NHS South West London Integrated Care Board (ICB) commissions services on your behalf and provides clinical data about you relating to Population Health Management in order to support health and social care organisations in assessing the provision and use of services that you may require to support your healthcare needs.
This data is used to assess and identify preventative interventions and to enable provision of services thereafter.
People who have access to your information will only have access to that which they need to fulfil their roles.
You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to comply with our legal obligations. Please see below.
We are required by Articles in the General Data Protection Regulation (GDPR) to provide you with the information in the following subsections.
Controller contact details
NHS South West London ICB
120 The Broadway
Wimbledon
London SW19 1RH
Purpose of the processing
Population health management
Your healthcare provider uses your data to provide the best care they can for you. As part of this process, your healthcare provider will use your personal and health data to undertake population health management, also known as case finding.
Population health management involves applying computer-based algorithms, or calculations, to identify those patients registered with the healthcare organisation who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
Identifying those patients individually from the patient community registered with your healthcare provider would be a lengthy and time-consuming process which, by its nature, might not identify individuals quickly and would increase the time taken to improve care.
Your healthcare organisation uses the services of a health partner, NHS NEL Integrated Care Board (ICB), to identify those most in need of preventative or improved care. This contract is arranged by us.
Neither we nor NHS NEL ICB will at any time have access to your personal or confidential data. They act on behalf of your healthcare provider to organise this service with appropriate contractual and security measures only.
NHS NEL ICB will process your personal and confidential data without any staff being able to view the data. The data is in a pseudonymised format, which means that it can be re-identified by your healthcare provider but cannot be re-identified by the organisations processing your data. Typically, they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention.
Data is extracted from your healthcare provider's computer system and automatically processed. Only your healthcare provider is able to view the outcome, matching results against patients on their system; this is done through a dashboard held on the Health Insights system.
The Health Insights system is a system through which NHS NEL ICB provides all information to your healthcare provider in dashboard format, with the ability for your healthcare provider to re-identify your information. We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you.
At all times, your healthcare provider remains accountable for how your data is processed. However, if you wish, you can ask your healthcare provider for your data not to be processed for this purpose and your healthcare provider will mark your record as not to be extracted so it is not sent to NHS NEL ICB for Population Health Management purposes.
Lawful basis for processing
The processing of personal data in the delivery of Risk stratification and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’.
Common law duty of confidentiality
Under the new guidance from the ICO, the data held within Health Insights can be treated as anonymous due to the fact that Health Insights (SWL ICB) do not hold the key to re-identify the pseudonymised data sets.
For re-identification by clinical professionals, under the common law duty of confidentiality information can be shared for the purposes of direct care with the reasonable expectation that the data subject understands their data will be shared.
Recipient or categories of recipients of the processed data
The data will be shared with health and social care professionals and support staff in the healthcare providers within the organisations listed below who contribute to your personal care:
- GP practices
- London Ambulance Service
- Practice Plus Group (PPG) 111 service provider
- SWL acute trusts
- Local authority for adult social care data
- Mental health trusts
- Community trusts
Rights to object and national data opt out
You have the right to object to some or all of the information being processed under Article 21. Please contact the controller.
You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance. The national data opt out does not apply to this data.
Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a Court of Law.
Retention period
The data will be retained in line with the law and national guidance.
Right to complain
You have the right to complain to the Information Commissioner’s Office (ICO).
Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are National Offices for Scotland, Northern Ireland and Wales.
References
* “Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where there is a reasonable expectation from the data subject that the data will be shared with organisations for the specific purpose of their direct care;
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.