Privacy policy

NHS Calderdale Clinical Commissioning Group Fair Processing Notice

The new General Data Protection Regulation (GDPR) came into place on the 25th May 2018. This legislation replaces the previous data privacy law, giving more rights to you as an individual and more obligations to organisations holding your personal data.

This privacy notice has been updated and tells you what to expect when the Clinical Commissioning Group collects personal information, the legal basis on which we are using it and the rights that you have in relation to the way that we use it.

Who we are

The CCG is made up of the 25 GP practices that are based in Calderdale. Led by GPs and nurses, we work together with patients and GP practices in your area to ensure the right NHS services are in place to support your health and wellbeing. We call this commissioning.

NHS Calderdale Clinical Commissioning Group plans and pays for health and care services for local people.

The CCG also manages the performance of services that it commissions to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about those services.

The CCG is registered as a Data Controller with the Information Commissioner’s Office (the regulator for data protection). Our notification entry sets out further information about why we process personal information. Our notification reference number is: Z3581562.

The Data Protection Officer (DPO) for Calderdale CCG can be contacted at:

Data Protection Officer NHS Calderdale CCG

NHS Calderdale Clinical Commissioning Group (CCG):
2nd Floor, Westgate House, Westgate Halifax HX1 1PW

calccg.committee@nhs.net

01422 307400

The role of the Data Protection Officer is to inform and advise the organisation and its employees about their obligations to comply with the current data protection legislation, monitor compliance with the legislation, manage internal data protection activities, advise on data protection impact assessments, ensure staff training is in place and that the CCG audits its data processing activity. The Data Protection Officer is also the first point of contact for the supervisory authority and for individuals whose data is processed.

What information does the CCG collect?

For most of its work, the CCG does not need to process information that might identify you; instead, wherever possible, it uses anonymised information. When information about you is made completely unidentifiable it falls out of the scope of the General Data Protection Regulation.

However, sometimes the CCG may need to use your personal information. You can read details of how and when this may take place below:

Visitors to our website

When someone visits our website (www.calderdaleccg.nhs.uk) we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.

By entering your details or sending us an email, you enable the CCG to provide you with the services you select. Any information you provide will only be used by the CCG, and will not be shared with any external agencies unless we either gain your consent or have a legal obligation to provide the information.

Coronavirus and your information

Updated on 3rd August 2020

This notice describes how we may use your information to protect you and others during the Coronavirus outbreak. It supplements our main Privacy Notice which is available [here].

The health and social care system is facing significant pressures due to the Coronavirus outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations (such as CCGs), and GPs to share confidential patient information to respond to the Coronavirus outbreak. Any information used or shared during the Coronavirus outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.

During this period of emergency, opt-outs will not generally apply to the data used to support the Coronavirus outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential information with other health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.

We will hold your personal information securely and it is subject to strict controls that meet the requirements of data protection legislation.   

Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. 

You can find out more about how your information is supporting the Coronavirus response here.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Staff coronavirus testing privacy notice

What is it? Coronavirus testing of keyworkers

Data Controller: Calderdale CCG

Purpose: You have been invited to undertake a coronavirus priority virus test because you or someone in your household is an essential worker and is currently following government guidelines on self-isolation.

The test will confirm whether you currently have coronavirus. This is so that you can:
• take the right steps to look after yourself
• protect others
• know if you’re fit and well to return to your critical role
• potentially reduce the amount of time you have to self-isolate for

Essential worker testing for coronavirus is being undertaken by Locala Community Partnerships CIC (Locala) across the Calderdale, Kirklees and Wakefield footprint.

We will be receiving your information via an online application form, which you will complete. We will then contact you via telephone to validate your eligibility for the coronavirus priority virus test. Once validated, your information will then be sent to Locala in order for them to allocate a time for your test. Locala will contact you by telephone to book an appointment with you.

Lawful basis: The CCG’s legal basis for processing personal data under GDPR is article 6(1)(e) – public task

For the processing of special categories data, the legal basis is article 9(2)(h) – the provision of health treatment and management of a health and social care system

Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes

Personal information used: name, telephone number, email address, the organisation you are employed by.

Special Category: whether it is you, or a member of your family that is displaying coronavirus symptoms and requiring testing. We will also ask if you are unable to attend the drive through testing site, in order to facilitate home testing where required.

We do not receive personal details of your family members who may need testing, and we do not receive test results as these are sent to you directly.

Who we will share the information with (recipients): We share your information with Locala who are co-ordinating the testing on behalf of the CCG. For details of how Locala will use your information, please see Locala’s privacy notice.

Coronavirus testing is being carried out across England and has been commissioned by The Department of Health and Social Care (DHSC). You can find out how your information will be used by DHSC in their coronavirus privacy notice.

We will store the information safely before sending to Locala using secure email.

Do we use any processors: We are not using any data processors.

Locala are working in partnership with a chosen laboratory to carry out testing and the testing sample will be sent by secure courier to the laboratory.

How we collect (the source) and use the information: You will provide us with your information by completing the online application form.

How long we will keep the information: Your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means we will keep your information for up to 8 years before we dispose of it – reference https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/testing-for-coronavirus-privacy-information.

Your Rights: With regards to this process, under GDPR you have the right:
• To be informed about the processing of your information (this notice)
• Of access to the information held about you
• To have the information corrected in the event that it is inaccurate
• To restrict or stop processing
• To object to it being processed or used
• Not to be subject to automated decision-taking or profiling
• To be notified of data breaches

Staff Privacy Notice – National Flu Immunisation Programme for Health and Social Care Workers

What is it?

National Flu Immunisation Programme for Health and Social Care Workers

Data Controller: NHS Calderdale CCG

Purpose

Annual vaccination against influenza (flu) is recommended for all health and social care workers to help reduce the risk of contracting the virus and transmitting it to patients, service users, colleagues and family members.

Vaccination also helps reduce sickness absences and contributes to keeping the NHS and care services running through winter pressures.

We will collect your personal details for the purpose of the administration of the flu vaccination programme offered to all CCG staff. The purpose of use includes understanding how many vaccinations will be required, booking your vaccination appointment, and understanding the number of people who have had the vaccination within the organisation.

Where you have arranged to receive the flu vaccination independently, e.g. from a local pharmacy, we request you share this information with the HR Team in order to monitor uptake. If you claim the cost of the vaccination through the CCG expenses system then you will need to provide a receipt so that Payroll can process the expense.

Lawful basis

The CCG’s legal basis for processing personal data under GDPR is Article 6(1) f – Legitimate interest.

For the processing of special category data, the legal basis is Article 9(2) h – Preventive or occupational medicine.

Personal information used

Your name, work email address

Special Category

That you have booked/received a flu vaccination. We will not ask, or collect from you any other personal information in relation to this purpose.

The flu vaccination provider will request a consent form be completed and signed at the time of your appointment. Consent for the vaccination will be given at the time of your appointment.

Who we will share the information with (recipients)

Non-identifiable aggregate data will be used by the CCG to monitor delivery of the programme and to support the provision of national returns on uptake of the programme.

Do we use any processors?

The Human Resources Team: this service is provided by the North of England Commissioning Support Unit.

Flu Xpress Ltd: provider of flu vaccinations, including online booking system.

How we collect (the source) and use the information

You will be required to enter your name and work email address into the online appointment booking system provided by Flu Xpress. The CCG’s HR team will act as administrators for the booking system to support the management of your appointment. The HR team will keep a record of when you received a flu vaccination and use the information to provide a statistical report on uptake of the vaccine for SMT and Governing Body.

How long we will keep the information

Your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016.

HR will keep a record that you have had a flu vaccination during the period of this year’s Flu Immunisation Programme. After this time only non-identifiable aggregate data will be retained.

The details of your flu vaccination booking will be kept on the online appointment booking system for one month following your flu vaccination appointment and then automatically deleted.

Your Rights: With regards to this process, under GDPR you have the right:
• To be informed about the processing of your information (this notice)
• Of access to the information held about you
• To have the information corrected in the event that it is inaccurate
• To restrict or stop processing
• To object to it being processed or used
• To be notified of data breaches

Use of cookies by the CCG

You can read more about how we use cookies on our Cookies page.

Security and performance

The CCG uses a third party service (Urban Soul Design) based in Rochdale, Greater Manchester, to help maintain the security and performance of the CCG website. To deliver this service it processes the IP addresses of visitors to the CCG website.

How the NHS and Care Services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time. The CCG is currently compliant with the national data opt-out policy.

WordPress

We use a third party content management system, WordPress, to publish the website. WordPress is run by Automattic Inc. We use a standard WordPress feature to collect anonymous information about visitor activity on the website, for example the number of people viewing pages, in order to monitor and report on the effectiveness of the website and to help us to improve it. No information is stored with Automattic Inc. All our data, including the WordPress Content Management System, is stored on Urban Soul Design’s secure server (see Security and performance).

People who contact us via social media

If you send us a private or direct message via social media the message will be stored by the CCG for the appropriate amount of time that is required to fulfil your query. It will not be shared with any other organisations.

Communications

The CCG’s Communications Team does not routinely process personal information about you, however, when events are held, photographs or videos of the event are sometimes taken. We will always ask your permission when we either take a photo or video of you to ensure that you are happy with us using your photo. You will always have the right to refuse permission or withdraw your permission at a later date.

Occasionally as part of our response to media enquiries, it may be necessary to use and share some personal information as part of the response or press release. On these occasions we will always ask your permission first and will only ever use and share the minimum personal information necessary. The information will not be shared with others unless you have explicitly consented to this.

Lawful basis

When the communications team first get in contact with you, we will ask you to sign a consent form. The lawful basis which ensures that we are processing your information correctly is described in article 6 (consent) and article 9 (explicit consent) of the GDPR.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Engagement

If you choose to take part in one of the CCG’s engagement activities, we may process personal information about you.

Lawful basis

At the start of your involvement with us, we will ask you to sign a consent form. The lawful basis which ensures that we are processing your information correctly is described in article 6 (consent) and article 9 (explicit consent) of the GDPR.

You can withdraw your consent at any point. The only information that the CCG will process about you is information that you have given us yourself; this is likely to include your name, address and email address. The CCG will not routinely share this information with any external organisations, unless the CCG is under a legal obligation to do so.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

You have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

‘Get a Grip’ campaign

If you choose to take part in one of the CCG’s engagement activities, we may process personal information about you.

Lawful basis

If you choose to sign up to the ‘Get a Grip’ pledge, we will ask you for your first name and the first half of your postcode. We ask you for these details in order to maintain a record of the number of pledges we receive. The lawful basis for collecting this information is article 6(1)a (consent) of the GDPR.

You have the right to withdraw your consent at any point, and if you choose to do so we will remove your information from our list of pledges. You can do this by emailing calccg.calderdaleccgcomms@nhs.net. The only information that the CCG will use about you is information that you have given us yourself: your first name and the first half of your postcode. It will only be used for the purpose of counting the number of individual pledges received. The CCG will not share this information with any external organisations.

Once we have received your pledge, we will count this towards our total number of pledges and then delete your information; this will always be within one year. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

You have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Continuing Health Care (CHC)

When the Continuing Health Care Team receives an application for continuing healthcare funding, we make up a file containing the details of your application and any information relating to your application. This can include information about your health and care and relevant details from other organisations that are involved in your health and care treatment. The reason that we keep this is so that we can process your application.

We will only use the information within this file for the purposes of processing your application for funding, and will not share your information with anyone who is not involved in the application and decision process. The individuals involved in this process will be the Continuing Healthcare’s administration team who manage this process, the nurses who undertake an eligibility checklist and decision support tool, and the individuals involved in the decision making process in relation to your eligibility for continuing healthcare funding.

Normally, the type of information that we process about you is information you have provided yourself, but generally this will include your name, date of birth, address, postcode, your NHS number and other information you feel relevant to your application. In addition, during the course of the application, we will seek out further information in relation to your health and care needs to ensure that a decision can be made on eligibility and that the assessor can appropriately undertake the tools required to support this eligibility process.

Lawful basis

The lawful basis which ensures that we are processing your information correctly is described in article 6 (function of a public authority) and article 9 (provision of health care treatment) of the GDPR. However, the CCG will also seek your consent, which ensures that the common law duty of confidentiality is satisfied when we are processing your personal information.

The CCG will only share your information with partners as needed, in order to process your Continuing Healthcare application. We will have to disclose your information to providers who have been and will be involved in your care to ensure that we can gain access to accurate records regarding your needs. This will aid the assessment and review process of continuing healthcare. We may also share your information with the local authority, Doncaster CCG (which processed previously unassessed periods of care on behalf of the CCG), the CCG’s solicitors and others in line with the “need to know” principle.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Individual Funding Requests (IFR)

All IFRs are processed by the IFR team at NHS Greater Huddersfield CCG. The CCG has a shared arrangement with Calderdale, Greater Huddersfield, North Kirklees and Wakefield CCGs for the processing of Individual Funding Requests.

The CCGs have a robust procedure framework for considering IFRs and this involves the application for funding being considered at the relevant Panel / Committee which is made up of CCG staff members. The Panel / Committee will discuss the application and come to a decision in relation to the funding request.

Upon receipt of an IFR, the IFR team uploads all of the information detailed within the request on to a secure management system called Blueteq. The logging of IFRs will involve processing special categories of your personal data, which could include your name, date of birth, address, NHS number and information about your health and care needs.

Lawful basis

The CCG’s lawful basis to process your personal information as part of an Individual Funding Request is set out in Article 6 (processing such requests is one of the functions of the CCG as a public body) and Article 9 (provision of health care treatment) of the General Data Protection Regulation.

The CCG will only retain your information for as long as absolutely necessary to conduct the individual funding request. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Complaints

When we receive a complaint from a person we make up a file containing the details of the complaint; this is so that we can investigate and respond to your complaint appropriately. The file normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information such as the number of complaints we receive, but not in a form which identifies anyone.

Normally, the type of information we will process about you is information that you have provided yourself, but generally this will include your name, date of birth, address, postcode, your health and care needs and other information you feel relevant to your complaint.

We usually have to disclose the complainant’s identity to whichever care provider the complaint is about in order to move forward with the investigation. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.

At the start of the complaints process you will be asked to complete a form which ensures that you are fully aware of how your information will be processed and shared.

Lawful basis

The lawful basis which ensures that we are processing your information correctly is described in article 6 (function of a public authority) and article 9 (provision of health care treatment) of the GDPR. However, the CCG will also seek your consent, which ensures that the common law duty of confidentiality is satisfied when we are processing your personal information.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Workforce (Staff)

The CCG’s Workforce and Development Team processes special categories of personal staff information to ensure that the CCG can manage workforce processes. These processes include recruitment, payment of salaries and pensions, workforce and staff performance management, administering maternity leave and associated pay related schemes, and learning and development. The types of information that the CCG processes include personal information contained within your HR record, including name, date of birth, address, postcode, racial or ethnic origin, political beliefs and information concerning health.

The CCG uses a third-party provider to undertake its Human Resources, Learning and Development administrative support (North of England Commissioning Support Unit), and the CCG’s Human Resources advisory support is provided by Wakefield CCG. Therefore, your personal human resources information will be shared with North of England Commissioning Support Unit (the CCG’s Data Processor) and Wakefield CCG. Information which is required to be disclosed by law will be disclosed to the relevant organisation, for example HMRC for tax purposes in line with their statutory obligations.

Lawful Basis

The lawful basis which ensures that we are processing your information correctly is described in article 6(1)b (contractual relationship) and article 9 (2)h (assessment of working capacity of the employee), article 9 (2)b (as per relevant Human Resources employment laws) of the UK GDPR.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. The Health Informatics Service (THIS), our IT supplier, stores all our information securely on its servers.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Occupational Health

The CCG processes special categories of personal staff occupational health information to ensure that the CCG can manage occupational health processes, which include administering sick leave and pay, managing absence, managing a safe working environment and ensuring fitness for work. The information processed will include details within your HR record and information concerning your personal health.

The CCG used a third party provider to undertake its Occupational Health function. Therefore, your personal information relating to occupational health will be shared with South West Yorkshire Partnership NHS Foundation Trust (the CCG’s Data Processor for this purpose). The CCG will also need to share your occupational health information with Calderdale and Huddersfield NHS Foundation Trust (the CCG’s Human Resources provider). In addition to the above sharing, information which is required to be disclosed by law will be disclosed to the relevant organisation, for example the Department for Work and Pensions in line with their statutory obligations relating to the working capacity of an employee.

Lawful Basis

The lawful basis which ensures that we are processing your information correctly is Article 6(1)b (contractual relationship) and Article 9(2)h (assessment of the working capacity of the employee).

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Payroll

The CCG uses a third party provider to process staff information relating to payroll. Leeds Teaching Hospitals NHS Trust is the CCG’s data processor for this purpose. The CCG will not share your personal information with any other organisation, unless there is a legal obligation placed upon the CCG to share with another organisation, for example HMRC for the purposes of tax.

The information that payroll will process about you is limited to what is necessary in order to complete the function adequately, but the information could include your name, date of birth, address and bank details.

Lawful basis

The lawful basis which ensures that your information is being processed correctly is described in article 6(1) b (contractual relationship) of the GDPR.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Safeguarding

The CCG has a legal duty to have arrangements in place for safeguarding both adults and children. In order to carry out this role, the CCG’s Safeguarding Team processes information in relation to safeguarding. The information, processed for relevant people only, can include their name, date of birth, address, NHS number, information concerning their health and care and their racial or ethnic origin.

The CCG will only share this personal information where expressly permitted by law, and will not share with any partners who do not have a lawful basis to process the personal information.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which the CCG adheres to. This sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Risk Stratification

Risk stratification is a process which GPs use to help them reduce the risk of individuals developing diseases, such as type 2 diabetes, and to help prevent unplanned hospital admissions.

The type of information the CCG’s Business Intelligence Team will process about you includes your date of birth and anonymised details about your stay in hospital or your GP visit for the purposes of risk stratification. The CCG will not share personal information with other organisations.

The CCG receives some of this information from NHS Digital, which provides your secondary care information, and your GP Practice which provides your primary care information to support this process.

Lawful basis

The lawful basis for processing this information is provided by Section 251 of the NHS Act 2006. This section allows the Secretary of State for Health to give limited permission for the CCG to use certain categories of personal information when it is necessary for our work other than purposes which relate to your direct care. The approval is given under regulations made under Section 251 and is based on the approval of the Health Research Authority’s Confidentiality Advisory Group.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Invoice validation

The CCG processes individuals’ personal information for the purposes of invoice validation. This ensures that care providers can be paid the correct amount for any treatment that they have provided for you. This occurs in those circumstances where the CCG does not have an existing contract with the provider that has treated you.

The type of information that the CCG will process includes your name, date of birth, address, NHS number and the treatment you have received. The CCG will not share your information with other organisations except when it has a legal obligation to do so.

The CCG receives some of this information from the hospital that you were treated at, and the rest from NHS Digital.

Lawful basis

The lawful basis for processing your information is provided by Section 251 of the NHS Act 2006. This section allows the Secretary of State for Health to give limited permission for the CCG to use certain categories of personal information when it is necessary for our work other than purposes which relate to your direct care. The approval is given under regulations made under Section 251 and is based on the approval of the Health Research Authority’s Confidentiality Advisory Group.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

NHS England Annual 360 Survey of CCG Stakeholders

The Annual NHS England (NHSE) 360 stakeholder survey forms an important part of the CCG’s annual assurance process, enabling NHSE and the CCG to monitor its relationships with its partners and help inform the CCG’s future development.

In order to support the survey process, the CCG is required to provide contact information in the form of a stakeholder list to NHSE (data controller) and the surveying company that carries out the survey on their behalf (data processor). The information supplied in the list includes stakeholder names, organisations, role, email address and contact phone number. The NHSE Stakeholder Framework sets out the core organisations which must feature in the list, although the CCG is asked to nominate the specific individuals it would like to take part. There is also opportunity for the CCG to nominate a limited number of additional organisations and survey participants under the framework. Prior to the data being provided to NHS England and the surveying company, stakeholders are informed in writing of their proposed participation and given the opportunity to opt-out.

During the survey stakeholders are invited by email to complete a series of questions about their working relationships with the CCG either online or by phone interview.

The results of the survey are reported to CCGs on an anonymous basis, and aggregated for national reporting purposes; however, due to the small numbers in some stakeholder groups it is possible that individual stakeholders might be identified.

Lawful basis

The legal basis is Article 6(1)e “exercise of official authority” of the General Data Protection Regulation. Individuals have the right to object to the processing of their data in this way under article 21. If you do not wish the CCG to forward your details to NHS England and the surveying company for the purposes of the 360 stakeholder survey, please contact the CCG’s Data Protection Officer at: calccg.committee@nhs.net

Register of Interests and the Register of Gifts, Hospitality and Commercial Sponsorship

All CCG staff, Governing Body and committee members, Associates/Subject Specialists and CCG Members must declare any actual or potential conflicts of interest. They must also declare gifts, hospitality or commercial sponsorship – this is whether they were accepted or declined.

We publish our registers of interest, Gifts, Hospitality and Commercial Sponsorship on our website. These registers list the names of relevant individuals, their position or relationship with the CCG and details of the type of interest, gift, hospitality or commercial sponsorship.

The CCG also holds a register of interest for all staff which is available on request from the Corporate Governance Senior Officer.

The information is used to assist the CCG in the management of any real or potential conflicts of interest as set out in the CCG’s Management of Conflicts of Interest Policy https://www.calderdaleccg.nhs.uk/key-documents/.

Third party individuals are sometimes named in the register(s) because they have a business or personal relationship to the person making the declaration. These individuals are notified in advance of publication, in line with the CCG’s Conflict of Interest Policy.

Lawful basis

The Lawful basis for processing this information is provided by Article (1)(c) (Necessary for compliance with a legal obligation) and S.14(0) of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012) which sets out the minimum requirements of what both NHS England and CCGs must do in terms of managing conflicts of interest.

In exceptional circumstances, where the public disclosure of information might give rise to a real risk of harm or is prohibited by law, an individual’s name and/or other information may be redacted from the publicly available register(s). If you feel that substantial damage or distress may be caused to you or somebody else by the publication of information in the registers, you are entitled to request that the information is not published. Such requests must be made in writing to the CCG’s Conflicts of Interest Guardian.

The contact details are provided below:

Conflict of Interest Guardian

NHS Calderdale Clinical Commissioning Group 5th Floor, F Mill

Dean Clough Halifax

HX3 5AX

Email: calccg.committee@nhs.net

Information retention period

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The CCG is required to keep a record of the interests of named individuals on the public register for a minimum of six months after the date the interest expired. In addition, the CCG is required to keep a record of historic interests and offers/receipt of gifts, hospitality or commercial sponsorship for a minimum of six years after the date on which it expired.

The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Workforce Minimum Data Set

Under the Health and Social Care Act 2012, the CCG provides individual level staff information to NHS Digital for the workforce Minimum Data Set for primary and secondary care. This data is collected to enable a detailed understanding of the current workforce, its shape, size, skills, competencies and experience. Having this information supports the NHS to identify future workforce requirements to ensure that we can meet patients’ needs now and in the future.

In order to ensure accuracy and reduce duplication, some identifying information is required at the start of this process. However, this information is removed from the dataset following the initial automated process so that no one processing the database can identify an individual. The information collected will be analysed and used for workforce planning, accountability, Parliamentary Questions, Freedom of Information requests and supplied in aggregated reports to GP Practices, Health Education England, Local Education Training Boards, Clinical Commissioning Groups and NHS England.

More information about the workforce Minimum Data Set and its uses is available from the Department of Health and Health Education England https://digital.nhs.uk/data-and-information/areas-of-interest/workforce/workforce-minimum-data-set-wmds.

National Fraud Initiative

We participate in the Cabinet Office’s National Fraud Initiative which is a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of staff and supplier data to the Minister for the Cabinet Office for matching for each exercise. For further information regarding National Fraud Initiative’s data matching at NHS Calderdale CCG, please contact Olivia Townsend (Local Counter Fraud Specialist) at: Olivia.townsend@nhs.net.

Lawful basis

Please see the Cabinet Office’s privacy statement for further information on the lawful basis for collecting and processing this information.

Transformation (Learning Disability Data)

Assuring Transformation (AT) data collects information about individuals with learning disabilities and/or autism, who may have a mental health condition or behaviour that challenges, in in-patient settings, and provides it to the CCG. It gives the CCG broad oversight of their care.

The information collected and shared includes personal data such as name, address, date of birth and special category data such as health details. The AT data is sent to the CCG from healthcare providers and is then shared with NHS Digital on NHS England’s behalf. It covers all people with learning disabilities and/or autism that are being cared for in inpatient settings. The information collected is published in reports by NHS Digital. The reports don’t include any personal information, like names, birthdays or NHS numbers in them. Greater Huddersfield CCG is our data processor dealing with AT.

Lawful basis

The lawful basis for processing this information is provided by GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. For Special Category Data the lawful basis for processing is GDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care treatment or the management of health or social care systems and services.

The lawful basis for processing your information is provided by Section 251 of the NHS Act 2006. This section allows the Secretary of State for Health to give limited permission for the CCG to use certain categories of personal information when it is necessary for our work other than purposes which relate to your direct care. The approval is given under regulations made under Section 251 and is based on the approval of the Health Research Authority’s Confidentiality Advisory Group.

The CCG will only keep your information for as long as absolutely necessary. The CCG has a Records Management and Information Lifecycle Policy which sets out the length of time that we should keep the different types of information that we process. The information will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

As with all the information that we process about you, you have a number of rights that apply to your personal information. These can be found in the “What rights you have in relation to the above processing of your personal information” section.

Under the NHS constitution you have the right to be informed about how your information is used. You also have the right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis. If you do not wish for your information to be included in the information sent to NHS Digital then please let us know at calccg.committee@nhs.net

Caldicott Guardian

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing.

This person is called the Caldicott Guardian. Dr Steven Cleasby, the Governing Body’s Chair is the Caldicott Guardian for Calderdale CCG. You can contact Dr Cleasby by writing to:

Dr Steven Cleasby, Caldicott Guardian

NHS Calderdale Clinical Commissioning Group 5th Floor, F Mill

Dean Clough Halifax, HX3 5AX

email: calccg.committee@nhs.net

Keeping your information secure and confidential

The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption, and ensuring information is transferred safely and securely. The CCG does not transfer personal confidential information overseas.

The CCG is registered with the Information Commissioner’s Office as a Data Controller which details all the purposes for which personal data is collected, held and processed.

The CCG will not pass on your details to any third party or other government department unless we ask your permission to do this or when it is necessary to comply with a legal obligation.

The Information Commissioner’s Office maintains a public register of organisations that process personal information. NHS Calderdale Clinical Commissioning Group registration number is Z3581562.

What rights do you have in relation to the above processing of your personal information?

Right of Access to your personal information

This is also known as a Subject Access Request.

When we are processing your personal information, you have the right to obtain confirmation from the CCG that we are:

  • Processing your personal information;
  • That we should be processing your personal information; also you have the right to access that information.

As well as providing access to your information, we will also explain:

  • Why we are processing your personal information;
  • The categories of your personal information that we process;
  • Who we might share the information with and why;
  • How long we will retain your personal information after processing;
  • What other rights you have in relation to the information we are processing about you;
  • If we haven’t collected the information directly from yourself, who has provided your information to us.

The CCG will provide a copy of the personal information that we are processing in relation to you, this can either be posted to you or emailed, depending on your preferred method of communication and sharing of information.

Should you wish to make a request to access your personal information, please follow the subject access request procedure and contact the Data Protection Officer on the details provided in the “who we are” section.

Right to Rectification of your personal information

If you believe that the personal information we are processing about you is either incorrect or incomplete, you can request that this personal information be rectified by either correcting information you believe to be inaccurate or by producing a supplementary statement if you believe that the personal information we hold is incomplete.

To make a request to have your personal information rectified, please contact the Data Protection Officer (See “who we are”).

Right to Erasure of your personal information (Right to be forgotten)

If the CCG is processing your personal information, you have the right to request that your information is erased completely, this is also known as the “right to be forgotten”. If you exercise this right, it will mean that the CCG will not keep any personal information relating to you.

This right can be used:

  • Where you believe that the personal information we hold is no longer necessary for the purpose that we originally had for processing your information;
  • Where you withdraw consent to the processing of your personal information and there is no other legal basis for the CCG to retain this information;
  • Where you object to the processing of your personal information (please see below the “Right to Object”), and there are no overriding legitimate grounds for the continued processing of your personal information;
  • Where you believe your personal information has been processed unlawfully;
  • Where you believe that the CCG has a legal obligation to erase your personal information;
  • Where your personal information has been collected in relation to information society services.

This right to be forgotten does not apply in circumstances where processing is necessary:

  • For exercising the right of freedom of expression and information;
  • Where the CCG has a legal obligation which requires it to process your personal information, for a task carried out in the public interest or in the exercise of official authority vested in the CCG;
  • For reasons of public interest in the area of public health;
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • For the establishment, exercise or defence of legal claims.

To make a request to have your personal information erased, please contact the Data Protection Officer (see “who we are”).

Right to Restriction of Processing of your personal information

You have the right to restrict the processing of your personal information by the CCG, should it meet the criteria below. If you exercise this right, it will mean that the CCG stops processing your information, with the exception of storing your information.

The circumstances in which you can exercise your right to restrict the processing of your personal information are as follows:

  • If you contest the accuracy of personal information processed by the CCG. This will, for a period of time, halt the processing enabling the CCG to verify the accuracy of your personal information;
  • If you believe the processing of your personal information is unlawful and oppose its erasure but would rather restrict its processing;
  • If you believe the CCG no longer requires your personal information for the original purpose, but your personal information may be required for the establishment, exercise or defence of legal claims;
  • Where you have objected to the processing of your personal information pending verification regarding whether the legitimate grounds of yourself override those of the CCG.

Following this restriction, the only grounds on which the CCG will begin to process your personal information are:

  • if you consent to the processing or;
  • for the establishment, exercise or defence of legal claims or;
  • for the protection of the rights of another natural or legal person or;
  • reasons of important public interest.

You will be informed by the CCG if the restriction on processing your personal information is to be lifted.

To make a request to have the processing of your personal information restricted, please contact the Data Protection Officer (see “who we are”).

Right to Data Portability for your personal information

When you have provided your personal information to the CCG and it is processed automatically, and the legal basis for processing your information is based on either consent or a contractual relation, you have the right to something called “data portability”. This means that you have the right to receive your own personal information in a structured, commonly-used and machine-readable format and have the right to ask the CCG to transmit that data to another organisation.

To make a request to have your personal information provided or transferred under this right, please contact the Data Protection Officer (see “who we are”).

Right to object to the processing of your personal information

When the CCG is processing your personal information in relation to the exercise of its official authority, or where it is processing your personal information in the CCG’s legitimate interests, you have the right to object.

Once you have exercised this right, the CCG will no longer process your personal information unless the CCG can demonstrate compelling grounds for the processing which override your interests, rights and freedoms as the data subject or for the establishment, exercise or defence of legal claims.

Should you wish to object to the processing of your personal information, please contact the Data Protection Officer (see “who we are”).

Right to lodge a complaint with the Information Commissioner

At any point, you have the right to lodge a complaint with the Supervisory Authority for Data Protection in the United Kingdom. The Supervisory Authority is the Information Commissioner. If you have a complaint about the way in which the CCG is processing your personal information, please contact the Information Commissioner’s Office (ICO). The ICO can be contacted on the below details:

Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow Cheshire, SK9 5AF

Tel: 0303 123 1113 or 01625 545 745 or www.ico.org.uk

Changes to this Privacy Notice

If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures that you are always aware of what information we collect, how we use it and under what circumstances, if any, we share it with other organisations.

Contact Us

If you have any questions regarding the information we hold about you or you believe the CCG has not complied with the General Data Protection Regulation in the way we have processed your personal information, you can make a complaint to:

Data Protection Officer

NHS Calderdale Clinical Commissioning Group 5th Floor, F Mill

Dean Clough Halifax

HX3 5AX

email: calccg.committee@nhs.net