Regional Office (DSCRO) hosted by North of England Commissioning Support (NECS)

North of England Commissioning Support (NECS) – suppliers of the Risk Stratification solution.

Prescribing Services Ltd.

Your Rights

If you do not wish for your information to be shared outside of your GP practice for any purpose other than your direct care, you can opt out at your GP practice. Where you are happy for information to be shared outside of your GP (to NHS Digital for example) but do not wish for your information to be shared further than this, for purposes other than your direct care, you may choose to opt out using the National Data Opt-Out. Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/

With regards to Risk Stratification under GDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information is retained in accordance with the Records Management Code of Practice 2021. Datasets received via NHS Digital are retained for as long as the Data Sharing Agreement is in place.

Who we will share the information with (recipients)

This information is not shared outside of the ICB other than with the Data Processors named in this section.

 

Data Controller(s)

SYICB

Purpose

Monitoring how the ICB’s website is used. This is done to find out things such as the number of visitors to the various parts of the site.

Type of information Used

Identifiable: Personal (IP address)

Legal basis

UKGDPR Article 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the Controller

How we collect (the source) and use the information

When someone visits the ICB’s website information is collected in a standard internet log to enable the ICB to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow our website provider, FRANK Design Ltd, to make, any attempt to find out the identities of those visiting our website.

Please see our Privacy and Cookies policies on our website.

Data Processors

FRANK Design Ltd – website provider

 

Your Rights

Under UKGDPR you have the right:

  • To be informed about the processing of information (this notice)
  • To object to it being processed. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

How long we will keep the information

Logs are kept for 6 months.

Who we will share the information with (recipients)

This information is not shared outside of the ICB.

 

 

 

Data Controller(s)

SYICB

Purpose

As a public authority, the ICB has a duty to respond to requests made under the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), and the Re-Use of Public Sector Information Regulations 2015 (RPSI).

Type of information Used

Identifiable:  Personal (name and either email or postal address only)

Legal basis

UKGDPR Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’

Relevant legislation: FOIA, EIR and RPSI.

UKGDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

Relevant legislation: FOIA, EIR and RPSI

How we collect (the source) and use the information

We will only collect identifiable information such as name and contact details provided by individuals making requests under the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and the Re-Use of Public Sector Information Regulations 2015 (RPSI). This information will only be used to respond to such requests and in correspondence with individuals following appeals.

The personal data we process is freely provided by applicants who wish to exercise their right to use the above legislation in order to access information held by or on behalf of the ICB.

Where the individual is making a request under the Re-Use of Public Sector Information Regulations 2015, by law we also require the name of the organisation and the re-use purpose.

Data Processors

None

Your Rights

With regards to Freedom of Information Requests under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

FOIA requests and associated responses will be kept for 3 years following the closure of the request except in cases where there has been a subsequent appeal. For those cases, information will be kept for 6 years following the closure of the appeal.

Who we will share the information with (recipients)

This information is not shared outside of the ICB.

Data Controller(s)

SYICB

Purpose

Under the NHS Complaints Procedure, individuals have a right to complain to both providers and commissioners about services provided by the NHS.

A complaint may relate to a service which the ICB is directly responsible for providing, or it may relate to a service which we have commissioned for the patients who we are responsible for, for example hospital services. The ICB requires this information in order to investigate and help to resolve complaints.

Type of information Used

Identifiable:  Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

UKGDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

How we collect (the source) and use the information

When the ICB receives a complaint from a person, a complaint file is made up which will normally contain the identity of the complainant, the identity of the patient (where this is a different person) and any other individuals involved, plus details of the complaint, including health information.

The ICB will only use the identifiable information we collect to process the complaint and to check the level of service we provide.

Where the complainant is not the patient, the ICB will usually need to disclose the complainant’s identity to whoever the complaint is about in order to obtain consent under the Common Law Duty of Confidentiality to proceed with the complaint and for the complainant to correspond with us on behalf of the patient.

Data Processors

None

Your Rights

With regards to Complaints under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Complaint files are kept for a maximum of ten years.

Who we will share the information with (recipients)

Where complaints relate to a service we commission, such as hospital care, the complaint will be shared with that organisation. The complainant will be informed where this occurs.

Data Controller(s)

SYICB

Purpose

Invoice validation is part of the process by which providers of care or services get paid for the work they do.

Invoices, with supporting information, are submitted to the ICB for payment, but before payment can be released, the ICB needs to ensure that the activity claimed for each patient is their responsibility. These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) within the ICB to ensure that the right amount of money is paid, by the right organisation, for the treatment provided. The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people and is designed to protect confidentiality.

Type of information Used

Identifiable (NHS number, date of birth or postcode) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

UKGDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

A section 251 approval (CAG 7-07(a-c)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the ICB to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.

How we collect (the source) and use the information

Organisations that provide treatment submit their invoices to the ICB for payment. The secure area within the ICB (Controlled Environment for Finance) receives additional information, including the NHS Number, or occasionally date of birth and postcode, from the organisation that provided the treatment.

NHS Digital sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.

Outside of the Controlled Environment for Finance the ICB does not receive any identifiable information for purposes of invoice validation; however we do receive aggregated reports to help us manage our finances.

Data Processors

The Controlled Environment for Finance within the ICB uses NHS Shared Business Services as a Data Processor

Transfers of Data Overseas

 

NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.

Your Rights

With regards to Invoice Validation under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

 

Invoice Validation has been granted an exemption from the National Data Opt-Out by the Confidentiality Advisory Group.

How long we will keep the information

Invoices are retained for 6 years after the end of the financial year to which they relate.

Who we will share the information with (recipients)

This information is not shared outside of the ICB.

Data Controller(s)

SYICB

Purpose

To fund specific treatment for you for a particular condition that is not covered in our contracts with providers. Individual Funding Requests provide payments required to receive specialist treatment, not routinely provided on the NHS, on a case by case basis.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information) – to make payments

 

Anonymous – to provide reports for analysis of payments made

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

UKGDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

How we collect (the source) and use the information

Information required to make payments in relation to funding treatments is provided by you, along with relevant information from primary and secondary care regarding the referral for specialist treatment. The ICB will only use the identifiable information we collect to process the request for funding.

This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.

Data Processors

Blueteq Ltd

Your Rights

With regards to Individual Funding Requests under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information relating to Individual Funding Requests where the funding has been granted will be retained as per the standard care records retention set out in the Records Management Code of Practice for Health and Social Care 2021.

Where requests have been rejected information will be retained for 2 years.

Who we will share the information with (recipients)

This information is not shared outside of the ICB.

Data Controller(s)

SYICB

Purpose

Where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs), we use your information in order to be able to make the appropriate arrangements for resulting care packages.

Section 117 of the Mental Health Act 1983 (MHA 1983) imposes duties on NHS ICBs and Local Social Services Authorities (LSSAs) to provide after-care for patients who have been detained under sections 3, 37, 45A, 47 and 48 of the MHA 1983 once they leave hospital.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

UKGDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

The CHC process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.

How we collect (the source) and use the information

The CHC/Section 117 team will collect, use, share and securely store information from/with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.

Data Processors

In Rotherham and Barnsley:

CHS Healthcare (system suppliers of the Broadcare system)

TPP – suppliers of SystmOne electronic patient records system

 

In Sheffield:

QAPlus Ltd - Suppliers of the QA CHC records system

TPP - suppliers of SystmOne electronic patient records system

 

In Doncaster:

Carehome Selection Ltd, trading as CHS HEALTHCARE, to undertake Continuing Healthcare Eligibility Reviews and High Cost Care Commissioning Reviews

CHS Healthcare (system suppliers of the Broadcare system)

TPP – suppliers of SystmOne electronic patient records system

Your Rights

With regards to Continuing Healthcare under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information relating to Continuing Healthcare/Section 117 requests where the funding has been granted will be retained as per the standard care records retention set out in the Records Management Code of Practice for Health and Social Care 2021. 

Where requests have been rejected information will be retained for 2 years.

Who we will share the information with (recipients)

The Local Authority (Social Services), Care Homes, health and care organisations involved in delivering or arranging the continuing care required.

Data Controller(s)

SYICB

Purpose

A Personal Health Budget is an amount of money allocated to pay for your health and wellbeing needs agreed between you and your local NHS team. Personal Health Budgets help people with long term health conditions manage their care and support in a way that suits them. It helps them to have more choice and flexibility in the way their care and support needs are met. Any adult or child who is eligible for NHS Continuing Healthcare can have a Personal Health Budget if they want one. There are plans to widen the availability of Personal Health Budgets in the future.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

UKGDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

Relevant legislation: National Health Service (Direct Payments) Regulations 2013

How we collect (the source) and use the information

Personal Health Budgets are managed in one of three ways or a combination of all three.

  • Notional - We tell you how much money is available for your care; you say how you want us to spend the money. If your local NHS team agrees this meets your needs, they arrange the care and support for you.
  • Third Party - An organisation looks after the money for you and you say how you want to spend it. If your local NHS team agrees this meets your needs, the organisation pays for the care and support you have chosen.
  • Direct Payments - Once your care plan has been agreed, we give you or your representative the money to buy and manage your own healthcare and support. Your local NHS team must agree that this meets your needs.

You can spend your Personal Health Budget on any care or services that are set out in your care plan and agreed with your local NHS team. You will be able to use your Personal Health Budget for a range of things to help you meet your goals, for example therapies, personal care and equipment. You do not have to change the healthcare and support that is working well for you, but if there is something that is not working, you can change that.

Things you cannot include in your plan will be explained to you at the beginning of the planning process. You will not need to pay for emergency care and care you normally get from a GP.

This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.

Data Processors

For Rotherham, Barnsley and Doncaster:

None

For Sheffield:

Sheffield City Council who arrange and administer jointly funded packages of care agreed as part of the PHB scheme.

Your Rights

With regards to Personal Health Budgets under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information relating to Personal Health Budgets where the funding has been granted will be retained as per the standard care records retention set out in the Records Management Code of Practice for Health and Social Care 2021

Where requests have been rejected information will be retained for 2 years.

Who we will share the information with (recipients)

The Local Authority (Social Services), health and care organisations involved in delivering or arranging the care required. The third party looking after your money where this has been arranged.

Data Controller(s)

SYICB

Purpose

Information for safeguarding purposes is used to assess and evaluate safeguarding concerns to ensure individuals (adults at risk of abuse and children) within the ICB boundary are effectively protected by the services we commission.

Type of information Used

Identifiable: Personal (such as name, address, date of birth, date of death) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

UKGDPR Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’

For the purposes of Article 9(2)(b) the provisions of the Children Acts 1989 and 2004, and the Care Act 2014 are relevant.

How we collect (the source) and use the information

The ICB receives information relating to safeguarding concerns directly, or through partner notifications of concerns from health, police and/or social care organisations. All health, police and social care professionals have a legal requirement to share information with appropriate agencies where safeguarding concerns about children or adults have been received.

 

Where appropriate to do so the organisations keep the ICB Safeguarding Team informed and cooperate with information sharing when appropriate.

 

Access to patient identifiable information is strictly controlled and where there is a requirement to share information, e.g. with police or social services, all information will be transferred safely and securely, ensuring only those with a requirement to know of any concerns are appropriately informed.

 

The Children Act 1989 establishes implied powers for local authorities to share information to safeguard children. Local authorities have a duty to investigate where a child is the subject of an emergency protection order, is in police protection or where there is reasonable cause to suspect that a child is suffering or is likely to suffer significant harm.

 

The Children Act also requires local authorities ‘to safeguard and promote the welfare of children within their area who are in need’ and to request help from specified authorities including NHS Trusts and Foundation Trusts, NHS England and ICBs. These are required by the Children Act to comply with such requests. Under the Children Act 2004 local authorities must make arrangements to promote cooperation with relevant partners and others, to improve well-being.

 

The Care Act 2014 outlines the responsibilities of organisations to comply with requests for information from the Safeguarding Adults Board to enable or assist the Board to exercise its functions. This may include information required to undertake a Safeguarding Adult Review.

 

The statutory guidance to the Care Act emphasises that early sharing of information is the key to providing an effective response where there are emerging concerns, and that partner organisations should ensure that they have the mechanisms in place that enable early identification and assessment of risk through timely information sharing and targeted multi-agency intervention.

Data Processors

None

Your Rights

With regards to Safeguarding under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To be notified of data breaches

How long we will keep the information

Information is kept in accordance with the Records Management Code of Practice for Health and Social Care 2021 – depending on the nature of the records held, some records will be kept for longer than the standard retention periods within the Code of Practice.

Who we will share the information with (recipients)

Information may be shared with Safeguarding Boards and Safeguarding Partnerships, Multi-Agency Safeguarding Hubs (MASH), Multi-Agency Risk Assessment Conference (MARAC), Multi Agency Public Protection Panels, Local Authority, other Health and Social Care organisations or the Police, if it is appropriate to do so and proportionate to the issue being shared.

 

Data Controller(s)

SYICB

Purpose

If you have asked the ICB to keep you regularly informed and up to date about the work of the ICB, or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and use information you share with us. Where you submit your details to us for involvement purposes, we will only use your information for this purpose.

Type of information Used

Identifiable: Personal (such as name, address, date of birth)

Special Category (health information) voluntarily disclosed as part of personal views and care experiences

Legal basis

UKGDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

Relevant legislation – Health and Social Care Act 2012 – ICBs have a statutory duty to consult with the public.

UKGDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

How we collect (the source) and use the information

We will be collecting and using your information to enable us to keep you informed of any news, consultation activities or patient participation groups.

Your information will be held securely and accessible only to those who need it for the purposes it was collected. Information provided about care experience will not be disclosed in an identifiable manner without your explicit written consent

Data Processors

Survey Monkey – survey hosting and reporting

Mailchimp – bulk email, engagement management, click analysis

Twitter – click analysis

Eventbrite – event management

Facebook – click analysis

SiteKit Ltd – website hosting

Traktivity – contacts information

FrankLTD – website design / hosting

Instagram – click analysis

Objective Corporation

Your Rights

With regards to Patient and Public Involvement under GDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information we hold about you.
  • To have that information amended in the event that it is not accurate.
  • To have the information deleted
  • To restrict processing
  • To object to processing
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information in relation to public consultations will be kept for 5 years following the end of the consultation.

Membership database data will be kept for two years after explicit consent was last obtained

Who we will share the information with (recipients)

This information is not shared outside of the ICB

 

Data Controller(s)

SYICB

Purpose

ICBs collaborate with Public Health services (both Public Health England and Local Authorities) and NHS England and work closely with provider organisations involved in patient care, to jointly identify and agree the possible causes of, or factors that contributed to, and learning related to the prevention and reduction of, patients’ Health Care Associated infections in relation to national guidance.

Type of information Used

Identifiable:  Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

UKGDPR Article 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Related legislation:

The Health and Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015) and

Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002

How we collect (the source) and use the information

ICBs participate in Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. The ICB receives this information from healthcare providers.

The ICB uses the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system and identify learning in order to reduce and prevent further Health care associated infections.

Data Processors

Barnsley NHS Foundation Trust 

Doncaster and Bassetlaw Teaching Hospital NHS Foundation Trust 

Your Rights

With regards to Infection Prevention and Control under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Post infection reviews may be kept for up to six years.

Who we will share the information with (recipients)

Information may be shared with Primary and Secondary healthcare providers and with Local Authorities who are responsible for Public Health within the ICB boundary.

Data Controller(s)

SYICB

Purpose

Assuring Transformation (AT) data collects information about individuals with learning disabilities and/or autism, who may have a mental health condition or behaviour that challenges, in in-patient settings, and provides it to the ICB. It gives the ICB broad oversight of their care.

An Easy Read description is available from: https://www.england.nhs.uk/publication/what-is-assuring-transformation/

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

It is a statutory duty for the ICB to participate in this data collection. There are formal directions from the Secretary of State mandating the collection.

UKGDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

A section 251 approval (CAG 8-02(a-c)/2014) from the Secretary of State, through the Confidentiality Advisory Group, enables the flow of personal confidential data from organisations to commissioners, about the services that they provide for:

  • people in in-patient beds with learning disabilities and/or autism of:
      • any age
      • any level of security (general / low / medium / high)
      • any status under the Mental Health Act (informal or detained)

However, the information cannot be shared if:

  • the individual has objected to the use of their information as part of the AT data
  • the individual lacks capacity to make their own decision

How we collect (the source) and use the information

The AT data is sent to the ICB from healthcare providers and collected by NHS Digital on NHS England’s behalf. It covers all people with learning disabilities and/or autism that are being cared for in in-patient settings and includes: the number of people in in-patient settings; discharges and admissions; whether individuals have a care plan, a care co-ordinator, regular care reviews and access to independent advocacy; the age and gender of individuals; and the type of in-patient setting that is providing their care. The information collected is published in reports by NHS Digital. The reports do not include any personal information, like names, birthdays or NHS numbers in them.

Data Processors

None

Your Rights

Under the NHS constitution you have the right to be informed about how your information is used. You also have the right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis. If you do not wish for your information to be included in the information sent to NHS Digital, then please let us know.

With regards to Assuring Transformation under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Information is kept for no longer than 8 years.

Who we will share the information with (recipients)

Information will be received from healthcare providers and shared with NHS Digital and NHS England.

Data Controller(s)

SYICB

Purpose

Controlled Drugs Monitoring - The ICB has a duty to assist the relevant Controlled Drug Accountable Officer (CDAO) of NHS England in the carrying out of the CDAO’s functions under The Controlled Drugs (Supervision of Management and Use) Regulations 2013. These regulations aim to strengthen the governance arrangements for the use and management of controlled drugs.

Minor Ailments - The Minor Ailments Scheme enables you to receive prescription medications, to treat a range of common conditions, direct from the pharmacist without a GP prescription.

Medicines Management Care Home Team

The Medicines Management Care Home Team work with Care Homes to assist with medication ordering, and medicines queries.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

Relevant legislation: The Controlled Drugs (Supervision of Management and Use) Regulations 2013

UKGDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

Common Law Duty of Confidentiality – for Controlled Drugs Monitoring it is a legal requirement for the ICB to undertake this work under The Controlled Drugs (Supervision of Management and Use) Regulations 2013

For the Care Homes Team this is for the provision of Direct Care

How we collect (the source) and use the information

Patient prescriptions of Controlled Drugs containing NHS number may be sent to the Medicines Management team at the ICB from the CDAO at NHS England. The ICB sends this to the relevant GP for further information in relation to the prescribing, which is returned to the ICB.

Community Pharmacists enter records of patients seen along with their medical condition. The pseudonymised version is shared for payment and service planning purposes.

The Care Home Team work with Care Homes in Rotherham and assist with medication ordering, and medicines queries. Once medication has been ordered by the Care Home Technician in the GP system, a copy is sent to the Medicines Management team at the ICB in the event that any subsequent queries are raised in the absence of the Care Home Technician.

Data Processors

For Sheffield:

UKFAST – web hosting

For Barnsley:

Prescribing Services Ltd.

For Rotherham and Doncaster:

None

Your Rights

With regards to Medicines Management under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Locally held controlled drugs information will be kept for 7 years.

NHS England and NHS Business Services Authority guidance for controlled drugs can be found at: http://www.nhsbsa.nhs.uk/PrescriptionServices/1120.aspx and https://www.england.nhs.uk/wp-content/uploads/2013/11/som-cont-drugs.pdf

NHS BSA will keep primary data on controlled drugs for 20 years then review.

Copies of medication orders via the Care Homes team are retained at the ICB for 3 months then securely destroyed.

Who we will share the information with (recipients)

This information is shared between GP Practices, the ICB and NHS England.

 

Care Home Team – The information is shared between GP Practices, Care Homes and the ICB.

 

Data Controller(s)

SYICB

Purpose

Care, Education and Treatment Reviews (CETRs) are part of NHS England’s commitment to transforming services for people with learning disabilities, autism or both. CETRs are for people whose behaviour is seen as challenging and/or for people with a mental health condition who may be at risk of Hospital admission for treatment of a Mental Health admission, or for Children who are at risk of going into 38-53 week Residential provision. They are used by commissioners for people living in the community and in learning disability and mental health hospitals.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

 UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

UKGDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

This process is carried out with consent from the patient in order to satisfy the Common Law Duty of Confidentiality.

How we collect (the source) and use the information

Care, Education and Treatment Reviews are independent panel meetings about your care arranged by the ICB. The CETR panel is made up of professionals who are not involved in your everyday care. The panel members listen to you and to everyone involved in your care. They look at your notes and check that your care and plans are working well. They use this information and their own experience to decide what will improve your care and plans for the future. They speak up when they think your care could be different or better.

ICBs have to understand people’s needs, to plan for different levels of support at different times. They work with other health and social care services to find out who needs extra support or contact to make sure things are okay.

A proactive monitoring and support register is maintained which is reviewed weekly. Individuals vulnerable to hospital admission are reviewed as an integral part of this process. A community CETR may be an outcome of this register if the additional health and social care support is unable to meet increasing needs.

In an emergency there may not be time to convene a community CETR in which case a local area emergency protocol (LAER) meeting will be called.

In the event an individual is admitted to hospital a CETR will be undertaken within four weeks of admission and reviewed every six months thereafter.

Data Processors

None

Your Rights

With regards to Care, Education and Treatment reviews under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

8 Years from date of last contact for adult records

At least until their 25th or 26th birthday for Children’s records

Who we will share the information with (recipients)

Information may be shared with the Local Authority, and primary and secondary healthcare providers.

 

Data Controller(s)

SYICB

Purpose

The ICB collects and uses information from Serious Incident reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately and lessons learnt.

Type of information Used

Identifiable:  Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

UK GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

Related legislation:

NHS Act 2006/Health and Social Care Act 2012.

UK GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

How we collect (the source) and use the information

We are statutorily required to fully investigate and review incidents and will receive information from Primary and Secondary Care Providers. Where there is a requirement to provide incident reports externally, the information will be anonymised unless there is a legal requirement to provide your details. You will be kept informed of the requirements we are required to meet where information is to be shared externally.

Data Processors

None

Your Rights

With regards to Serious Incident Reports under UK GDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

Serious Incident reports are retained for 20 years.

Who we will share the information with (recipients)

Your information may be shared with Primary and Secondary healthcare providers involved in the incident.

Data Controller(s)

SYICB, NHS England

Purpose

The Maternity and Neonatal Independent Senior Advocacy service exists to provide relevant support in relation to your experience with Maternity and Neonatal Services. This includes:

  • Engaging with the healthcare setting you are involved in to seek improvement, dialogue or understand issues
  • Providing you with any signposting for other support relevant to your situation
  • NHS England use your personal data to assess the viability of the service and ensure improvement in services; for both the MNISA and maternity services
  • De-identified information is used to help understand themes and trends raised, scope and reach of the service, to be able to report progress of the pilot and to help understand the impact of the MNISA work.

 

Type of information Used

  • Your contact information including name, telephone number and email address
  • Health related information 
  • Date and details relating to your experiences 
  • Racial or ethnic origin 

 

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

 

UKGDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

 

How we collect (the source) and use the information

We collect personal data from you when you approach the MNISA service to engage with an Advocate/the service

Data Processors

None

Your Rights

With regards to Maternity and Neonatal Independent Senior Advocacy service, under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

 

How long we will keep the information

10 Years

Who we will share the information with (recipients)

We may share your information with the healthcare setting you have told us about.

We will talk with you about what information we feel may be necessary to share in order to seek improvement or engage in discussions with them about your experiences.

Data Controller(s)

NHS Humber & North Yorkshire Integrated Care Board

 

Purpose

Primary care services provide the first point of contact in the healthcare system, acting as the ‘front door’ of the NHS. Primary care includes general practice, community pharmacy, dental, and optometry (eye health) services. The ICB manages a series of contracts for the above groups to support continued patient access and to enable the delivery of the most appropriate primary care services needed across the ICB footprint. The ICB also oversees the quality of these service contracts to ensure that contracts are compliant and responsive to national changes of service specifications or regulations.

 

Special Allocation Scheme:

It is important that practices can maintain a safe environment for their patients and all staff working in the practice.  NHS Regulations allow a GP practice to immediately remove a patient from their list following any incident where a GP or member of practice staff has feared for their safety or wellbeing, resulting in the incident being reported to the police.

Special Allocation Schemes were created to ensure that patients who have been removed from a practice patient list can continue to access healthcare services at an alternative, specific GP practice. The ICB has a responsibility to ensure that all patients can access good quality GP services and that patients are not refused healthcare following incidents that are reported to the police.

Patients are registered on the scheme by the submission of a request for immediate removal of the patient to Primary Care Support England by a GP practice. Patients are sent a letter informing them that they have been registered on the scheme and the ICB receives a copy of the request from PCSE.

 

Incidents:

Data is processed in relation to patient safety and other incidents reported to the ICB which affect a POD provider or contractor. Data is used to enable identification of patients involved, support investigation of incidents, and ensure remedial action is taken as necessary.

 

Requests:

Data is also processed for requests for substitution for domiciliary sight testing visits and for vouchers (for extra pairs of glasses) in the context of approving requests.

Type of information Used

Anonymised – for contracting.

Identifiable & Special Category for removal requests: Patient’s name, NHS number, DOB, contact details, and details of the incident for which the practice is requesting removal.

Incidents: NHS Number

Requests: Name, address, D.O.B

Legal basis

GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

How we collect (the source) and use the information

Patient identifiable data may be received from Primary Care Support England, from community pharmacy, optometry, and dental contractors, and from other health sector organisations such as hospital trusts. This information is used to allow the ICB to deliver key functions relating to the commissioning, contracting, and assurance of primary care services.

Data Processors

NHSE – These functions have transferred from NHSE to NHS H&NY ICB as of 1st July 2023. Data will continue to be stored and accessed on NHSE systems for the next 12 months at which time all data will transfer to the ICB.

Your Rights

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.

Who we will share the information with (recipients)

Details of incidents are shared with the contractor in which the incident occurred (who would usually have an existing relationship with the patient) and the NHSE professional adviser.

 

Data Controller(s)

SYICB

Purpose

Where our offices have CCTV, we may record images of people approaching, entering or passing our buildings to:

  • help staff and visitors feel safer
  • act as a deterrent to opportunists
  • allow the collection of evidence to help find and convict offenders
  • prevent, detect, investigate and prosecute fraud.

 

There will be clear signs outside the relevant buildings to advise you that CCTV is in operation.

 

Type of information Used

Identifiable:  Personal (image from which an individual is identifiable)

Legal basis

UK GDPR Article 6(1)(f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…’

How we collect (the source) and use the information

To protect the health, safety and wellbeing of our staff and protect NHS property and funds.

Data Processors

None

Your Rights

With regards to CCTV under UK GDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To request that the CCTV recording be deleted if you believe the ICB is processing it for longer than is necessary.

How long we will keep the information

We will delete recordings 30 days after the CCTV footage was taken. This ensures that any subsequent investigations can be completed

Who we will share the information with (recipients)

Information is not shared outside of the ICB

Staff Information:

The ICB, as an NHS employer, needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the ICB complies with employment law, or to provide other services related to their employment. For more details about how staff information is used please click on the following:

Data Controller(s)

SYICB

Purpose

The ICB will process information provided by applicants for the management of their application and the subsequent selection process.

Type of information Used

Anonymous – for shortlisting and selection purposes

Identifiable: Personal (such as name, address, date of birth etc.) - following the short-listing process

Legal basis

UKGDPR Article 6 – 6(1)(c) ‘…necessary for compliance with a legal obligation…’ 

For criminal conviction information (obtained via the Disclosure and Barring Service (DBS)) processing meets the requirements of Article 10 of the UKGDPR under Schedule 1, Part 1 of the Data Protection Act 2018 - processing in connection with employment, health and research - Processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection.

Relevant legislation: the provisions of the Safeguarding Vulnerable Groups Act 2006 as a basis for carrying out DBS checks.

How we collect (the source) and use the information

The recruitment process involves passing details provided by you on your application regarding your qualifications, skills and work experience (but excluding your name, address and other personal data) to the short-listing and selection panels. After shortlisting, the names of those being interviewed will be provided to the interview panel. On occasion the interview panel may include colleagues external to the ICB, such as a Local Authority. Details provided by you are also used to help fulfil our obligations to monitor equality and diversity within the organisation and process your application.

Data Processors

Methods Consulting Ltd – management of NHS Jobs (recruitment website)

Your Rights

Under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To be notified of data breaches

How long we will keep the information

For unsuccessful job applicants, information is retained for 1 year.

For successful applicants, job application information is retained for 3 years.

Who we will share the information with (recipients)

This information is not usually shared outside of the ICB unless an individual external to the ICB is included on the interview panel.

Data Controller(s)

SYICB

NHS Business Services Authority (for the Electronic Staff Record aspect)

Purpose

The ICB holds personal and confidential information of its staff for employment-related purposes, such as recruitment, payment of salary and expenses, sickness and absence monitoring and professional development purposes.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health, racial or ethnic origin information)

Information relating to criminal convictions (DBS checks).

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

UKGDPR Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.

For criminal conviction information (obtained via the Disclosure and Barring Service (DBS)) processing meets the requirements of Article 10 of the UKGDPR under Schedule 1, Part 1 of the Data Protection Act 2018 - processing in connection with employment, health and research - Processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection.

Relevant legislation: the provisions of the Safeguarding Vulnerable Groups Act 2006 as a basis for carrying out DBS checks.

How we collect (the source) and use the information

The ICB uses information for the purposes of employment in a variety of ways including:

  • Recruitment – application forms, collecting references, carrying out DBS checks, payroll, expenses and pension information.
  • Managing and monitoring annual leave and sickness.
  • Carrying out personal development reviews.
  • Referrals to Occupational Health
  • Disciplinary procedures.
  • Processing staff leavers, retirements and providing references.
  • Recruitment of temporary staff/student placements

Data Processors

Victoria Pay Services (Payroll) NHS Sheffield Teaching Hospitals

IBM (system supplier of the Electronic Staff Record - ESR)

Methods Consulting Ltd – management of NHS Jobs (recruitment website)

NHS SBS (finance system) for payroll purposes

Health Management Limited – provider of Occupational Health services

Transfer of information overseas

NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.

Your Rights

Under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To be notified of data breaches

How long we will keep the information

In accordance with the Records Management Code of Practice 2021

Who we will share the information with (recipients)

In addition to the sharing with our named Data Processors above, the ICB shares information with a variety of organisations and individuals for a number of lawful purposes including:

  • Public disclosure under Freedom of Information - e.g. requested names or contact details of senior managers or those in public-facing roles;
  • Disclosure of job applicant details - e.g. to named referees for reference checks, to the Disclosure & Barring Service for criminal record checks
  • Disclosure to employment agencies - e.g. in respect of agency staff;
  • Disclosure to banks & insurance companies - e.g. to confirm employment details in respect of loan/mortgage applications/guarantees;
  • Disclosure to professional registration organisations - e.g. in respect of fitness to practice hearings;
  • Disclosure to Occupational Health professionals (subject to explicit consent);
  • Disclosure to police or fraud investigators - e.g. in respect of investigations into incidents, allegations or enquiries.

 

Data Controller(s)

SYICB

Purpose

The ICB is required to maintain and publish on its website registers of interests, gifts and hospitality for all staff of the ICB.

Type of information Used

Identifiable: Personal (name and job role)

Legal basis

UKGDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Statutory guidance for ICBs on Managing Conflicts of Interest under Section 14O of the National Health Service Act 2006 (as amended by the Health and Care Act 2022 and the Integrated Care Boards (Establishment) Order 2022)

How we collect (the source) and use the information

The ICB maintains and publishes Registers of Interest and Gifts and Hospitality containing names, job roles, details of the interest and/or receipt of gifts/hospitality including the details of those supplying the gift/hospitality as per the guidance on Managing Conflicts of Interest.

Data Processors

None

Your Rights

In exceptional circumstances, where the public disclosure of information could lead to a real risk of harm or is prohibited by law, a person’s name or other information may be withheld from the published registers. If you feel that substantial damage or distress may be caused to you or somebody else by the publication of information in the registers, you are entitled to request that the information is not published. Such requests must be made in writing to the ICB.

Under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To restrict or stop processing
  • To object to it being processed or used
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

The ICB will keep a private record of historic interests and offers/receipt of gifts and hospitality for a minimum of 6 years after the date on which it expired.

Who we will share the information with (recipients)

The registers are published on the ICB’s website.

Information may be shared with NHS England.

Data Controller(s)

SYICB

Purpose

The ICB is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud under the National Fraud Initiative.

The Cabinet Office is responsible for carrying out data matching exercises.

Type of information Used

Identifiable: Personal

Legal basis

UKGDPR Article 6 (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Relevant Legislation: Part 6 of the Local Audit and Accountability Act 2014 (LAAA).

How we collect (the source) and use the information

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.

Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

 

Data matching by the Cabinet Office is subject to a Code of Practice.

Data Processors

None

Your Rights

Under UKGDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • To be notified of data breaches

How long we will keep the information

The datasets used in the matching exercise by the Cabinet Office will be kept as per the Code of Data Matching Practice.

Who we will share the information with (recipients)

The Cabinet Office and Counter Fraud Authority

Sharing Information with Health and Care organisations

Information Sharing Agreements and contracts will be in place ensuring that where we share information, this meets both the requirements of the Health and Care Act 2022 and the current Data Protection legislation ensuring that your confidentiality and rights are not breached.

The ICB is actively working with health and social care partners to ensure that where you receive a referral, for example for community services, all the relevant information that organisation requires in order to offer you the right service is available. We are also working with the hospitals that provide services to our population to ensure that if you find yourself in an emergency situation, relevant and potentially lifesaving information from your GP record will be available, showing any latest tests and any allergies you may suffer from, which the hospital clinicians will need to know.

Whenever a new arrangement is made to share information externally, both with health and social care organisations and with third party suppliers, we will ensure that a legal basis has been identified, using a tool called a Data Protection Impact Assessment, which will highlight any risks to your information and ensure they are resolved before any sharing takes place.

 

Our Commitment to Data Privacy and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.

In the circumstances where we are required to use personal identifiable information, we will only do this if:

  • The information is necessary for your direct healthcare, or
  • We have received explicit consent from you to use your information for a specific purpose, or
  • There is an overriding public interest in using the information:
    • In order to safeguard an individual,
    • To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
  • There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation), or
  • We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary for our work

Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection toolkit.

Our staff, contractors and committee members receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Staff are trained to recognise and report an incident, and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

The ICB maintains a set of regularly updated policies and procedures covering all aspects of information governance.

 

Your Rights

Under the UK General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.

When you view a link in our ‘Use of Personal and Sensitive Information’ section, we have highlighted which rights apply and which may not. The following should help you understand why some may not apply.

Examples of where rights may not apply - where our lawful basis is:

  • Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller - then rights of erasure, portability do not apply.
  • Legal Obligation - then rights of erasure, portability, objection, automated decision making and profiling do not apply.

If you require further detail, each link below will take you to the Information Commissioner’s Office’s website, where further detail is provided in the section ‘When does the right apply.’

These rights are:

 

 

Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

You have the right to be informed about how your information is used.

Supporting these rights, patients in England also have the right under the NHS Constitution to request that their personal confidential data is not used for reasons other than their individual care and treatment. The process for applying this right is called the ‘National Patient Data Opt-out’. This gives patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes.

However, there are exemptions to this. The national patient data opt-out applies unless:

  • There is a mandatory legal requirement or an overriding public interest for the data to be shared e.g. Adults and Children safeguarding;
  • The individual has consented to the sharing of their data; or
  • Where the data is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice on Anonymisation.

To be compliant with the national data opt-out policy the ICB has put procedures in place to review uses or disclosures of confidential patient information against the national data opt-out operational policy guidance.

If you believe the ICB is using your personal information in a way you would object to or contrary to your National Patient Data Opt-Out request, you have the right to object and have your objections considered and, where your wishes cannot be followed, to be told the reasons including the legal basis.

Further details of the national patient data opt-out can be found here: https://www.nhs.uk/your-nhs-data-matters/

 

Queries and Complaints

If you would like to exercise any of your rights under the UK General Data Protection Regulation or Data Protection Act 2018, including access to the information we hold about you, or you have any questions or complaints regarding the information we hold about you, please contact us at the address below.

Address:          NHS South Yorkshire Integrated Care Board

                        Darnall, Sheffield S9 4EU

Email:              syicb-sheffield.icbsubjectaccessrequests@nhs.net

For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about our handling of your information you can contact:

The Information Commissioner

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Phone: 0303 1231113 or 01625 54 57 45

Website: https://ico.org.uk/