How your personal information is used by NHS Humber and North Yorkshire Integrated Care Board.
Please click on the highlighted text within the notice for links to further information.
Who we are and what we do
Data Controller: NHS Humber & North Yorkshire Integrated Care Board
Health House
Grange Park Lane
Willerby
HU10 6DT
Data Protection Officer (DPO): Name: Michael Napier
DPO Contact Details: hnyicb-ery.ig@nhs.net
NHS Humber and North Yorkshire Integrated Care Board (HNY ICB) is responsible for planning and designing local health services across the local area. We do this by ‘commissioning’ or buying health and care services including:
We monitor the performance of services that we commission to make sure that they are safe, provide high-quality care, meet the needs of local people and provide value for money. Part of this performance monitoring role includes responding to any concerns from our patients about these services.
How we use your personal information
The purpose of this notice is to inform you of the type of information (including personal information) that the ICB holds as a Data Controller, how that information is used and the legal basis for doing so, who we may share that information with and how we keep it secure and confidential.
It covers information we collect directly from you or collect indirectly from other individuals or organisations for the ICB’s registered population.
This notice applies to all information held by the ICB relating to individuals, whether you are a patient, service user or a member of staff. This notice was last reviewed in March 2023.
Types of information we hold
We may use information about you as part of our statutory responsibility to commission health services for the people in the region. To do so we use data in various forms but we will only use the minimum amount of information necessary for that purpose, including the utilisation of data that does not identify you wherever possible.
The ICB uses and processes several different types of information. Click on the links below for more information:
Throughout this Notice you will see reference to an organisation called NHS Digital. They are the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care. NHS Digital provides information based on identifiable data passed securely to them by primary and secondary care providers who are legally obliged to provide this information.
Our records may be held on paper or in a computer system.
Use of Anonymised Data
We use anonymised data to plan health care services including:
Use of Pseudonymised (De-identified) Information
We use de-identified information in our role as commissioner including:
Use of Personal and Sensitive (Identifiable) Information
As an ICB we do not routinely hold medical records or confidential patient data with some limited exceptions.
There are some categories of personal data for which special safeguards are required by law, known as special category or sensitive data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.
The following list includes examples of where we collect and use personal information. Please click on each of the following examples for information on the purpose, the type of information used, the legal basis identified for the collection and use of the information, how we collect and use the information required, any third parties we may share the information with and your rights regarding the use of the information including, where relevant, your right to opt out.
Please be aware that meetings may be recorded as an administrative tool for the purpose of supporting the provision of clear and accurate minutes. Where recordings are to be made, attendees will be notified that a recording is taking place. Recordings for administrative purposes are only retained for the period of drafting minutes and are then deleted from all ICB systems.
ICB public meetings are live streamed with the details for each published at https://humberandnorthyorkshire.icb.nhs.uk/meetings-and-papers/. These are held and made available as part of our statutory requirements relating to transparency.
If you have any queries regarding the processing of information in this way, please contact the ICB’s Data Protection Officer at: michael.napier@nhs.net
Patient Information
Staff Information
The ICB, as an NHS employer, needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the organisation complies with employment law or to provide other services related to their employment. For more details about how staff information is used please click on the following:
Sharing Information with Health and Care organisations
Information Sharing Agreements and contracts will be in place ensuring that where we share information, this meets both the requirements of the Health and Social Care Act 2012 and the current data protection legislation ensuring that your confidentiality and rights are not breached.
The ICB is actively working with health and social care partners to ensure that where you receive a referral, for example for community services, all the relevant information that organisation requires is available in order to offer you the right service. We are also working with the hospitals that provide services to our population to ensure that should you find yourself in an emergency situation the hospital clinicians would have access to relevant and potentially lifesaving information from your GP record, such as test results and any allergies you may suffer from.
Whenever a new arrangement is made to share information externally, both with health and social care organisations and with third party suppliers, we will ensure that a legal basis has been identified, using a tool called a Data Protection Impact Assessment, which will highlight any risks to your information and ensure they are resolved before any sharing takes place.
Our Commitment to Data Privacy and Confidentiality
We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation, the Data Protection Act 2018, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.
In the circumstances where we are required to use personal identifiable information we will only do this if:
Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.
All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection Toolkit.
Our staff, contractors and others involved with the work of the ICB receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, which are enforceable through disciplinary procedures. Staff are trained to ensure they know how to recognise and report any incident, and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
The ICB maintains a set of regularly updated policies and procedures covering all aspects of information governance. These can be found here:
Data Protection Impact Assessments
DPIAs are required under the UK General Data Protection Regulation where data is being used in a manner in which it is either identifiable or there is a risk of an individual’s identity being revealed. DPIAs are an integral part of taking a privacy by design approach.
A DPIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help us to design more efficient and effective processes for handling personal data.
DPIAs help us to determine how a particular project, process or system may affect the privacy of the individual. They are designed to enable an assessment before new services or new data processing/sharing systems are introduced.
A summary log is available on request from the Information Governance Team by contacting: hnyicb-ery.ig@nhs.net
Your Rights
Under the General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.
When you view an entry in our ‘Use of Personal and Sensitive Information’, we have highlighted which rights apply and which may not. The following should help explain why some may not apply.
Examples of where rights may not apply – where our lawful basis is:
These rights are:
Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.
You have the right to be informed about how your information is used.
You have the right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered and where your wishes cannot be followed, to be told the reasons including the legal basis.
A system is being developed which will allow people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system will offer patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/
Queries, Complaints & Access
If we do hold identifiable information about you, you can ask us to correct any mistakes by contacting us at the address below.
If you have any questions or complaints regarding the information we hold about you, the use of your information, or you would like to access the information please contact:
Contact Role: Subject Access Requests
Address: Health House
Grange Park Lane
Willerby
HU10 6DT
Email: hnyicb-ery.accesstorecords@nhs.net
Our Data Protection Officer is:
Name: Michael Napier
Contact: Email: hnyicb-ery.ig@nhs.net
For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about our handling of your information you can contact:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone: 0303 1231113 or 01625 54 57 45
Website: https://ico.org.uk/
Glossary
Identifiable – information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.
Pseudonymised – individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
Anonymised – data which is about you but from which you cannot be personally identified.
Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals
General Data Protection Regulation (GDPR) – The General Data Protection Regulation is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area.
Data Protection Act – UK legislation introduced in 2018 in line with GDPR to expand on the EU Regulation and to provide for areas specifically excluded from GDPR (eg Law Enforcement).
Data Controller – natural or legal person, public body, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor – natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Category (Sensitive) data – categories of personal data for which special safeguards are required by law. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer – Under GDPR all Public Authorities must appoint a Data Protection Officer. The role of this person, who must be an expert in Data Protection Law is to monitor ICB compliance with data protection:
Provide advice and assistance with regards to the completion of Data Protection Impact Assessments
Act as a contact point for the Information Commissioner’s Office (ICO), members of the public and ICB staff on matters relating to GDPR and the protection of personal information
Assist in implementing essential elements of the GDPR such as the principles of data processing, data subjects’ rights, privacy impact assessments, records of processing activities, security of processing and notification and communication of data breaches
Primary Care – Primary care settings include GP Practices, pharmacists, dentists and some specialised services such as military health services.
Secondary Care – Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.
Caldicott Guardian – a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.
Senior Information Risk Owner (SIRO) – an executive or member of the Senior Management Board of an organisation with overall responsibility for information risk across the organisation.
Right of Access Requests – The right a data subject has from the controller for confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and further information about the processing.