Our uses of information

These are the key scenarios when we might use your data and information, the reason we do so and some information about how we go about using it.

Complaints

What we do

When we receive a complaint from somebody we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, in some cases it might not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

What we use

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
We will need to rely on your explicit consent to undertake such activities.

Funding treatments

What we do

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This might be called an Individual Funding Request (IFR).

What we use

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process. They’ll tell you what we need in order for us to assess your needs and commission your care, and will gain your explicit consent.

Continuing Healthcare

What we do

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.

What we use

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

Safeguarding

What we do

We collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
Because of public interest issues – for example, to protect the safety and welfare of vulnerable children and adults – we will rely on a statutory basis rather than consent to process information for this use.

Summary Care Records

What we do

The NHS uses an electronic record called the Summary Care Record (SCR) to support patient care. The SCR is a copy of important information from your GP record. It provides authorised care professionals with faster, secure access to essential information about you when you need care. A log is updated whenever a care professional accesses your SCR.

What we use

Data Type
Personal Confidential Data – Primary Care Data

Legal Basis
Healthcare staff will ask your permission before they look at your record, except in certain circumstances (for example, if you are unconscious). We will rely on your consent for this purpose.

Read more about the Summary Care Record and opting out.

Risk Stratification

What we do

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. Typically, this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease.

What we use

Data Type
Personal Confidential Data and Pseudonymised – may include Primary and Secondary Care Data

Legal Basis
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.

Commissioning Benefits
NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.

Knowledge of the risk profile of our population will help us to commission appropriate preventative services and to support quality improvement in partnership with our GP practices.

Data Processing activities for Risk Stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission.

We will use pseudonymised information to understand the local population needs. GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

We have commissioned South, Central & West Commissioning Support Unit (SCWCSU) to conduct risk stratification on behalf of itself and its GP practices.

We use SCWCSU as our data processors for risk stratification. They use the following steps:

  • We ask NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and sign an NHS Digital data-sharing contract for the SUS (secondary care/hospital) data.
  • SCWCSU uses a nationally validated formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to SCWCSU. 
  • The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.
  • This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish for information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Read more about risk stratification

Invoice processing

What we do

A small amount of information that could identify you is used within a secure area, known as a Controlled Environment for Finance (CEfF). This is so that the organisations that have provided you with care or treatment are reimbursed correctly – known as Invoice Validation. This controlled area is within the CCG.

What we use

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data

Legal Basis
A Section 251 exemption enables us to process patient identifiable information without patient consent for the purposes of invoice validation.

Section 251 applications are approved by the Secretary of State for Health, who imposes tight conditions on what information can be processed and by whom.

On behalf of CCGs, NHS England made a Section 251 application, which was approved by the Secretary of Health for invoice validation, and extended until 31 March 2017 to allow time for systems to be established to ensure that personal confidential data is processed lawfully.

Read more about Section 251

Commissioning Benefits
Where we pay for care we may ask for evidence before paying. In such instances, we may use your personal confidential data to ensure that we are paying the right organisation the right amount for the right service(s) to the right people.

Processing Activities
We take relevant organisational and technical measures to ensure the information we hold is secure, restricting access to information to authorised personnel and protecting personal/confidential information held on equipment such as computers with passwords/encryption.We use the minimum amount of information about you and we’ll only use personal identifiable information when absolutely necessary.

NHS Shared Business Services (SBS), based in Wakefield, are involved in the processing of the majority of our invoices on a daily basis. 

You can find out more about them at Shared Busines Services.  

SBS provide this service via a contract with NHS England, which requires them to meet information governance standards.

SBS receive invoices from suppliers of goods and services to process on behalf of the CCG. They do not need and should not receive any patient confidential data to do this.

For other invoices, the invoice validation process may currently involve us occasionally using your name or initials.

Where possible, we use GP Practice codes (each GP Practice has one and use of this confirms services are being provided to our patients) and/or another agreed identifier which does not include personal confidential data.

Commissioners, like us, have a duty to detect, report and investigate any incidents where there has been a breach of confidentiality. If we receive any invoices which include personal confidential data we have a responsibility to work with suppliers to ensure that the invoices do not breach patient confidentiality.

NHS England has published guidance on how invoices must be processed.

Patient and public involvement

What we do

If you have asked us to keep you informed and up to date about our work or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us. We will only use your information for involvement purposes. You can opt out at any time by contacting us.

What we use

Data Type
Personal Confidential Data – may minimal include Primary and Secondary Care Data that you have provided to us.

Legal Basis
We will rely on your consent for this purpose.

Bristol Referral Service

What we do

The Bristol Referral Service is a team of local clinicians and administrators who support your GP in finding the best care available for you. The Service will process information about patients in order to advise GPs, makes referrals and suggest treatments.

What we use

Data Type 
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
Our legal basis for processing information for this purpose is implicit consent as it is directly linked to the provision of care. Wherever possible the clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to provide this service.

Connecting Care

What we do

Connecting Care is a local, electronic record allowing health and social care professionals who are directly involved in your care to share a summary of information about you. It enables them to coordinate your care more efficiently.

Connecting Care contains Personal Confidential Data which only available in health settings across Bristol, North Somerset and South Gloucestershire. It can only be accessed by authorised staff with a legitimate legal basis.

Connecting Care only shares:

  • who is involved in your care
  • any allergies you have
  • your medications
  • recent appointments you have attended 
  • diagnoses

We will only access information on Connecting Care for direct care or safeguarding purposes.

What we use

Data Type 
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
We will rely on a statutory basis rather or consent to process information for this use. Each time a record is accessed the user must state their legal basis for accessing the record.

Commissioning

What we do

We collect NHS data about service users that we are responsible for to inform what we commission. Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.

This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.

What we use

Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis
Our legal basis for collecting and processing information for this purpose is statutory.

Processing Activities
These datasets are used in a format that does not directly identify you. They’re used for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

They include information about the service users who have received care and treatment from those services that we are responsible for funding. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found at NHS Digital.

Outcomes Based Healthcare (OBH) are a company that we are using to process data for these purposes. OBH will feed this data into a dashboard to show, at population level, whether services are meeting patients’ needs.

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:

  • Performance managing contracts; 
  • Reviewing the care delivered by providers to ensure quality and cost effective care; 
  • To prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; 
  • To help us plan future services to ensure they meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice; 
  • To audit NHS accounts and services.

If you do not wish your information to be included in these datasets – even though it does not directly identify you – please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

When other organisations provide support services

What we do

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:

  • NHS South, Central and West Commissioning Support Unit: Risk Stratification, Invoice Validation, Commissioning Intelligence analysis (add value to the analyses of data that does not directly identify individuals)
  • NHS South Gloucestershire CCG / NHS North Somerset CCG / NHS Somerset CCG (shared services)
  • Audit South West: Audit our accounts and services (add value to the analyses of data that does not directly identify individuals)
  • NHS Litigation Authority – Claims Management (we rely on your consent)
  • ShredIt - Confidential Waste Disposal Company used by the CCG to shred information in a secure environment 
  • NHS Shared Business Service –Invoice Validation (see page 10)
  • Bristol City Council – Jointly commission services, safeguarding (individuals not identified).

What we use

Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. These organisations can only use your information for the service we have contracted them for. They cannot use it for any other purpose.

National registries

What we do

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

What we use

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Research

What we do

Sometimes crucial research projects use information about patients to help inform studies. This information would never reveal who you are. Researchers provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

Summary Care Records

The Summary Care Record (SCR) is a secure national electronic record, enabling doctors and health specialists to access information about you that could be vital in an emergency or out-of-hours situation.

Connecting Care

Connecting Care is a local electronic patient record that allows health and social care professionals directly involved in your care to share a summary of your medical record.

NHS care.data is now closed

NHS care.data is a national information-sharing project managed by the Health and Social Care Information Centre (HSCIC).