Privacy notice: NHS Surrey Heartlands ICB

Introduction

The purpose of this notice is to inform you of the way in which we, NHS Surrey Heartlands Integrated Care Board (the ICB), use information (including personal data) about you.  In this notice we will explain:

• Who we are and what we do
• The types of information we hold about people
• How we use this information and why we need to do this
• Who we may share your information with
• How you can object to or complain about the way we use your information
• How you can access a copy of the information we hold about you
• What other rights you may have in relation to this information
• How we keep your information secure and confidential
• Where to go if you require further information

This guidance applies to all individuals whose information is used by the ICB, including local NHS service users, our staff and suppliers, and visitors to our offices.    

This information is sometimes known as a ‘Privacy Notice’ or ‘Fair Processing Notice’ which we have a legal obligation to provide you with under data protection law.

We will review this information regularly and update it as required - we would therefore recommend that you check this webpage regularly to ensure that you remain informed about how we use your information. 

Who we are

This notice applies to NHS Surrey Heartlands Integrated Care Board (the ICB) only.  The ICB is a statutory organisation established under the Health and Care Act 2022 which brings the NHS together locally to improve population health and establish shared strategic priorities.     

The ICB is also part of the Surrey Heartlands Integrated Care System.  Integrated care systems (ICSs) are partnerships of organisations that come together to plan and deliver joined up health and care services, and to improve the lives of people who live and work in their area.  The purpose of ICSs is to bring partner organisations together to:

• improve outcomes in population health and healthcare
• tackle inequalities in outcomes, experience and access
• enhance productivity and value for money
• help the NHS support broader social and economic development.

Please see NHS England » What are integrated care systems? for further information regarding ICBs and ICSs.

The ICB is registered with the Information Commissioner’s Office (ICO) as a Data Controller.  Please see the ICO’s public register for further information - the ICB’s ICO registration number is ZB336405.   

The ICB is usually the Data Controller for your information that we hold, and this means that we are the legal entity that is responsible for determining how this will be used and ensuring that this use complies with applicable data protection legislation. 

Where we are working collaboratively with other ICS partner organisations or another ICB, we may be joint data controllers for your information.  Integrated Commissioning and delivery teams have been established for health and social care services within Surrey Heartlands.  The ICB and Surrey County Council (SCC) are joint controllers of the data we use for these purposes, with the ICB acting as lead controller.  The ICB and other ICS partner organisations are joint controllers of data that is processed via the Surrey Care Record – see Surrey Care Record.            

What we do

The Health and Care Act 2022 gives the ICB a range of duties and powers and in accordance with these the ICB undertakes the following activities:   

• Commissioning of Primary Care Services provided by GP Practices and Pharmacy, Optometry, and Dentistry (POD) Services (under delegated authority from NHS England) 
• Commissioning of Secondary Care Services provided by Hospitals (Acute Trusts), Community Health Services, and also Mental Health Services 
• Working with Surrey County Council to jointly commission Health and Social Care Services
• Monitoring the quality of commissioned services and dealing with concerns from service users
• Medicines Management, including authorisation for controlled drugs
• Governance and administration duties to ensure that we are a well-managed organisation
• Providing services to other health care organisations (including support with Medicines Management reviews, Business Intelligence, Data Analysis, and Emergency Planning Resilience & Response related activities etc.)   
• Operating a Primary Care Referral Support Service for GP Practices
• Assessing Individual Funding Requests (IFRs)
• Managing Continuing Healthcare for Adults (Surrey-wide service provided by the ICB)
• Managing Continuing Healthcare for Children (Surrey-wide service provided by the ICB)
• Safeguarding vulnerable Adults and Children (Surrey-wide service provided by the ICB)
• Operating a Patient Emergency Transport and Out of Hours Care (Surrey-wide service provided by the ICB) 

Whose information we hold

To allow us to undertake the activities above we will use information relating to the following types of people: 

• who live within the Surrey Heartlands area and Surrey County
• who are registered with GP Practices within Surrey
• who use the services we commission
• undertaking work for commissioned provider organisations, other health and social care organisations with which we work, and suppliers of goods and services
• who undertake work for us or have applied to do so.

What types of information we use

To allow us to undertake the activities above we will use different types of information, this includes: 

• Identifiable Personal Data – you can easily be identified from this information, which relates to you.  We will only use this where there is no other viable alternative.  Identifiable personal data includes: 
  • Personal Data (for example your name, contact details, or date of birth).
  • Special Categories of Personal Data (which includes data relating to ethnicity, sexual orientation, and also data relating to physical or mental health).
• Non-Identifiable Personal Data – this includes ‘Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym.  It also includes personal data which is classed by the NHS as ‘Anonymised in Context’ as it includes a local identifier, such as your hospital number.  This information could potentially be used to identify you, if it was processed outside of the ICB and/or added to other information, so we ensure that we have robust controls in place to manage how this is used.
• Anonymised Data – you cannot be identified from this, even if it is added to other information. 

How the ICB gets this information

We generally receive information about people in one of the following ways: 

• The person it relates (e.g., a service user or staff member) or their authorised representative provides it to us directly.
• We receive it from another health and social care organisation with which we work.
• It is provided to us by NHS England / the Department of Health.

Why we use this information

We use different types of information for different purposes as detailed below 

• To undertake commissioning and planning activity we will use Anonymised Data wherever appropriate or Non-Identifiable Personal Data where we require this to be able to undertake detailed work and to be able to link data together.  
• To provide or support direct healthcare we will seek to use Non-Identifiable Personal Data wherever this is possible however we may need to use Personal Data and Special Categories of Personal Data, such as information relating to physical or mental health, to ensure that risks to patient safety are minimised.
• For regulatory and public health functions we will seek to use Non-Identifiable Personal Data wherever this is possible however we may need to use Personal Data and Special Categories of Personal Data, such as information relating to physical or mental health, to ensure that risks to public health are minimised.
• For safeguarding activity we will use Personal Data and Special Categories of Personal Data, such as information relating to physical or mental health, to ensure that risks to individuals are minimised.
• To fulfil our statutory duties under various pieces of applicable legislation and to undertake employment related activities we need to process personal data and Special Categories of Personal Data, such as data relating to ethnicity, gender, and sexual orientation etc.  This will also require that we process data relating to criminal convictions relating to individuals who are undertaking work for us or applying to do so.  The ICB has established joint roles and integrated teams with local partners, including Surrey County Council – we may share special category data relating to staff with partners to ensure effective management and supervision of these roles.
• To be a well-managed organisation, and fulfil governance and administration responsibilities, we may need to process personal data and, occasionally, Special Categories of Personal Data.

The lawful basis for this activity 

Data protection legislation requires that we explain the lawful basis for us processing personal data.  The ICB has undertaken detailed reviews and has identified that the activity involving personal data we carry out will be lawful under data protection legislation because either: 

• it is necessary for performance of a task carried out in the public interests or in the exercise of official authority as ICBs have a statutory duty or power to do this under the NHS Act 2006, Health & Care Act 2022 or another applicable piece of legislation
• it is necessary for the performance of a contract to which a person is party or in order to take steps at the request of a person prior to entering into a contract
• we hold the documented, informed consent of the person to use their data in this way
• it is necessary for us to comply with a legal obligation that we are subject to
• it is necessary for the legitimate interests of the ICB (this does not include any personal data processed for the purposes of meeting our statutory duties).  The ICB believes that we have legitimate interests in ensuring strategic alignment and the achieving best possible use of public funds.

Where individuals undertaking work for the ICB are legitimately required to process Special Categories of Personal Data as part of their responsibilities this will also be lawful as this activity will be either: 

• undertaken under the basis of informed consent
• necessary for purposes of medical diagnosis, the provision of health and social care treatment, or the management of health and social care systems and services or necessary for reasons of public health in the case of service user health related data
• necessary for the purposes of employment or social security / protection activities
• necessary to safeguard and protect the vital interests of an individual.   

The non-identifiable personal data the ICB uses for our commissioning and planning activity, including that undertaken jointly with Surrey County Council, is considered to be personal data under the UK General Data Protection Regulation 2016 (GDPR).  The lawful basis for the ICB’s processing of this data under the GDPR is: 

• 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• 9(2)(h) processing is necessary for the purposes of … medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

In the case of disclosure of confidential personal data we will also ensure that we meet the Common Law Duty of Confidentiality by ensuring that either: 

• we have consent from the person, whether explicit or implied (implied consent is where the person could reasonably expect their data to be used in this way and has not objected)
• that this authorised by law or legal proceedings
• that there is an overriding substantial public interest (for example in case of infectious diseases where the public is at risk)
• that this has been aside due to permissions given to us under section 251 of the NHS Act 2016 - this includes the following:
• Commissioning, improving, and planning care services
• Invoice validation
• Risk Stratification.

To ensure that we adequately inform you about the way in which we use personal data, we supplement the information included within this notice with further information (including the lawful basis applicable) within the following service / activity specific notices which are available from the ICB on request: 

• Commissioning
• Integrated Commissioning with Surrey County Council
• Collaborative Commissioning with Frimley ICB
• Planning and delivery of Place Partnership services
• Delegated Primary Care Commissioning
• Contracting and Finance
• Governance and Administration
• Employment
• Business Intelligence
• Carers
• Care Homes
• Communications and Engagement
• Continuing Healthcare – Adults
• Continuing Healthcare – Children
• Emergency Preparedness, Resilience and Response and Business Continuity
• Emergency Preparedness, Resilience and Response - Services provided for other organisations
• Individual Funding Requests
• Quality Monitoring
• Safeguarding – Adults & Children
• Referral Support Service
• Risk Stratification
• Population Health Management
• Surrey Care Record (see Surrey Care Record)
• Medicines Management – Services provided by ICB
• Medicines Management – Services provided for GP Practices
• Information Governance
• Learning Disabilities
• Adult Mental Health

The ICB also maintains detailed records of processing and can make this available on request to the DPO.   

Who we may share data with

We may share your personal data with other organisations and these include: 

• other ICBs operating within Surrey (Frimley ICB) and those in other areas
• Surrey County Council where we are commissioning health and social care services for people within Surrey Heartlands or monitoring these services
• organisations that deliver health and care services to you
• organisations that we have asked to process this information on our behalf and which include:
  • Commissioning Support Units – NECS and NHS South, Central and West CSU
  • providers of employment related services, our Payroll Provider, and our Occupational Health service provider
  • our Auditors (RSM and TIAA); 
  • Information, Communication Technology (ICT) system providers
  • Graphnet Healthcare Limited who undertake risk stratification on behalf of the ICB and provide data analytics systems to support population health management activity undertaken within the ICB area
• organisations that have a legal right to obtain this from us (such as the NHS Counter Fraud Authority, the Police and certain Government Departments). 

Where organisations process your data on behalf of the ICB, we put in place controls to ensure that they use your data only as instructed by us and in accordance with this notice.  Our Data Processors may transfer your data outside of the UK or the Europe Economic Area (EEA) - where this is done, we ensure that there are appropriate controls and protection in place. 

The Surrey Heartlands Health and Social Care Information Sharing Agreement has been established to support the ICB and other ICS partners to share data safely and lawfully. Please see our Information sharing agreement for further information.

Your information related rights

Under data protection legislation everyone has rights regarding how their information can be used and the ICB is committed to ensuring that we and our authorised data processors meet these – please see below for further information: 

Under data protection legislation and the NHS Constitution you have the right to be informed , which will meet via this and related notices, and to opt-out of having your data used for specific purposes.

• You can choose whether your confidential patient information is used for research and planning. To find out more about the NHS National Data Opt-Out programme visit nhs.uk/your-nhs-data-matters.
• You can also tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a Type 1 Opt Out’. This opt-out request can only be recorded by your GP practice.

If you are user of a healthcare related service provided by the ICB you can opt-out by contacting us by email, telephone, or post.  We will explain what impact this may have on our ability to provide you with this service.    

If you are receiving email communications from us (and we do not require that you receive these for contractual or legal reasons) you will be able to opt-out of receiving further emails by clicking on the unsubscribe link in the email or by contacting us by email, telephone, or post.  We will immediately remove your details from our mailing list, and you will no longer receive these emails from us. 

You should also contact us by contacting us by email, telephone, or post if you wish to opt-out and we process your data for other purposes.  We will confirm whether we are able to respect this right and provide an explanation if we are not able to do this.  

You have the right to object to the way we use your information and to ask us to stop using it in this way.  You can do this by contacting us by email, telephone, or post. 

• Service Users - If you no longer want us to use your information and we no longer require this to supply you with services or to meet our regulatory or legal duties, we will stop using your data.
• Individuals undertaking work for the ICB - If we hold your data for employment, governance or administration related purposes, and we no longer require this to meet our contractual, regulatory or legal duties, we will stop using your data if you want us to do this unless we can demonstrate that need to continue process this to meet our legitimate interests. 

You have the right to erasure – i.e., that we delete your information.  We will do this if we no longer require it for the purpose for which it was provided or to meet a contractual, regulatory or legal duty.  Please note this right does not apply to health data.  Please contact us by email, telephone, or post if you want us to delete your data.    

You have the right to access a copy of the information we hold about you by requesting this in writing and we will provide you with a copy of this free or charge and within one calendar month of your valid request – please contact us by email, telephone, or post if you wish to make such a request. 

You have the right to have your information corrected if it is inaccurate.  Please let us know if you think the information we hold about you is not correct by contacting us by email, telephone, or post and we will update this.

If consent is the legal basis for us to process your information you have the right to withdraw consent at any time by contacting us by email, telephone, or post.

If you are receiving marketing related email communications from us you can withdraw consent to receiving the emails by clicking on the unsubscribe link in the email or by contacting us by email, telephone, or post.  We will immediately remove your details from our mailing list and you will no longer receive these emails from us. 

If you are user of a healthcare related service provided by the ICB you can withdraw consent by contacting us by email, telephone, or post.  We will explain what impact this may have on our ability to continue to provide you with this service.   

If consent is the legal basis for us to process your information and this is held in an electronic format you may also have the right to portability and to request that this data be quickly and securely transferred to another similar computer system.  Please contact us by email, telephone, or post if you wish to discuss this right. 

The ICB does not undertake any automated individual decision-making (e.g., a decision made solely by automated means without any human involvement) or profiling.  We do however carry out some automated processing to support our commissioning activity and the relevant lawful basis under this is section 6(1)(e) ‘official authority’ and 9(2)(h) ‘processing is necessary for health purposes’.  You can object to this processing by contacting us by email, telephone, or post.

What happens if you change your mind

You can change your mind about the following at any time and as many times as you like: 

• whether you give consent for us to process your information
• whether you would like to submit an objection or opt-out
• to withdraw consent for your information to be used.

If you wish to change your mind please contact us by email, telephone, or post.  If this will have an impact on the services we can provide or your care, we will explain this to you before asking you to make your decision. 

The ICB’s Data Protection Officer (DPO)

Under data protection legislation the ICB is required to have a Data Protection Officer (DPO) whose role is to:

• inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation
• support and monitor compliance with applicable data protection legislation
• be the first point of contact for individuals whose data is being processed. 

The ICB’s Data Protection Office is Daniel Lo Russo. You can contact Daniel via email.  Further information regarding the role of the DPO can be found on the Information Commissioner’s Office website.

Other people with related responsibilities

In addition to the DPO, the ICB has in place the following people with related responsibilities: 

• Karen McDowell, Senior Responsible Officer Surrey Heartlands Integrated Care System and Accountable Officer Surrey Heartlands ICB, is accountable for ensuring that the organisation complies with data protection legislation.
• Matthew Knight, ICB Deputy Accountable Officer and ICS Chief Operating Officer, is the ICB’s Senior Information Risk Owner (SIRO).  They have delegated responsibility (from the Senior Responsible Officer Surrey Heartlands Integrated Care System and Interim Accountable Officer Surrey Heartlands ICB) for ensuring the organisation complies with data protection legislation.  The SIRO ensures that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.
• The Caldicott Guardian is a senior person with clinical training that responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.  All NHS organisations must have a Caldicott Guardian.  Details of the ICB’s Caldicott Guardian are available via the public register.
• Members of the Information Governance Team support the above roles in discharging their data related responsibilities.  

How we keep information secure

The ICB ensures that we keep information (including personal data) secure and handles this in accordance with the 10 Data Security Standards arising from the National Data Guardian’s review; which are based around the following areas: 

• People - ensure individuals undertaking work for the organisation are equipped to handle information respectfully and safely, according to the Caldicott Principles.
• Processes - ensure the organisation proactively prevents data security breaches and responds appropriately to any incidents or near misses.
• Technology - ensure technology used is secure and kept up-to-date.

We demonstrate our compliance with the Data Security Standards via our annual NHS Data Security and Protection Toolkit submission. 

We follow a privacy by design and default approach.  Where our processing of personal data may potentially have significant negative impact on people we will undertake a detailed Data Protection Impact Assessment (DPIA) to ensure that data protection and confidentiality related risks are identified and suitably mitigated.  

How long we keep information for

The ICB holds records containing personal data for a limited time and securely destroy them when no longer required.  Partners will ensure that records are held in accordance with the guidance and retention schedules included within the 2021 Records Management Code of Practice for Health and Social Care.  Please see our IG04 Records Management Policy for further information. 

How to complain

If you wish to complain about the way we use your information, we would ask that you initially raise this to us – please visit the Surrey Heartlands website for further information on how to do this.

However you are entitled to also contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used and you can find their contact them by: 

• Visiting their website: www.ico.org.uk
• Telephoning them on 0303 123 1113

Links to associated guidance

For further associated guidance please see: 

• The Information Commissioner’s (ICO) Office website which provides independent advice about data protection, privacy and data sharing
• NHS England’s website which provides guidance for health and social care organisations
• The NHS Constitution which includes pledges regarding how information will be used

Changes

We will review the information contained within this notice regularly and update it as required.  We therefore recommend that you check this webpage regularly to remain informed about how we use your data.  This version was last updated by the ICB’s Data Protection Officer on the 10 July 2023.