How we use your information

Show sub-pages

Our uses of information

Although this is not an exhaustive detailed listing, here we list key examples of the purposes and rationale for why we collect and process information.

Complaints

To process your personal information if it relates to a complaint where you have asked for our help or involvement.

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
We will need to rely on your explicit consent to undertake such activities.

Complaint Processing Activities
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Funding treatments

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

This may be called an Individual Funding Request (IFR).

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent.

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.

Safeguarding

We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
Because of public Interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.

Summary Care Records

The NHS uses an electronic record called the Summary Care Record (SCR) to support patient care. The SCR is a copy of important information from your GP record. It provides authorised care professionals with faster, secure access to essential information about you when you need care.

Whenever a care professional accesses your SCR a log is kept.

Data Type
Personal Confidential Data – Primary Care Data

Legal Basis
Healthcare staff will ask your permission before they look at your record, except in certain circumstances (for example, if you are unconscious). We will rely on your consent for this purpose.

Read more about the Summary Care Record and opting out.

Risk Stratification

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Data Type
Personal Confidential Data and Pseudonymised – may include Primary and Secondary Care Data

Legal Basis
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017.

Commissioning Benefits
Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease.

NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to support quality improvement in partnership with our GP practices.

Data Processing activities for Risk Stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission.

The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

The CCG has commissioned South, Central & West Commissioning Support Unit (SCWCSU) to conduct risk stratification on behalf of itself and its GP practices.

The service provider that are our data processors for Risk Stratification purposes is SCWCSU.

This processing for risk stratification takes place under contract with SCWCSU has following these steps below:

  • The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and has signed an NHS Digital data sharing contract for the SUS (secondary care/hospital) data. 
  • SCWCSU uses a nationally validated formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to SCWCSU. 
  • The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.
  • This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice.

They can add a code to your records that will stop your information from being used for this purpose.

Read more about risk stratification

Invoice processing

A small amount of information that could identify you is used within a secure area, known as a Controlled Environment for Finance (CEfF), so that the organisations that have provided you with care/treatment are reimbursed correctly, this is known as Invoice Validation.

This controlled area is currently within the SCWCSU but is in the process of transferring to the CCG.

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data

Legal Basis
A Section 251 exemption enables us to process patient identifiable information without patient consent for the purposes of invoice validation.

Section 251 applications are approved by the Secretary of State for Health, who imposes tight conditions on what information can be processed and by whom.

On behalf of CCGs, NHS England made a Section 251 application, which was approved by the Secretary of Health for invoice validation, and extended until 31 March 2017 to allow time for systems to be established to ensure that personal confidential data is processed lawfully.

Read more about Section 251

Commissioning Benefits
Where we pay for care we may ask for evidence before paying. In such instances, we may use your personal confidential data to ensure that we are paying the right organisation the right amount for the right service(s) to the right people.

Processing Activities
We take relevant organisational and technical measures to ensure the information we hold is secure, restricting access to information to authorised personnel and protecting personal/confidential information held on equipment such as computers with passwords/encryption.

The minimum amount of information about you is used and we will only use personal identifiable information when absolutely necessary.

NHS Shared Business Services (SBS), based in Wakefield, are involved in the processing of the majority of our invoices on a daily basis. 

You can find out more about them at Shared Busines Services.  

SBS provide this service via a contract with NHS England, which requires them to meet information governance standards.

SBS receive invoices from suppliers of goods and services to process on behalf of the CCG. They do not need and should not receive any patient confidential data to do this.

For other invoices, the invoice validation process may currently involve us occasionally using your name or initials.

Where possible, we use GP Practice codes (each GP Practice has one and use of this confirms services are being provided to our patients) and/or another agreed identifier which does not include personal confidential data.

Commissioners, like Bristol CCG, have a duty to detect, report and investigate any incidents where there has been a breach of confidentiality.

If we receive any invoices with personal confidential data on we have a responsibility to work with suppliers to ensure that invoices from them do not breach patient confidentiality.

NHS England has published guidance on how invoices must be processed.

Patient and Public Involvement

If you have asked us to keep you informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Data Type
Personal Confidential Data – may minimal include Primary and Secondary Care Data that you have provided to us.

Legal Basis
We will rely on your consent for this purpose.

Benefits
Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this notice.

Bristol Referral Service

The Bristol Referral Service is a team of local clinicians and administrators who support your GP in finding the best care available for you.

The Service will process information about patients in order to advise GPs, makes referrals and suggest treatments.

Bristol Referral Service

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
Our legal basis for processing information for this purpose is implicit consent as it is directly linked to the provision of care, wherever possible the clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to provide this service.

Connecting Care

Connecting Care is a local, electronic record allowing health and social care professionals who are directly involved in your care, to share a summary of information about you. It enables them to coordinate your care more efficiently.

Connecting Care contains Personal Confidential Data which is identifiable, it is only available in health settings across Bristol, North Somerset and South Gloucestershire and can only be accessed by authorised staff with a legitimate legal basis.

Connecting Care only shares:

  • who is involved in your care
  • any allergies you have
  • your medications
  • recent appointments you have attended 
  • diagnoses

The CCG will only access information on Connecting Care for direct care or safeguarding purposes.

Connecting Care

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

Legal Basis
We will rely on a statutory basis rather or consent to process information for this use. Each time a record is accessed the user must state their legal basis for accessing the record.

Commissioning

To collect NHS data about service users that we are responsible for.

Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis
Our legal basis for collecting and processing information for this purpose is statutory.

Processing Activities
Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.

This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets.

They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found at NHS Digital.

Read more about how this data is collected and used by NHS Digital

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:

  • Performance managing contracts; 
  • Reviewing the care delivered by providers to ensure quality and cost effective care; 
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement; 
  • To help us plan future services to ensure they meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice; 
  • To audit NHS accounts and services.

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

For other Organisations to provide support services for us

The CCG will use the services of the additional data processors, who will provide further expertise to support the work of the CCG:

Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis
We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:

  • NHS South, Central and West Commissioning Support Unit: Risk Stratification, Invoice Validation, Commissioning Intelligence analysis (add value to the analyses of data that does not directly identify individuals)
  • NHS South Gloucestershire CCG / NHS North Somerset CCG / NHS Somerset CCG (shared services)
  • Audit South West: Audit our accounts and services (add value to the analyses of data that does not directly identify individuals)
  • NHS Litigation Authority – Claims Management (we rely on your consent)
  • ShredIt - Confidential Waste Disposal Company used by the CCG to shred information in a secure environment 
  • NHS Shared Business Service –Invoice Validation (see page 10)
  • Bristol City Council – Jointly commission services, safeguarding (individuals not identified)

Benefits
These organisations are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us. 

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do.

Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

National registries

Data Type
Personal Confidential Data – may include Primary and Secondary Care Data.

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Research

To support research oriented proposals and activities in our commissioning system

Data Type
Personal Confidential Data, Pseudonymised Data, Anonymous Data – may include Primary and Secondary Care Data.

Legal Basis
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

Benefits
Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Processing Activities
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.