Although this is not an exhaustive detailed listing, the following lists key examples of the purposes and rationale for why we collect and process information:
- Funding Treatments
- Continuing Healthcare
- Risk Stratification
- Invoice Validation
- Primary and Secondary Care Data
- Patient and Public Involvement
- Sharing information provided to us with other bodies
- For other Organisations to Provide Support Services for us
- National Registries
To process your personal information if it relates to a complaint where you have asked for our help or involvement.
We will need to rely on your explicit consent to undertake such activities.
Complaint Processing Activities
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service being provided.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record may be in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We may use service user stories, following upheld complaints, but always anonymously, via our Quality Committee. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we use the service user story.
For further information, click on this link – Patient Services TeamTop of page
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.
This may be called an “Individual Funding Request” (IFR).
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent.
To know more on funding treatments, see – Will the NHS pay for my treatment?.Top of page
Oxfordshire CCG has commissioned Oxford Health Continuing Health Care Team (OHCHT) to process your Continuing Health care Requests. They will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex clinical needs) and commission resulting care packages.
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
Click here to know more – Continuing HealthcareTop of page
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Because of public Interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.Top of page
Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017. This gives us a statutory legal basis under section 251 of the NHS Act 2006 to process data for risk stratification.
Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.
Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
Data Processing activities for Risk Stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.
The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
The CCG has commissioned NHS South Central and West Commissioning Support Unit (SCW CSU) to conduct risk stratification on behalf of itself and its GP practices.
This processing for risk stratification takes place under contract with SCW CSU, following these steps below:
- The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your hospital attendances for risk stratification purposes and has signed an NHS Digital data sharing contract for the SUS (secondary care/hospital) data.
- Your GP practice instructs its GP IT system supplier (EMIS) to provide primary care data identifiable by your NHS Number for those patients that have not objected to Risk Stratification or there is no Type 1 objection made by the Patient. The data, containing the same verified NHS numbers, is extracted by an external provider called Sollis and the data is sent via secure transfer, directly into the landing stage of SCW CSU’s Data Services for Commissioners Regional Office (DSCRO).
- Within the landing stage, the risk stratification process at DSCRO links and pseudonymises the identifiable data from GPs and NHS Digital. No identifiable data of any patient is seen by NHS Oxfordshire CCG staff.
SCW CSU has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to authorised SCW CSU staff.
The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal managed by SCW CSU.
This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.
If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/Top of page
The process ensures that those who provide you with care and treatment can be paid.
NHS Shared Business Services & NHS South Central and West CSU process invoices on behalf of NHS Oxfordshire CCG. They do not require and should not receive any patient confidential data to provide their services.
There are situations where patient identifiable data is required to ensure that the correct service provider is paid.
In such cases; service providers are required to send patient identifiable information to a Controlled Environment for Finance (CEfF), which is a secure restricted area within SCWCSU wherein this data is processed on our behalf and we are advised which invoices we can validate (authorise) for payment.
NHS England has published guidance on how invoices must be processed.
Commissioners have a duty to detect report and investigate any incidents of where a breach of confidentiality has been made.
Click here for further information – https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/
The legal basis for SCWCSU to receive personal identifiable data for the purposes of invoice validation is provided by section 251 oh the NHS Act 2006.
The invoice validation process supports the delivery of patient care by ensuring that:
- service providers are paid for patients’ treatments,
- enables services to be planned, commissioned, managed, and subjected to financial control,
- enables commissioners to confirm that they are paying appropriately for the treatment of patients for whom they are responsible,
- commissioners fulfill their duties of fiscal probity and scrutiny,
- enables invoices to be challenged and disputed, or discrepancies resolved.
We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS.
Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists.
Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care.
These organisations may share identifiable, pseudonymised, anonymized, aggregated, personal confidential and sensitive personal data information with us for the following purposes:
- To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases
- To undertake clinical audit of the quality of services provided
- To carry out risk profiling to identify patients who would benefit from proactive intervention
- To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
- To report and investigate, complaints, claims and untoward incidents
- To prepare statistics on our performance for the Department of Health
- To review out care to make sure that it is of the highest standard
Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.
Your information is only accessed by authorized persons and not disclosed unless necessary. We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.Top of page
If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.
We will rely on your consent for this purpose.
Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.Top of page
To collect NHS data about service users that we are responsible for.
Our legal basis for collecting and processing information for this purpose is statutory.
Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.
This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.
These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.
The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.
More information about how this data is collected and used by NHS Digital is available on their website http://digital.nhs.uk/patientconf
We also receive similar information from GP Practices within our CCG membership that does not identify you. We use this datasets for a number of purposes such as:
- Performance managing contracts;
- Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
- To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
- To help us plan future services to ensure they continue to meet our local population needs;
- To reconcile claims for payments for services received in your GP Practice;
- To audit NHS accounts and services.
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.Top of page
The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
For further information on data matching at this authority contact e-mail firstname.lastname@example.org or by post to:
Oxfordshire Clinical Commissioning Group
Jubilee House, John Smith Drive
Oxford Business Park South
By Telephone: 01865 336800Top of page
The CCG will use the services of the additional data processors, who will provide additional expertise to support the work of the CCG:
We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.
These organisations are known as “data processors”.
Below are details of our data processors and the function that they carry out on our behalf:
- NHS South, Central and West Commissioning Support Unit: Risk Stratification, Commissioning Intelligence analysis, Complaints processing, and Communications and Engagement.
- Oxford Health NHS Foundation Trust.
- Oxford University Hospital NHS Foundation Trust.
- Oxford Health Continuous Healthcare Team: Process Continual Healthcare request for OCCG.
- Oxford Academic Health Sciences Network (OHSN)(hosted by Oxford University Hospital NHS Foundation Trust): Commissioning Intelligence analysis (add value to the analyses of data that does not directly identify individuals)
- Internal Audit: TIAA is the provider company who undertakes internal audits for our accounts and services (add value to the analyses of data that does not directly identify individuals)
- External Audit: Our external auditing is undertaken by Ernst & Young on our accounts and services (add value to the analyses of data that does not directly identify individuals)
- NHS Litigation Authority – Claims Management (we rely on your consent)
- Shred- it is the Confidential Waste Disposal Company used by the CCG as part of its contract with NHS Property Services to shred information in a secure environment.
- NHS Shared Business Service and NHS South Central and West CSU –Invoice Validation (see page 10))
- Oxfordshire County Council – Jointly commission services using a pooled budget arrangement with Oxfordshire CCG (individuals not identified)
- NHS England (NHSE) – we share data with NHSE as part of commissioning activities but in a fully non-identifiable form.
The CCG maps the each individual data flow in and out of the organisation, to understand what data it holds and processes. These data flow maps are currently being reviewed as part of an annual process, and will be published in December 2016. 2015-16 Data Flow maps are available on request to the CCG, contact details are:
Oxfordshire Clinical Commissioning Group
Jubilee House, John Smith Drive
Oxford Business Park South
Oxford OX4 2LH
Tel: 01865 336800
These organisations are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purposes.Top of page
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.Top of page
To support research oriented proposals and activities in our commissioning system
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.
Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.
Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.
Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.
If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.Top of page
Data may be de-identified and linked by organisations so that it can be used to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual data sets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient, and A&E). In some cases there may also be a need to link local data sets which could include a range of acute-based services such as radiology, physiotherapy, audiology &c. When carrying out this analysis; the linkage of these data sets is always done using a unique identifier that does note reveal a person’s identity as the CCG does not have any access to patient identifiable data.