Purpose of this Privacy Notice

The purpose of this notice is to tell you what personal information the NHS West Yorkshire Integrated Care Board (ICB) collects and holds about you, what we do with it, how we will look after it and who we may share it with. We also explain your rights in respect of your personal information and the choices you can make about the way your information is used.

The notice covers personal information we collect directly from you, or collect indirectly from other people or organisations; how that information is used, the legal basis for using the information, who we may share that information with, and how we keep it secure and confidential.

There are a number of laws which tell organisations how to collect and use personal information. These are:

  • UK General Data Protection Regulation
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality

You have a number of data protection rights which allow you to control your personal information. These rights are described in the ‘Your Rights’ section. For more information about your data protection rights, please visit the ‘Your Data Matters’ page on the Information Commissioner’s Office website.

This privacy notice applies to all information held by the ICB relating to individuals, whether you are a patient, service user, member of the public or a member of staff.

The information set out in this notice is not exhaustive. We are happy to provide any additional information or explanation needed.

This privacy notice uses a number of terms which are defined in the Glossary Section.

This privacy notice was updated on 1st July 2022.

Who we are

The ICB is an organisation, governed by partners and focused on collaboration as a means of driving improved outcomes for people in West Yorkshire (spanning Bradford District and Craven, Calderdale, Kirklees, Leeds and Wakefield District). The ICB is responsible for planning and designing local health services across West Yorkshire, arranging unplanned care services for our registered patients and for commissioning services for any unregistered patients who live in West Yorkshire.

We do this by ‘commissioning’ or buying health and care services including:

  • Planned hospital care
  • Unplanned care (urgent care)
  • Rehabilitation care
  • Community Health Services
  • Mental Health and learning disability services
  • Primary Care Services such as GP, Dentist, Optician or Pharmacist

We manage the performance of services that we commission to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role includes responding to any concerns from our patients about these services.

The ICB has a legal duty to ensure that it makes arrangements for the provision of high quality, safe, effective and efficient healthcare for people who are registered with one of its member practices where this is not purchased centrally by NHS England. The ICB also has a duty to ensure that patients have equal access to services and are able to achieve the same outcomes, regardless of differences in their personal situation. The ICB has a duty to involve patients, their relatives and carers in any decisions about the prevention and diagnosis of illness and their care and treatment and, wherever possible, enable patients to make choices about the healthcare provided to them.

Contacts

Data Controller: West Yorkshire Integrated Care Board
White Rose House
West Parade
Wakefield
WF1 1LT

Telephone: 01924 213050
Email: wyicb.informationgovernance@nhs.net

Data Protection Officer (DPO)

The DPO acts independently and is responsible for informing and advising the ICB and our staff of their obligations under data protection related legislation. The DPO is also responsible for the provision of advice and monitoring of the ICB’s compliance with UK data protection law, the ICB’s data protection related policies and data protection impact assessments.

The DPO is also the first point of contact for individuals who have questions about how their personal information is used by the ICB (including exercising their data protection rights). The DPO also acts as the main contact point for the Information Commissioner’s Office (ICO).

Contact details: 

Helen Holt, Data Protection Officer
West Yorkshire Integrated Care Board
White Rose House
West Parade
Wakefield
WF1 1LT

Telephone: 01924 213050
Email: wyicb.informationgovernance@nhs.net

If you have any questions regarding the personal information we hold about you or you have a complaint about how we use your personal information, the first step you should take is to contact our Data Protection Officer using the contact details above.

If you feel that we have not dealt with your complaint properly, you have the right to lodge a complaint with the ICO at any time. Their contact details are:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Tel: 0303 123 1113
Website

The ICO maintains a public register of organisations that process personal information. As a data controller the ICB is registered with the ICO.

Type of information we hold and how we use it

Where possible we will use information that does not identify you to carry out our work, but sometimes we may need to use your personal information to do our work, promote our services and to support/manage our staff. We will only use the minimum amount of information necessary for that purpose.

The ICB uses and processes several different types of information:

  • Personal confidential data / identifiable – information which contains personal details that identify you such as name, address, email address, NHS Number, full postcode, date of birth.
  • Anonymised data – all data or information which could identify who you are will have been removed.
  • Pseudonymised data / information – data which is about you, but does not tell us who you are because any identifiers will have been replaced with something which would not identify you e.g. a coded reference.
  • Aggregated data / information – data or information is grouped together to show general trends or values without identifying individuals.

We may also process ‘Special category data’, which is personal information of a more sensitive nature and requires additional protection. Special category data includes:

  • Racial or ethnic origin
  • Political opinions
  • Trade union membership
  • Religious or philosophical beliefs
  • Genetic data
  • Biometric data (where used for identification purposes)
  • Physical and mental health
  • Sex life and sexual orientation.

Use of Anonymised Data

We use anonymised data to plan health care services including:

  • Checking the quality and efficiency of the health services we commission;
  • Preparing performance reports on the services we commission;
  • Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
  • Reviewing the care being provided to make sure it is of the highest standard.

Use of Pseudonymised (De-identified) Information

We use de-identified information in our role as commissioner to:

  • plan, design, purchase and pay for the best possible care available for you;
  • look at the care provided by different providers across our area to make sure that together they support the needs of the local population;
  • performance manage contracts;
  • prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement;
  • help us plan future services to ensure they continue to meet our local population needs;
  • identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the ICB in order to help us plan the most appropriate health services for our population; this is called Population Health Management;
  • meet certain Research and Development obligations as an ICB as well as commissioning.

Use of Personal Confidential Data / Identifiable Information

As an ICB we do not routinely hold medical records or confidential patient data; however, there are some limited exceptions.

Below is a list of where we collect and use personal information.

Please select the relevant link for information on the purpose, the type of information used, the legal basis identified for the collection and use of the information, how we collect and use the information required, any third parties we may share the information with and your rights regarding the use of the information including, where relevant, your right to opt out.

Staff information

The ICB, as an NHS Employer, needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the ICB complies with employment law and to provide other services related to staff employment.

Sharing information

There are certain circumstances where we may be legally required to share your information. This includes information requested under a court order, information requested for safeguarding purposes, information requested for the prevention or detection of crime and for the notification of infectious diseases.

If we are asked to share information with a non-NHS organisation and the purpose does not directly relate to your care, we will always ask for your agreement prior to any information being shared. If you choose not to agree to this when asked, we will record your decision to ensure that we do not share your information with that organisation.

If information is shared, we will only share the minimum amount of information necessary for them to provide the service or comply with their legal duty and only where pseudonymised / anonymised data cannot be used.

We will also, in the course of our business, work with third party suppliers who process information on our behalf. The ICB will work with partner organisations to ensure that appropriate data processing agreements and contracts are in place, setting out the security standards and legal obligations required to protect your information.

Data Privacy and confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK General Data Protection Regulation, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.

In the circumstances where we are required to use personal identifiable information we will only do this if:

  • The information is necessary for your direct healthcare, or
  • We have received explicit consent from you to use your information for a specific purpose, or
  • There is an overriding public interest in using the information:
      • In order to safeguard an individual,
      • To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
  • There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation), or
  • We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary for our work.

Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this.

Our staff, contractors and committee members receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

The ICB maintains a set of regularly updated policies and procedures covering all aspects of information governance.

How we keep your personal information safe

We have a legal duty to protect any personal information we collect from you. We use cyber security technology and encryption software to protect your information and keep strict security standards to prevent any unauthorised access to it.

We take steps to make sure that the information we hold about you is secure – such as storing information in secure locations, only allowing information to be accessed by authorised personnel, using encryption on laptops and mobile phones and making sure information is sent safely and securely.

Your rights

Under the UK General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activities as certain rights are not available depending on the lawful basis for the processing.

Examples of where some rights may not apply – where our lawful basis is:

  • Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – then rights of erasure and portability do not apply.
  • Legal Obligation – then rights of erasure, portability, objection, automated decision making, and profiling do not apply.

If you require further detail each link below will take you to the Information Commissioner’s Office website where further detail is provided in section ‘When does the right apply’.

These rights are:

Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

National Data Opt-Out

The national opt-out allows people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your information to be used in this way, visit NHS - My data choice. If you do choose to opt out you can still consent to your information being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time. The ICB is currently compliant with the national data opt-out requirements.

How long will we keep your information

All records are retained in line with the ICB Retention and Disposal Schedules and the Records Management Code of Practice 2021 – see Code of Practice.

Glossary

Anonymised: Information which is about you but from which you cannot be personally identified.

Aggregated: Grouped information about individuals that has been combined to show general trends or values without identifying individuals.

Caldicott Guardian: A senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.

Consent: The consent of the ‘data subject’ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

Data Controller: Data Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processor: Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Data Protection Officer: The Data Protection Officer (DPO) is responsible for the provision of advice on data protection compliance obligations, data protection impact assessment and monitoring of data protection compliance which includes conducting assurance audits.

Data Subject: An identified or identifiable ‘living individual’ whose personal data is processed by a controller or processor. Otherwise known within data protection legislation as a ‘natural person’.

Encryption: The process of transforming information (referred to as plain text) using an algorithm (called ‘cipher’) to make it unreadable to anyone except those possessing the encryption ‘key’.

Health Record: Information relating to the physical or mental health or condition of an individual and has been made by or on behalf of a health professional in connection with the care of that individual.

Identifiable: Information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Personal Data: Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, including (but not limited to):

  • Name
  • Date of Birth
  • Post Code
  • Address
  • National Insurance Number
  • Photographs, digital images etc.
  • NHS or Hospital/Practice Number
  • Location data

Personal data that has been pseudonymised e.g. key coded, can fall within the scope of data protection legislation depending on how difficult it is to attribute the pseudonym to a particular individual.

Processing: Processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymised: Information relating to individuals which is distinguished by using a coded reference, which does not reveal their ‘real world’ identity.

Record: Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business (the ISO standard, ISO 15489-1:2016 Information and documentation - records management).

Records Management: The process by which an organisation manages all the aspects of records whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal.

Senior Information Risk Owner (SIRO): The SIRO is a senior officer of the ICB. The SIRO acts as an advocate for information risk across the ICB and leads and implements the information risk assessment programme.

Special Category Data: Special Category Data (or sensitive personal data) are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Subject Access Right: Entitles the data subject to have access to and information about the personal data that a controller has concerning them. Also known as the Right of Access.