NHS South West London Integrated Care Board (ICB) commissions services on your behalf and provides clinical data about you relating to risk stratification in order to support your GP in assessing the provision and use of services where you have applied for these services.
This data is used to assess whether you meet the criteria for funding for these services and to enable provision of services thereafter.
People who have access to your information will only have access to that which they need to fulfil their roles.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to comply with our legal obligations. Please see below.
We are required by Articles in the General Data Protection Regulation to provide you with the information in the following 9 subsections.
Controller contact details
NHS South West London ICB, 120 The Broadway, Wimbledon, London SW19 1RH
Data protection officer contact details
Strategic information governance lead: [email protected]
Purpose of the processing
Risk stratification
Your GP uses your data to provide the best care they can for you. As part of this process, your GP will use your personal and health data to undertake risk stratification, also known as case finding.
Risk stratification involves applying computer-based algorithms, or calculations, to identify those patients registered with the GP surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
Identifying those patients individually from the patient community registered with your GP would be a lengthy and time-consuming process which, by its nature, might not identify individuals quickly and would increase the time taken to improve care.
Your GP surgery uses the services of a health partner, NHS NEL Integrated Care Board (ICB), to identify those most in need of preventative or improved care. This contract is arranged by us.
Neither we nor NHS NEL ICB will at any time have access to your personal or confidential data. They act on behalf of your GP to organise this service with appropriate contractual and security measures only.
NHS NEL ICB will automatically process your personal and confidential data without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention.
Processing takes place automatically and without human or manual handling. Data is extracted from your GP computer system, automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.
We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NHS NEL ICB for risk stratification purposes.
Lawful basis for processing
The processing of personal data in the delivery of risk stratification and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.*
Recipient or categories of recipients of the processed data
The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
Rights to object
You have the right to object to some or all of the information being processed under Article 21. Please contact the Controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.
Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a Court of Law.
Retention period
The data will be retained in line with the law and national guidance.
Right to complain
You have the right to complain to the Information Commissioner’s Office (ICO).
Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are National Offices for Scotland, Northern Ireland and Wales.
References
* “Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.