Who we are and what we do
Crawley / Horsham and Mid Sussex Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services.
This is known as commissioning. As Commissioners we need to use information about you to enable us to do this effectively, efficiently and safely, and to monitor the performance of these services. For further information please refer to the ‘About Us’ section.
What is this Fair Processing Notice about?
This Fair Processing Notice (FPN) is part of our programme to make it transparent as to what data processing activities we carry out in order to meet our commissioning obligations.
This FPN tells you about information we collect and hold about you, what we do with it, how we keep it secure (confidential), who we might share it with and what your rights are in relation to your information.
How do we keep your information confidential and safe?
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence cannot normally be disclosed without your consent. However there are circumstances which may override this duty of confidence, for example where a disclosure is ordered by the courts.
The NHS Confidentiality Code of Practice requires all our staff to protect your information, tell you how it will be used, and allow you to decide if, and how, it can be shared.
We are also required to comply with other legislation relating to the use of personal information, such as the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
Who is Responsible for Looking after your data?
The individuals appointed to the following roles are responsible for all information about you held by the CCG, whether you are a patient, service user, member of staff, or member of the public.
Senior Information Risk Officer (SIRO): A Senior Information Risk Officer (known as a SIRO) is responsible for ensuring that your information is handled securely. Crawley CCG’s SIRO is:
Data Protection Officer (DPO): We have a Data Protection Officer who is a Data Protection and Information and Cyber Security expert, reporting directly to the highest level of management within the CCG.
The DPO acts independently and is responsible for informing and advising the CCG and our staff of their obligations under the existing and forthcoming Data Protection related law. The DPO is also responsible for awareness-raising, staff training, the provision of advice and monitoring the CCG’s compliance with all European and UK data protection law and the CCG’s data protection related policies. Crawley CCG’s DPO is:
Caldicott Guardian: A Caldicott Guardian is responsible for making sure that your information is handled properly in line with your rights and the law. They ensure information is shared appropriately, effectively acting as the conscience of the organisation.
Crawley CCG’s Caldicott Guardian is: Dr Laura Hill - CCCG.ContactUs-CrawleyCCG@nhs.net Tel: 01883 772800
Information Governance Team: Information Governance services are provided to East Surrey CCG by South Central and West Commissioning Support Unit (SCW CSU). The CSU Information Governance Team is responsible for supporting the Caldicott Guardian, Senior Information Risk Officer and the Data Protection Officer in ensuring that your personal information is collected, used and shared appropriately, securely and in line with the law.
Information Governance Team (East Surrey CCG): email@example.com - Tel: 02380 627453
What kind of information do we use?
We use the following types of information/data:
- identifiable - containing details that identify individuals, such as NHS number, date of birth, name, address, etc.
- pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code
- anonymised - about individuals but with identifying details removed
- aggregated - anonymised information grouped together so that it doesn't identify individuals
What do we use anonymised data for?
We use anonymised data to plan health care services. Specifically we use it to:
- check the quality and efficiency of the health services we commission
- prepare performance reports on the services we commission.
- work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future – this is also called Risk Stratification
- review the care being provided to make sure it is of the highest standard
Risk stratification is a process that uses de-identified personal data from health care services to determine which people are at risk of experiencing certain outcomes, such as unplanned hospital admissions.
Data Processing activities for Risk Stratification
Risk stratification tools are used by CCGs to analyse the overall health of a population using data which is anonymised in line with the Information Commissioner's Office (ICO) Anonymisation Code of Practice. The combined CCGs Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks.
The CCG has commissioned NHS South, Central and West Commissioning Support Unit (SCWCSU) to provide the risk stratification software solution on behalf of itself and its GP practices.
This processing takes place under contract following the below steps:
- NHS Digital has a legal obligation to obtain data from providers of NHS care such as the local hospital or community hospital. This data is then sent to the SCWCSU DSCRO and amended so that only your NHS number could identify you. The data is then provided to SCWCSU for processing in the risk stratification software. The CCG has signed a Data Sharing Contract with NHS Digital for the use of this data, called Secondary Use Services (SUS) data.
- Your GP practice enables an organisation called Graphnet Healthcare, to extract data from your records which again, is only identifiable by your NHS Number. This data will only be extracted and provided to SCWCSU for those patients that have not objected to Risk Stratification or where no other type of objection to information sharing has been recorded on your record. The data, containing the same verified NHS numbers, are sent via secure transfer, directly to SCWCSU by Graphnet.
- SCWCSU then link both sets of data using their risk stratification software. An algorithm is run on the data to generate a risk score for each Patient. The CCG is able to see data only after your NHS number has been removed and replaced by a pseudonymised reference. Your GP will be able to see the data with your NHS number in it so that it can identify if you require further support from them to manage your healthcare needs.
The risk scores are only made available to authorized users within the GP Practice where you are registered via a secure portal managed by SCWCSU.
If you do not wish information about you to be included in the risk stratification programme please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to October 2018 which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
CCGs and GPs use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions. Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.
Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
What do we use your sensitive and personal, ‘identifiable’ information for?
There are some limited exceptions where we may hold and use sensitive personal information about you. For example the CCG is required by law to perform certain services that involve the processing of sensitive personal information.
The areas where we regularly use sensitive personal information include:
- a process where you or your GP can request treatments that are not routinely funded by the NHS, which are known as Individual Funding Requests
- assessments for continuing healthcare and appeals
- responding to your queries, compliments or concerns
- assessment and evaluation of safeguarding concerns
- where there is a provision permitting the use of sensitive personal information under specific conditions, for example to: understand the local population needs and plan for future requirements, which is known as “Risk Stratification for commissioning”; ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”; monitor access to services, waiting times and particular aspects of care, for which the CCG is considered to be an “accredited safe haven”.
Sensitive personal information may also be used in the following cases:
- the information is necessary for your direct healthcare
- CCGs responding to patients, carers or Member of Parliament communication
- you have freely given your informed agreement (consent) for us to use your information for a specific purpose
- there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
Do you share my information with other organisations?
We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.
The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre), with ways of collecting and using patient data that cannot identify a person, to help Commissioners to design and procure the combination of services that best suit the population they serve.
We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices.
NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how we look after information for more detailed documentation.
NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.
Details of data linkage with other datasets
Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.
We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We share sensitive information with the following organisations:
We share anonymised data with the following organisations:
What are your rights?
Where information from which you can be identified is held, you have the right to ask to:
- view this or request copies of the records by making an Individual Rights Request
- request information is corrected
- have the information updated where it is no longer accurate
- ask to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive
What safeguards are in place to ensure data that identifies me is secure?
We only use information that may identify you in accordance with the Data Protection Act 2018 and General Data Protection Guidelines (GDPR). These laws require us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website. You can search by our CCG name or ICO Data Protection Register number Z3563040
How long do you hold confidential information for?
All records held by the CCG will be kept for the duration specified by national guidance from the Department of Health: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
Gaining access to the data we hold about you
The CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to your GP Practice, the hospital or NHS Organisation which provided your health care.
Everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data, and it is free to access.
If you wish to have a copy of any information the CCG may hold about you, you may submit a Subject Access Request (SAR); this is free of charge.
To make the request in writing, please contact:
The Information Governance Manager
Crawley Clinical Commissioning Group
Crawley Hospital, West Green Drive
What if I don’t want information about me shared with others?
If you do not want your information to be used for purposes beyond providing your care you can choose to opt out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices.
There are two types of opt-outs available at different levels. These include:
Type 1 opt-out
If you do not want personal confidential information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.
Type 2 opt-out
NHS Digital collects information from many places where people receive care, such as GPs, hospitals and community services.
To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care; this is known as a 'Type 2 opt-out'.
If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.
Patients are only able to register the opt-out at their GP practice.
Further Information and Support about Type 2 opt-outs:
For further information and support relating to Type 2 opt-outs please contact NHS Digital on:
Tel: 0300 303 5678
Alternatively visit the website http://content.digital.nhs.uk/article/7092/Information-on-type-2-opt-outs
What is the right to know?
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
What sort of information can I request?
In theory, you can request any information that Crawley CCG holds that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act 20 under FOIA. However, you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.
How do I make a request for information?
Your request must be in writing and can be either posted or emailed to:
Post: Crawley CCG, Crawley Hospital, West Green Drive, Crawley, West Sussex, RH11 7DH
We use NHS South, Central and West Commissioning Support Unit, which is part of the NHS, to process our freedom of information requests; however, all responses will be carried out by the CCG. If you have any concerns about this process or would like further information please contact a member of the FOI team at the address above.
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Visit the ICO website.
Complaints or questions
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact us.