What is a privacy notice?
The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.
What we use your information for – Please select the information that is relevant to you from the list below for full details on how your information is used.
- Direct Care
- Complaints, Subject Acces requests and Freedom of Information requests
- Compliance Statement
- Incident Management
- Litigations and Claims
- Medicines Management
- National Screening and Reporting Programs
- Patient Communications
- Patient participation or Engagement
- Public Health
- Quality Alerts
- Risk Stratification
Policies and procedures
- Clear Desk Procedure
- Confidentiality Policy
- GDPR IG Framework
- ICT Acceptable Use Policy
- Information Governance Policy
- Information Management Policy
- Information Security Policy
- National Data Opt Out Policy
- Non-Clinical Incident Near Miss Reporting Policy and Procedure
- Public Information Access Policy
- Subject Access Request and Access to Records Act Protocol
- Subject Access Requests Procedure
How we use information about you
Barnet Clinical Commissioning Group (CCG) is responsible for planning and buying (also known as ‘commissioning’) health services from healthcare providers such as hospitals, as well as directly providing some health services such as continuing healthcare, Personal Health Budgets and Individual Funding Requests.
We are a membership body made up of all GP practices in Barnet. We do not provide healthcare services like a GP practice or hospital. Our role is to make sure the appropriate NHS care is in place for the people of Barnet within our available budget.
As an NHS organisation, Barnet CCG operates at a number of different levels in regards to the processing of personal data. We act as a Data Controller primarily for the management of data relating to our employees and those working on behalf of or with our organisation and also covering some NHS patient provider functions.
Barnet CCG may collect information about you which helps us to respond to your queries and help us to design services to improve the health needs and outcomes of local people.
Why we collect information about you
In carrying out our role and responsibilities as a commissioner of services for people living in Barnet, it is essential that the CCG has an understanding of the health and social care needs of our community. The only way that we can achieve this is by using information that your GP, your clinician or your social worker has entered into your care record, as well as some information that is provided via external public sources such, as hospitals and the London Borough of Barnet. This information may exist on paper or in electronic format and Barnet CCG ensures that these are kept safe and secure in an appropriate way.
We do not however, need to have and use all the information that is provided. Where this is identified, information is de-identified by the Data Services for Commissioners Regional Offices (DSCRO) prior to being shared with the rest of the CCG for its use. (For further explanation, see section below on mechanisms for processing your data).
We may keep your information in written form and / or in digital form. The records may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments.
CCG oversight and responsibility
The Barnet CCG Governing Body is supported by a number of key roles within the CCG led by the Senior Information Risk Owner, who is accountable to the Governing Body for information risk management within the CCG; The Caldicott Guardian who advises the Governing Body on specific issues relating to the use of patient confidential data and the Data Protection Officer who provide advice and support to the CCG on Data Protection compliance and monitoring obligation These roles have oversight of the handling of information within the CCG or by any support organisations we may buy services from.
The Senior Information Risk Officer for the CCG is Ian Porter, Director of Corporate Services, NCL CCGs. Email address: email@example.com
The Caldicott Guardian for the CCG is Jenny Goodridge, Director of Quality and Clinical Services, Barnet CCG. Email address: Jenny.firstname.lastname@example.org
The Data Protection Officer for the CCG is Dayo Adebari, Information Governance & FOI Manager, NCL CCGs. Email address: email@example.com
NEL provides administrative support for a number of CCG functions. You can visit their website for further information here.
To help you in reading this information, the following definitions have been used in this notification and across the CCG.
Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or confidential and includes dead as well as living people.
The review interpreted 'personal' as including the Data Protection Act definition of personal data, but included data relating to deceased as well as living people, and 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is adapted to include 'sensitive' as defined in the Data Protection Act.
Examples of identifiable data are:
- date of birth
- NHS number
As per the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and defined by the Information Commissioner's Office. Personal data means data which relate to a living individual who can be identified:
(a) From those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data is different from personal data. Sensitive personal data means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) their political opinions,
(c) their religious beliefs or other beliefs of a similar nature,
(d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) their physical or mental health or condition,
(f) their sexual life,
(g) the commission or alleged commission of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings
Secondary care data is information we have obtained from local hospitals, other care providers and other external public sources.
Primary care data is information that is provided by your GP surgery and other community service providers.
The Caldicott Review defined direct patient care as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals.
It includes supporting individuals' ability to function and improve their participation in life and society.
It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
Indirect patient care is defined by the Caldicott Review as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.
A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
A person who has expert knowledge of data protection law and practice. This person report to the highest management level of the organisation. The DPO, advice the organisation on Data Protection compliance and monitoring.
Data Services for Commissioners Regional Offices is a regional secure service provided by the Health and Social Care Information Centre (NHS Digital) to process information for NHS organisations. For more information please visit the Health and Social Care Information Centre (NHS Digital).
Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.
Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.
Barnet CCG processes personal data for a number of reasons and in various ways. These are outlined below:
- For the purpose of internal operations, Barnet CCG will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
- For the purpose of direct patient care, Barnet CCG will ensure that any information collected about you is initially provided by you and where any additional information is collected or used this will be with your explicit consent.
- For the provision of indirect care and to maintain rules for use of information,BarnetCCG uses a number of approved and secure services / systems to process information about you such as:
- Data Services for Commissioners Regional Offices – this is a regional secure service provided by the Health and Social Care Information Centre via NEL. Further information can be found on the Health and Social Care Information Centre (NHS Digital) website.
- Controlled Environment for Finance (CEfF) – this is another established group provided by NEL on behalf of NHS England to support invoice validation. This service was established under a Section 251 exemption of the Health and Social Care Act 2012 to allow commissioning organisations to validate invoices it received ensuring correct payments are identified and made on behalf of Barnet CCG.