Purpose and details of activity

To process your personal information if it relates to a query or complaint where you have asked for our help or involvement, and to monitor the level of service we provide.

We usually have to disclose the complainant’s identity to whoever the complaint is about in order to investigate and respond.  If a complainant does not want identifiable information to be disclosed, we will try and respect that.  However, it may not be possible to handle a complaint on an anonymous basis.

Source of information

Data subject, primary care, secondary care, community care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a).  Other (UK General Data Protection Regulation Article 9 (2) (a)).

Before we can respond to your complaint, our Complaints Officer will obtain your explicit consent to investigate.

Purpose and details of activity

To process your personal information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs), or where you have decided to appeal against a funding decision we have made.  This is a national process using standard information collection tools.  We will use the information you provide and may request further information from other care providers to identify eligibility for funding.  If agreed, arrangements will be made to provide and pay for the agreed funding packages with appointed care providers.

Source of information

Data subject/family members/legal representative, primary care, secondary care, local authority, community care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e) to process the data for the claim.  UK GDPR Article 6 (1) (a) to meet our obligations under the Common Law Duty of Confidentiality.  Other (UK General Data Protection Regulation Article 9 (2) (h)).

When you submit your claim form, your information will be processed to determine eligibility.  Your initial assessment will be carried out by a clinical professional who will obtain your consent to ensure we meet our obligations under Common Law.

Purpose and details of activity

To make an assessment for funding eligibility where you or your GP have requested special treatments that are not routinely funded by the NHS.

Source of information

Data subject, primary care and secondary care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a).  Other (UK General Data Protection Regulation Article 9 (2) (a)).

The clinical professional who first identifies that you may need the treatment will obtain your explicit consent and will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care.

Purpose and details of activity

To provide advice and guidance to care providers to ensure that adult and children’s safeguarding matters are managed appropriately.  This may mean accessing identifiable information in limited circumstances where it is required for the safety of the individuals concerned.

Source of information

Primary care, secondary care, community care, member of the public or staff member

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

• Care Act 2012;
• Data Protection Act 2018, Amendment 85

Purpose and details of activity

To process your information where you have asked us to keep you regularly informed and up to date on the work of the CCG, or if you are actively involved in our engagement and consultation activities or patient participation groups.

Source of information

Data subject

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a).

We will ask for your consent before collecting and storing your contact details.  You will be able to change your mind at any time by writing to us at the address provided or emailing us.

Purpose and details of activity

CCGs collaborate closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection.

CCGs lead the post infection reviews in accordance with the circumstances set out in the Post Infection Review Guidance, issued by NHS England.  They will then use the results of the post infection review to inform the mandatory healthcare associated infections reporting system.

Source of information

Primary care, secondary care, community care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

• Health and Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015)
• Section 251* NHS Act 2006

Purpose and details of activity

CCGs are accountable for effective governance and learning from all serious incidents, and work closely with staff and with provider organisations to ensure that serious incidents are reported and managed appropriately.  The Francis Report (February 2013) emphasised that commissioners, as well as providers, should have a primary responsibility for ensuring quality.

Source of information

Primary care, secondary care, community care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

• Serious Incident Framework 2015

Purpose and details of activity

CCG pharmacists work with GP practices to provide advice on medicines and prescribing queries, and to review prescribing of medicines to ensure that it is safe and cost-effective.  The NHS number is used by our pharmacists in order to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded.  CCG pharmacists will also work with the risk team to provide advice on drug related deaths.

Source of information

Primary care, secondary care, community care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a) (e).  Other (UK General Data Protection Regulation Article 9 (2)(h)).

Statutory legal obligation:

• Misuse of Drugs Act 1971, amended 2012
• Medicines Act 1968
• Human Medicines Regulations 2012

Where a request is made for a high cost drug which is not routinely funded, consent will be obtained on a case by case basis in order to assess your needs and reach a funding decision.

Purpose and details of activity

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.  Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.  Your GP or staff within your GP Practice who are responsible for providing your care can see information that identifies you, but CCG staff will only be able to see information in a format that does not reveal your identity.

NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.  Knowledge of the risk profile of our population helps the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.  NHS Dorset CCG does not currently use risk stratification tools, but may at some point in the future.

Source of information

Primary care, secondary care and community care

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

• Section 251* NHS Act 2006.

Purpose and details of activity

Before paying an invoice for healthcare treatment, we will need to be sure that we, and not another CCG, are responsible for your treatment costs as well as checking to ensure that the amount that is being invoiced is correct.  This process is known as invoice validation.  We use the NHS number within a special secure area known as a Controlled Environment for Finance (CEfF) to validate the invoices, so that the organisations that have provided care for you can be paid.

Source of information

Primary care, secondary care, commissioned services, NHS Digital, South Central and West Commissioning Support Unit (CSU)

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

• Section 251* NHS Act 2006.  NHS Constitution (Health and Social Care Act 2012)

Purpose and details of activity

Hospitals and community organisations that provide NHS funded care must submit certain information to NHS Digital about services provided to our service users.  This information is generally known as commissioning datasets.  Dorset CCG obtains these datasets from NHS Digital via Data Services for Commissioners Regional Offices (DSCRO) and they relate to service users registered with GP Practices that are members of the CCG.

These datasets include data from a variety of sources listed below:

• Secondary Uses Services (SUS) for commissioners, this includes secondary care, community care and mental health providers in an inpatient, outpatient and emergency department setting;
• National Data Sets for community and mental health services. Including mental health minimum data set, mental health and learning disabilities data set, improving access to psychological therapies data set, children and young people health, mental health services data set, community services data set;
• National Performance Data Sets including cancer waiting times monitoring, referral to treatment monitoring, emergency department waiting times;
• Local Provider Flows including acute, ambulance, community, demand for service, diagnostic services, emergency care, experience quality and outcomes, mental health, population data, primary care services, public health and screening services, diagnostic imaging, maternity services.

The data we receive does not include patients’ names, dates of birth or home addresses, but may include information such as your NHS number.

When analysing current health services and proposals for developing future services, it is sometimes necessary to link separate individual data sets to be able to produce a comprehensive evaluation.

In some cases, there may also be a need to link local data sets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc. as well as mental health and community based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc.  When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

Source of information

NHS Digital via South Central and West Commissioning Support Unit

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

You can choose to opt-out of your personal information being used for secondary uses such as planning of health services by accessing the following link:  nhs.uk/your-nhs-data-matters.

Purpose and details of activity

NHS Dorset CCG is required by law to protect the public funds it administers.  We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.  The Cabinet Office is responsible for carrying out the National Fraud Initiative and required the CCG to participate in any data matching exercise to assist in the prevention and detection of fraud.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how they match.  This is usually personal information.  Computerised data matching allows potentially fraudulent claims and payments to be identified.  Where a match is found it indicates that there is an inconsistency that requires further investigation.  No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Source of information

Source of information National Fraud Initiative team at the Cabinet Office

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (c).  Other (UK General Data Protection Regulation Article 9 (2) (b)).

Statutory legal obligation:  part 6 of Local Audit and Accountability Act 2014

Purpose and details of activity

To process potential and existing employee information for the purpose of staff recruitment, payroll and pension.

To process employee information for the purposes of employee relations, including the use of employee photographs for identification purposes, monitoring staff performance through appraisals and personal development reviews, monitoring training records, managing absence and sickness and ensuring fitness to return to work.

Source of information

Data subject, recruitment agencies, occupational health

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (b).  Other (UK General Data Protection Regulation Article 9 (2) (b)).

Performance of a contract: we need to share your personal data with our payroll provider in order to fulfil the employment contract and pay employees for work undertaken.

UK General Data Protection Regulation Article 6 (1) (c).  Other (UK General Data Protection Regulation Article 9 (2) (b)).

Statutory legal obligation: we are legally required to auto-enrol eligible employees into our pension scheme.  Additionally, we are required to process some employee data under employment law, health and safety legislation and tax legislation.

UK General Data Protection Regulation Article 6 (1) (a).  Other (UK General Data Protection Regulation Article 9 (2) (a)).

Consent:  we will ask for your consent before collecting and storing your personal details or photographs and you will be provided with a privacy notice explaining why we need to collect your information.

Section 251 of the NHS 2006 Act provides a mechanism which can enable to use of confidential information for certain purposes that would otherwise be unlawful, through and application made to the Confidentiality Advisory Group (CAG).

The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority and the Secretary of State for Health on whether an application to process patient information without consent should be approved.  The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006.  This includes medical research and the management of health and social care services.   Where consent has been used, you can change your mind at any time and write to us at:

Data Protection Advisory Team

NHS Dorset Clinical Commissioning Group

Vespasian House

Barrack Road

Dorchester

DT1 1TG