Privacy Policy

How your personal information is used by NHS Humber and North Yorkshire Integrated Care Board.

Please click on the highlighted text within the notice for links to further information. Click the link for a Glossary of definitions used throughout this notice.

Who we are and what we do

Data Controller: NHS Humber & North Yorkshire Integrated Care Board

Address: Health House

Grange Park Lane

Willerby

HU10 6DT

Data Protection Officer (DPO): Name: Michael Napier

DPO Contact Details: Email: hnyicb-ery.ig@nhs.net

NHS Humber and North Yorkshire Integrated Care Board (HNY ICB) is responsible for planning and designing local health services across the local area. We do this by ‘commissioning’ or buying health and care services including:

Planned hospital care;
Unplanned care (urgent care);
Rehabilitation care;
Community health services;
Mental health and learning disability services; and
Primary care services.

We are also responsible for arranging health care for any unregistered patients who live in the locality.

We monitor the performance of services that we commission to make sure that they are safe, provide high quality care, meet the needs of local people and provide value for money. Part of this performance monitoring role includes responding to any concerns from our patients about these services.

How we use your personal information

The purpose of this notice is to inform you of the type of information (including personal information) that the ICB holds as a Data Controller, how that information is used and the legal basis for doing so, who we may share that information with and how we keep it secure and confidential.

It covers information we collect directly from you or collect indirectly from other individuals or organisations for the ICB’s registered population.

This notice applies to all information held by the ICB relating to individuals, whether you are a patient, service user or a member of staff. This notice was last reviewed in March 2023.

Types of information we hold

We may use information about you as part of our statutory responsibility to commission health services for the people in the region. To do so we use data in various forms but we will only use the minimum amount of information necessary for that purpose, including the utilisation of data that does not identify you wherever possible.

The ICB uses and processes several different types of information, click on the links below for more information:

Identifiable – information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.
Pseudonymised – individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
Anonymised – data which is about you but from which you cannot be personally identified.
Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals

Throughout this Notice you will see reference to an organisation called NHS Digital. They are the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care. NHS Digital provides information based on identifiable data passed securely to them by primary and secondary care providers who are legally obliged to provide this information.

Our records may be held on paper or in a computer system.

Details of information used for specific purposes

Use of Anonymised Data

We use anonymised data to plan health care services including:

Checking the quality and efficiency of the health services we commission;
Preparing performance reports on the services we commission;
Working out likely trends in illnesses in the future, so we can plan and prioritise services and ensure these continue to meet the needs of local patients; and,
Reviewing the care being provided to make sure it is of the highest standard.

Use of Pseudonymised (De-identified) Information

We use de-identified information in our role as commissioner including:

Commissioning– to plan, design, purchase and pay for the best possible care available to local patients ; look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts; to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; to help us plan future services to ensure they continue to meet our local population’s needs.
Risk Stratification– to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the ICB in order to help us plan the most appropriate health services for our population.

Use of Personal and Sensitive (Identifiable) Information

As an ICB we do not routinely hold medical records or confidential patient data with some limited exceptions.

There are some categories of personal data for which special safeguards are required by law, known as special category or sensitive data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.

The following list includes examples of where we collect and use personal information. Please click on each of the following examples for information on the purpose, the type of information used, the legal basis identified for the collection and use of the information, how we collect and use the information required, any third parties we may share the information with and your rights regarding the use of the information including, where relevant, your right to opt out.

Recording of Meetings

Please be aware that meetings may be recorded as an administrative tool for the purpose of supporting the provision of clear and accurate minutes. Where recordings are to be made attendees will be notified that a recording is taking place. Recording for administrative purposes are only retained for the period of drafting minutes and then subsequently deleted from all ICB systems.

ICB public meetings are live streamed with the details for each published at https://humberandnorthyorkshire.icb.nhs.uk/meetings-and-papers/. These are held and made available as part of our statutory requirements relating to transparency.

If you have any queries regarding the processing of information in this way, please contact the ICB’s Data Protection Officer at: michael.napier@nhs.net

Patient Information

Invoice Validation;
Public Relations (inc. Complaints);
Individual Funding requests (IFR);
Continuing Healthcare and Children/Young People Continuing Care;
Personal Health Budgets (PHBs) and Personal Wheelchair Budgets;
Safeguarding;
Patient and Public Involvement;
Infection Prevention and Control;
Serious Incident monitoring and reports;
Freedom of Information requests
Subject Access Requests (SARs);
Assuring Transformation (Learning Disability Data);
Care and Treatment Reviews;
Medicines Management;
Cancer Waiting Times;
Electronic Palliative Care Co-ordination System (EPaCCS)
Visitors to our website;
Population Health Management; and
Use of Zoom – Public Events/ Webinars

Staff Information

The ICB as an NHS employer needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the organisation complies with employments law or to provide other services related to their employment. For more details about how staff information is used please click on the following:

Information for job applicants;
Human Resources;
Declarations of interests, gifts and hospitality publications; and
National Fraud Initiative.

Sharing Information with Health and Care organisations

Information Sharing Agreements and contracts will be in place ensuring that where we share information, this meets both the requirements of the Health and Social Care Act 2012 and the current data protection legislation ensuring that your confidentiality and rights are not breached.

The ICB is actively working with health and social care partners to ensure that where you receive a referral, for example for community services, all the relevant information that organisation requires is available in order to offer you the right service. We are also working with the hospitals that provide services to our population to ensure that should you find yourself in an emergency situation the hospital clinicians would have access to relevant and potentially lifesaving information from your GP record, such as test results tests and any allergies you may suffer from.

Whenever a new arrangement is made to share information externally, both with health and social care organisations and with third party suppliers, we will ensure that a legal basis has been identified, using a tool called a Data Protection Impact Assessment, which will highlight any risks to your information and ensure they are resolved before any sharing takes place.

Our Commitment to Data Privacy and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation, the Data Protection Act 2018, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.

In the circumstances where we are required to use personal identifiable information we will only do this if:

The information is necessary for your direct healthcare; or,
We have received explicit consent from you to use your information for a specific purpose; or,
There is an overriding public interest in using the information:
- In order to safeguard an individual;
- To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others; or,
There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation); or,
We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary for our work.

Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection Toolkit.

Our staff, contractors and others involved with the work of the ICB receive, appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, which are enforceable through disciplinary procedures. Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

The ICB maintains a set of regularly updated policies and procedures covering all aspects of information governance. These can be found here:

Documents and Publications – Humber and North Yorkshire Integrated Care Board (ICB)

Data Protection Impact Assessments

DPIAs are required under the UK General Data Protection Regulation, where data is being used in a manner that it either is identifiable or there is a risk of an individuals’ identity being revealed. DPIAs are an integral part of taking a privacy by design approach.

A DPIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help us to design more efficient and effective processes for handling personal data.

DPIAs aid us in determining how a particular project, process or system may affect the privacy of the individual, which are designed to enable an assessment prior to new services or new data processing/sharing systems being introduced.

A summary log is available on request from the Information Governance Team by contacting: hnyicb-ery.ig@nhs.net

Your Rights

Under the General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.

When you view an entry in our ‘Use of Personal and Sensitive Information’, we have highlighted which rights apply and which may not. To help understand why some may not apply the following should help.

Examples of where rights may not apply – where our lawful basis is:

Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – then rights of erasure, portability do not apply.
Legal Obligation – then rights of erasure, portability, objection, automated decision making and profiling do not apply.

If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.

These rights are:

Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

You have the right to be informed about how your information is used.

You have the right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered and where your wishes cannot be followed, to be told the reasons including the legal basis.

A system is being developed which will allow people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system will offer patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found here: https://www.nhs.uk/your-nhs-data-matters/

Queries, Complaints & Access

If we do hold identifiable information about you, you can ask us to correct any mistakes by contacting us at the address below.

If you have any questions or complaints regarding the information we hold about you, the use of your information, or you would like to access the information please contact:

Contact Role: Subject Access Requests

Address: Health House

Grange Park Lane

Willerby

HU10 6DT

Email: hnyicb-ery.accesstorecords@nhs.net

Our Data Protection Officer is:

Name: Michael Napier

Contact: Email: hnyicb-ery.ig@nhs.net

For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about our handling of your information you can contact:

The Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Phone: 0303 1231113 or 01625 54 57 45

Website: https://ico.org.uk/

Details of information used for specific purposes

Commissioning

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning datasets. The ICB obtains these datasets from NHS Digital which relate to patient registered with our GP Practices. This enables us to plan, design, purchase and pay for the best possible care available for you.
Type of Information Used	Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Identifiable – when disclosed from Primary and Secondary care services to NHS Digital Pseudonymised – the ICB may only receive this information in a pseudonymised format which does not identify individuals.
Legal Basis	Statutory requirement for NHS Digital to collect identifiable information. For use by the ICB: GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. A section 251 approval from the Secretary of State, through the Confidentiality Advisory Group, enables the pseudonymised information to be sent to the ICB via NHS Digital for our Commissioning purposes.
How we collect (the source) and use the information	The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you. Information such as your age, ethnicity and gender, as well as coded information about any clinic or Accident and Emergency attendances, hospital admissions and treatment will be included. We also receive information from the GP Practices within our locality that does not identify you. We use these datasets for a number of purposes such as: Performance managing contracts Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care To prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement To help us plan future services to ensure they continue to meet our local population needs
Data Processors	Yorkshire Data Services for Commissioning Regional Office (DSCRO) hosted by North of England Commissioning Support (NECS) obtains the identifiable information from the Secondary Uses Service (SUS) at NHS Digital. The DSCRO also receives identifiable information directly from providers They pseudonymise the information and pass it to the ICB.
Your Rights	With regards to Commissioning under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	This information is not shared outside of the ICB.

Risk Stratification

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board – SUS Data Local GPs for Primary Care Data
Purpose	Information from health and social care records, using the NHS Number provided via the Secondary Uses Service (SUS) at NHS Digital, is looked at to identify groups of patients who would benefit from some additional help from their GP or care team. This is known as ‘Risk Stratification’. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. The national data opt-out will not apply to data disclosures for risk stratification for case finding, where carried out by a provider involved in an individual’s care as this should be treated as direct care for the purpose of the opt out. It will not apply where the data for risk stratification is anonymised in line with the ICO code of practice on anonymisation. National data opt-outs will apply to data disclosures for risk stratification which rely on S.251 support for use of confidential patient information.
Type of information Used	Only de-identified information (NHS number removed) is accessible to the ICB. Only GP Practices within the ICB have access to identifiable information (NHS Number) of their own patients in order to see who may benefit from additional help.
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. A section 251 approval (CAG 7-04(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the pseudonymised information to be sent to the ICB via NHS Digital in order to help us plan the most appropriate health services for our population.
How we collect (the source) and use the information	Primary Care data extracted from individual GP practices and Secondary Care data (collected nationally via the Secondary Uses Service): Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health is passed to the Data Services for Commissioners Regional Office (DSCRO) so that the information can be linked. This information is processed by NECS and provided to the ICB and Practices in the Risk tool within RAIDR. De-identified information is made available to the ICB to provide a picture of the health and needs of their local population, which enables: priorities to be determined in the management and use of resources; planning services; cover the range of potential questions, and issues they may need to consider, and to support and evidence decisions
Data Processors	Data Services for Commissioners Regional Office (DSCRO) hosted by North of England Commissioning Support (NECS)
Your Rights	To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.The ICB only received de-identified data.
Who we will share the information with (recipients)	This information is not shared outside of the ICB except as appropriate with our local Community Services Provider; this is done at practice level to support their work with the practices to improve services to patients. The ICB will not share this information.

Invoice Validation

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Invoice validation is part of the process by which providers of care or services get paid for the work they do. Invoices, with supporting information, are submitted to the ICB for payment, but before payment can be released, the ICB needs to ensure that the activity claimed for each patient is their responsibility. These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) to ensure that the right amount of money is paid, by the right organisation, for the treatment provided. The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people and is designed to protect confidentiality.
Type of information Used	Identifiable (NHS number, date of birth or postcode) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. A section 251 approval (CAG 7-07(a)(b)(c)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the CCG to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.
How we collect (the source) and use the information	The validation of invoices is undertaken within a controlled environment for finance within the North of England CSU (NECS) which is based at John Snow House, Durham, DH1 3YG. This is carried out via a section 251 agreement and is undertaken to ensure that the ICB is paying for treatments relating to its patients only. The dedicated NECS team receives patient level information (minimal identifiers are used for this purpose, such as NHS number, post code, date of birth) direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the ICB. The ICB does not receive or see any patient level information relating to these invoices. Further information about invoice validation can be found on NHS England’s web site here
Data Processors	North of England Commissioning Support (NECS) The Controlled Environment for Finance uses NHS Shared Business Services as a Data Processor
Transfers of Data Overseas	NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.
Your Rights	With regards to Invoice Validation under GDPR you have the right:
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	This information is not shared outside of the ICB.

Patient Relations (inc. Complaints)

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Under the NHS Complaints Procedure, individuals have a right to complain to both providers and commissioners about services provided by the NHS. A complaint may relate to a service which the ICB is directly responsible for providing, or it may relate to a service which we have commissioned for the patients who we are responsible for, for example hospital services. The ICB requires this information in order to investigate and help to resolve complaints.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.
How we collect (the source) and use the information	When the ICB receives a complaint from a person, a complaint file is made up which will normally contain the identity of the complainant, the identity of the patient (where this is a different person) and any other individuals involved, plus details of the complaint, including health information. The ICB will only use the identifiable information we collect to process the complaint and to check the level of service we provide. Where the complainant is not the patient, the ICB will usually need to disclose the complainant’s identity to whoever the complaint is about in order to obtain consent under the Common Law Duty of Confidentiality to proceed with the complaint and for the complainant to correspond with us on behalf of the patient.
Data Processors	N/A
Your Rights	With regards to Complaints under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingObject to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	10 years starting from closure of complaint. The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	Where complaints relate to a service we commission, such as hospital care, the complaint will be shared with that organisation. The complainant will be informed where this occurs.

Individual Funding requests (IFR)

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	To fund specific treatment for you for a particular condition that is not covered in our contracts with providers. Individual Funding Requests provide payments required to receive specialist treatment, not routinely provided on the NHS, on a case by case basis.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information) – invoices are created in some circumstances, if the request is for out of the area, otherwise payments for treatment are funded through normal financial processes. Anonymous – to provide reports for analysis of requests received.
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.
How we collect (the source) and use the information	The ICB will only use the identifiable information we collect to process the request for funding, for the IFR panel and appeals panel and complaints. This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.
Data Processors	North of England Commissioning Support
Your Rights	With regards to Individual Funding Requests under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	IFR panel members, IFR appeal panel. IFR team (North of England CSU), providers, clinicians, health professionals and independent sector providers. Where complaints relate to a service we commission, such as hospital care, the complaint will be shared with that organisation. The complainant will be informed where this occurs.

Continuing Healthcare and Children/Young People Continuing Care

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Where you have asked us to undertake assessments for Continuing Healthcare/Continuing Care – a package of care for those with complex medical needs. We use your information in order to be able to make the appropriate arrangements for resulting care packages.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.
How we collect (the source)and use the information	The Continuing Healthcare/Continuing care teams will collect, use, share and securely store information from/with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care. This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality.
Data Processors	N/A
Your Rights	With regards to Continuing Healthcare under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	The Local Authority (Social Services), Care Homes, educational establishments, health and care organisations involved in delivering or arranging the NHS funded care required.

Personal Health Budgets (PHBs) and Personal Wheelchair Budgets

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	A Personal Health Budget is an amount of money allocated to pay for your health and wellbeing needs agreed between you and your local NHS team. Personal Health Budgets help people with long term health conditions manage their care and support in a way that suits them. It helps them to have more choice and flexibility in the way their care and support needs are met. Any adult or child who is eligible for NHS Continuing Healthcare Continuing Care can have a Personal Health Budget if they want one. Personal Wheelchair Budgets are available to those who require long term wheelchair use. There are plans to widen the availability of Personal Health Budgets in the future.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. Relevant legislation: National Health Service (Direct Payments) Regulations 2013 In relation to Emergency Planning, Response & Recovery: GDPR Article 6 (1) (C) – processing is necessary for compliance with a legal obligation. Relevant Legislation: Civil Contingencies Act 2004
How we collect (the source)and use the information	Personal Health Budgets are managed in one of three ways or a combination of all three. Notional – We tell you have much money is available for your care; you say how you want us to spend the money. If your local NHS team agree this meets your needs they arrange the care and support for you.Third Party – An organisation looks after the money for you and you say how you want to spend it. If your local NHS team agrees this meets your needs, the organisation pays for the care and support you have chosen.Direct Payments – Once your care plan has been agreed, we give you or your representative the money to buy and manage your own healthcare and support. Your local NHS team must agree that this meets your needs. You can spend your Personal Health Budget on any care or services that are set out in your care plan and agreed with your local NHS team. You will be able to use your Personal Health Budget for a range of things to help you meet your goals, for example therapies, personal care and equipment. You don’t have to change the healthcare and support that is working well for you, but if there is something that isn’t working, you can change that. Things you can’t include in your plan will be explained to you at the beginning of the planning process. You will not need to pay for emergency care and care you normally get from a GP. This process is carried out with the consent of the patient to satisfy the Common Law Duty of Confidentiality. Emergency Planning Response & Recovery: The ICB is required to keep a record of all vulnerable patients living in the community with complex health conditions; this information may be used in conjunction with emergency planning, preparedness and response, for example, to organise a rapid response service following an emergency or major incident.
Data Processors[GH(HANYI01] [*2] [GH(HANYI03] [GH(HANYI04]	Focus Independent Adult Social Work – North East Lincolnshire Place only
Your Rights	With regards to Personal Health Budgets under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	The Local Authority (Social Services), health and care organisations involved in delivering or arranging the care required. The third party looking after your money where this has been arranged. Emergency Planning Response & Recovery: In the case of an emergency/ major incident the ICB may share information with the emergency services and in extreme case the military.

Safeguarding

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Information for safeguarding purposes is used to assess and evaluate safeguarding concerns to ensure individuals (adults with care and support needs and children) within the ICB boundary are effectively protected.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ GDPR Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’ For the purposes of Article 9(2)(b) the provisions of the Children Acts 1989 and 2004, and the Care Act 2014 are relevant.
How we collect (the source)and use the information	The ICB may receive information relating to safeguarding concerns from you directly or relatives or through notification of concerns from other partner organisations. All Health and Social Care professionals have a legal requirement to share information with appropriate agencies where safeguarding concerns about children or adults have been received. Where it is appropriate to do so the organisations will keep you informed of when information is required to be shared, to be provide you with assurance regarding the security of that sharing and the benefit to you or the person you are raising safeguarding concerns about. Access to this information is strictly controlled and where there is a requirement to share information, e.g. with police or social services, all information will be transferred safely and securely ensuring only those with a requirement to know of any concerns are appropriately informed. The Children Act 1989 establishes implied powers for local authorities to share information to safeguard children. Local authorities have a duty to investigate where a child is the subject of an emergency protection order, is in police protection or where there is reasonable cause to suspect that a child is suffering or is likely to suffer significant harm. The Children Act also requires local authorities ‘to safeguard and promote the welfare of children within their area who are in need’ and to request help from specified authorities including NHS Trusts and Foundation Trusts, NHS England and CCGs (superseded by ICBs). These are required by the Children Act to comply with such requests. The Children Act 2004 places statutory obligations on member agencies to co-operate in the safeguarding of children. The Counter Terrorism and Security Act 2015 places the duty on various public bodies to have due regard to the need to prevent people from being drawn into terrorism. Information will be shared with partner agencies to inform the Prevent agenda and strategy on such issues.
Data Processors	N/A
Your Rights	With regards to Safeguarding under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	Information may be shared with the Safeguarding Children Board, Safeguarding Adults Board, Multi-Agency Safeguarding Hubs (MASH), Early Help and Support Hub (EHASH), Multi-Agency Risk Assessment Conference (MARAC), Multi Agency Public Protection Arrangements (MAPPA), Counter Terrorism agencies, Local Authority, other Health and Social Care organisations or the Police.

Patient and Public Involvement

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	If you have asked the ICB to keep you regularly informed and up to date about the work of the ICB or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and use information you share with us. We may also contact you to take part in public involvement opportunities in partnership with our provider organisations. Where you submit your details to us for involvement purposes, we will only use your information for this purpose.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) Sensitive: Sexual Orientation, disability, race/ ethnic origin (any sensitive information is provided voluntarily
Legal basis	Where you have asked us to keep you informed via newsletters etc. the legal basis is: GDPR Article 6 1(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes GDPR Article 9 (2) (a) – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes For Public Involvement – NHS Commissioners and Trusts must ensure that patients and / or the public are involved in certain decisions that affect the planning and delivery of NHS services. Legal basis: Article 6 (1) (c) processing is necessary for compliance with a legal obligation… Health and Social Care Act 2012
How we collect (the source) and use the information	We will be collecting and using your information to enable us to keep you informed of any news, consultation activities or patient participation groups. Your information will be held securely and accessible only to those who need it for the purposes it was collected.
Data Processors	Tractivity – Providers of our stakeholder engagement system
Your Rights	With regards to Patient and Public Involvement under GDPR you have the right:
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	This information will not be shared. When the ICB is undertaking engagement or consultation work in partnership, it will be made clear to those involved who the partners are and who will have access to the personal information on collection.

Infection Prevention and Control

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	ICBs collaborate with Public Health services and work closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ GDPR Article 9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’ Related legislation: The Health and Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015) and Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002
How we collect (the source) and use the information	ICBs participate in Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. The ICB receives this information from Healthcare providers. The ICB uses the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system.
Data Processors	Primary and Secondary healthcare providers
Your Rights	With regards to Infection Prevention and Control under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	Information may be shared with Primary and Secondary healthcare providers and with the Local Authority who are responsible for Public Health with the ICB boundary.

Serious Incident reports

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	The ICB collects and uses information from Serious Incident reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately and lessons learnt.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Related legislation: NHS Act 2006/Health and Social Care Act 2012. GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.
How we collect (the source) and use the information	We are statutorily required to fully investigate and review incidents and will receive information from Primary and Secondary Care Providers. Where there is a requirement to provide incident reports externally, the information will be anonymised unless there is a legal requirement to provide your details. You will be kept informed of the requirements we are required to meet where information is to be shared externally.
Data Processors	Primary and Secondary healthcare providers
Your Rights	With regards to Serious Incident Reports under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021. 20 years from the date of the incident.
Who we will share the information with (recipients)	Your information may be shared with Primary and Secondary healthcare providers involved in the incident.

Freedom of Information requests

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	As a public authority, the ICB has a duty to respond to requests made under the Freedom of Information Act 2000.
Type of information Used	Identifiable: Personal (such as name, address, date of birth)
Legal basis	GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
How we collect (the source) and use the information	We will only collect identifiable information such as name and contact details provided by individuals making requests under the Freedom of Information Act 2000. This information will only be used to respond to such requests and in correspondence with individuals following appeals.
Data Processors	N/A
Your Rights	With regards to Freedom of Information Requests under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021. 3 years from closure of request. 6 years from closure where there has been an appeal.
Who we will share the information with (recipients)	This information is not shared outside of the ICB.

Subject Access Requests

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Individuals have the right under current Data Protection legislation and the General Data Protection Regulation (UK) subject to certain exemptions, to have access to their personal records that are held by Humber and North Yorkshire Integrated Care Board. This is known as a ‘subject access request’ (SAR). Requests may be received from members of staff, service users or any other individuals who the organisation has had dealings with and holds data about that individual. This will include information held both electronically and manually and will therefore include personal information recorded within electronic systems, email systems, spreadsheets, databases or word documents and may also be in the form of photographs, x-rays, audio recordings and CCTV images etc. For further information please read our Subject Access Request Policy at: Subject-Access-Request-Policy.pdf (icb.nhs.uk)
Type of information Used	Identifiable (NHS number, date of birth or postcode) and Special Category (health information)
Legal basis	In relation to responding to SARs, the lawful basis for processing your personal data is: 6 (1) (c) processing is necessary for compliance with a legal obligation Special Category Data (Health): 9(2)(h)processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems… If you are making a request on behalf of another individual the data subjects consent is required. We will require proof of the identity of the applicant and/or the applicant’s representative, and proof of right of access to the data subject’s personal information. Please see our Policy for further information.
How we collect (the source) and use the information	We could have originally collected your personal information to provide any number of the services as described throughout this privacy notice in order to perform a task in the public interest or as a result of a legal obligation. In a small number of circumstances we would have relied upon your consent.
Data Processors	N/A
Transfers of Data Overseas	No data is transferred overseas.
Your Rights	With regards to Invoice Subject Access Requests under GDPR you have the right:
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021. 3 years following closure of SAR.
Who we will share the information with (recipients)	This information will only be shared with the individual requesting their data unless the information is requested by a third party. A third party, e.g., solicitor or relative may make a valid SAR on behalf of an individual. However, where a request is made by a third party on behalf of another living individual, appropriate and adequate proof of that individual’s consent or evidence of a legal right to act on behalf of that individual e.g., power of attorney must be provided by the third party. Please see our SAR Policy at the link above for more information.

Assuring Transformation (Learning Disability Data)

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Assuring Transformation (AT) data collects information about individuals with learning disabilities and/or autism, who may have a mental health condition or behaviour that challenges, in in-patient settings, and provides it to the ICB. It gives the ICB broad oversight of their care.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. It is a statutory duty for the ICB to participate in this data collection. There are formal directions from the Secretary of State mandating the collection: (Health & Social Care Act 2012) – in the General Guidance. The Information Standard Notice for this data collection is (DCB2007 Amd 35/2020) The latest release of this standard was published on 23 December 2020. GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. A section 251 approval (CAG 8-02(a-c)/2014) from the Secretary of State, through the Confidentiality Advisory Group, enables the flow of personal confidential data from organisations to commissioners, about the services that they provide for: people in in-patient beds with learning disabilities and/or autism of,any ageany level of security (general / low / medium / high)any status under the Mental Health Act (informal or detained) However, the information cannot be shared if: the individual has objected to the use of their information as part of the AT datathe individual lacks capacity to make their own decision
How we collect (the source) and use the information	The AT data is sent to the ICB from healthcare providers and collected by NHS Digital on NHS England’s behalf. It covers all people with learning disabilities and/or autism that are being cared for in in-patient settings and includes: the number of people in in-patient settings; discharges and admissions; whether individuals have a care plan, a care co-ordinator, regular care reviews and access to independent advocacy; the age and gender of individuals; and the type of in-patient setting that is providing their care. The information collected is published in reports by NHS Digital. The reports don’t include any personal information, like names, birthdays or NHS numbers in them.
Data Processors	N/A
Your Rights	Under the NHS constitution you have the right to be informed about how your information is used. With regards to Assuring Transformation under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	Information will be received from healthcare providers and shared with NHS Digital and NHS England.

Care and Treatment Reviews

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Care and Treatment Reviews (CTRs) are part of NHS England’s commitment to transforming services for people with learning disabilities, autism or both. CTRs are for people whose behaviour is seen as challenging and/or for people with a mental health condition. They are used by commissioners for people living in the community and in learning disability and mental health hospitals.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.
How we collect (the source) and use the information	Care and Treatment Reviews are independent panel meetings about your care arranged by the ICB. The CTR panel is made up or professionals who are not involved in your everyday care. The panel members listen to you and to everyone involved in your care. They look at your notes and check that your care and plans are working well. They use this information and their own experience to decide what will improve your care and plans for the future. They speak up when they think your care could be different or better. ICBs have to understand people’s needs, to plan for different levels of support at different times. They work with other health and social care services to find out who needs extra support or contact to make sure things are okay. If someone suddenly becomes very unwell and urgently needs to go into hospital, there might not be enough time for a community CTR. If this happens, an adult should have a hospital CTR within four weeks of going into hospital, or two weeks if you are a child or young person. This process is carried out with consent from the patient in order to satisfy the Common Law Duty of Confidentiality.
Data Processors	Local Authorities within the boundary served by Humber & North Yorkshire Integrated Care Board
Your Rights	With regards to Care and Treatment reviews under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateThe right to be not involved. Before every CTR consent is obtained from the patient and recorded. If the patient lacks capacity a best interests meeting is held to determine their ability to engage with the process and understand it. An advocate is allocated if needed.
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	NHS England, Patients Care Team, Patients Advocate. If relevant the patients Family/Carer and patient.

Medicines Management

Data Controller(S)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Controlled Drugs Monitoring – The ICB has a duty to assist the relevant Controlled Drug Accountable Officer (CDAO) of NHS England in the carrying out of the CDAO’s functions under The Controlled Drugs (Supervision of Management and Use) Regulations 2013. These regulations aim to strengthen the governance arrangements for the use and management of controlled drugs. Minor Ailments – The Minor Ailments Scheme enables you to receive prescription medications, to treat a range of common conditions, direct from the pharmacist without a GP prescription.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health information
Legal basis	GDPR Article 6(1)(e)processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.
How we collect (the source) and use the information	We collect and store information that has been received directly from the patient or from the following organisations: GP Practices, NHS Trusts, Providers and Care Homes. We use this information to investigate, manage and answer prescribing queries/ provide support to GP Practices.
Data Processors	North of England Commissioning Support
Your Rights	With regards to Medicines Management Reviews under GDPR you have the right: To be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	North of England Commissioning Support

Cancer Waiting Times

Data Controller(S)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	The Cancer Waiting Times data has been collected as part of the National Cancer Registry (now NCRAS) since 2001, and many different policies and legislation have historically been used to keep this data flowing in order to monitor times taken to diagnose and treat patients with cancer and ensure these are in line with the expectations and rights of patients in the NHS Constitution. The Cancer Wait Times (CWT) system collects and validates the National Cancer Waiting Times Monitoring Data Set, allowing performance to be measured against operational Cancer standards. Data is checked and records merged to the same care pathway to cover the period from referral to first definitive treatment for cancer and any additional subsequent treatments. The CWT system then determines whether the operational standard(s) that apply were met or not for the patient and the accountable provider(s).
Type of information Used	Different types of data are legally allowed to be used by different organisations within, or contracted to, the NHS. Pseudonymised – the ICB may only receive this information in a pseudonymised format which does not identify individuals.
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. NHS Digital has been directed by NHS England under section 254 of the Health and Social Care Act 2012; to establish and operate a system for the collection and analysis of the information specified for this service. NHS Digital has received a direction from the Secretary of State concerning the handling of patient objections. The Direction references the collections for the National Cancer Registry (now NCRAS) which Cancer Waiting Times is part of. A copy of the Directions is published here: https://assets.publishing.service.gov.uk/government/uploads/system/uploads /attachment_data/file/517522/type2objections.pdf This information is required by NHS Digital under section 259(1) of the Health and Social Care Act 2012. In line with section 259(5) of the Act, all organisations in scope, in England, must comply with the requirement and provide information to NHS Digital in the form, manner and period specified in this Data Provision Notice.
How we collect (the source) and use the information	The CWT system enables NHS Trusts to upload a locally generated report to a central system, which then generates key data reports against specific performance measures. The CWT system holds National Cancer Waiting Times Monitoring Data Set in a series of pre-aggregated static reports. These reports are available monthly and quarterly data (aligned with the National Statistics for Cancer Waiting Times published by NHS England). Users can query the CWT system to generate reports to feedback on the progress towards meeting these targets. We use these datasets for a number of purposes such as: · Performance monitoring against standards · Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care · To prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement To help us plan for the future.
Data Processors	N/A
Your Rights	With regards to your data being processed under GDPR you have the right: · To be informed about the processing of your information (this notice) · Of access to the information held about you · To have the information corrected in the event that it is inaccurate, this would need to be via your care provider · To be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	Humber and North Yorkshire Cancer Alliance

Electronic Palliative Care Co-ordination System (EPaCCS) in Humber, Coast and Vale

Data Controllers		The direct health and social care providers who are involved in delivering end-of-life care to patients are Data Controllers in Common using the shared EPaCCS system. This includes GP practices, community care providers, hospices, hospitals, social care providers, care homes, NHS 111, ambulance services and NHS Out-of-Hours services. Please note NHS H&NY ICB does not have routine access to the EPaCCS system and will only access the system in the case of investigating complaints, security breaches or essential administrative tasks To find out more about EPaCCS and how it supports end-of-life care in Humber, Coast and Vale go to: https://humbercoastandvale.org.uk/how/digital-futures/#EPaCCS If you have any queries please contact: hnf-tr.yhcrhcv.carerecord@nhs.net
Why we need to process your personal data?	Patients who are at the end of life come into contact with many health and care professionals. The challenge has been in enabling different care providers to share information about an individual patient’s care and end-of-life preferences in a safe, up-to-date and efficient way. Treatment choices, how and where care is delivered, and the preferred place of death are at the heart of end-of-life care. Patient choices are not static and often change during the last weeks and months of life. Typically, preferences for end-of-life care are collected by GPs and inputted into their GP system. However, this may not always reflect the latest wishes of the patient and may not be available to all of a patient’s health and care providers. EPaCCS enables the recording and sharing of a patient’s care preferences and key details about their care at the end-of-life. As it is electronic it can easily be shared 24/7 between all the clinicians and carers involved in the patient’s care across organisational and geographical boundaries. An EPaCCS record can be created, updated and shared by any member of a patient’s health and care team, subject to locally determined pathway and user administration settings. The EPaCCS record is a summary record, intended to provide an easily accessible view of the information that carers need in an end-of-life setting. We process personal information because it is necessary to comply with our legal obligations and perform our public duty.
How do we collect information about you?	Personal information relating to you will be received from a number of areas. Some of the information about your medical history, such as medications and conditions, will come from your GP record. Information about your preferences for how and where you receive care at the end-of-life will be provided by you when you share this information with the different health and care professionals who care for you. Only the personal information necessary about you in order to help us deliver the right service or meet legal obligations will be collected.
What information will be shared about you?	Only information about you that will help the health and care professionals who provide your care make the best decisions about your treatment and ensure that your preferences and wishes are respected will be shared. This includes: your demographic details (name, contact details, NHS number, gender), your medications, diagnoses and problems, CPR decision, preferred placed of care and preferred place of death.
How your information is used?	Your information will be used to ensure that the health and care providers that care for you have the information they need to provide the best care for you and to ensure that your wishes and preferences at the end-of-life are known, shared and respected.
Who will your personal information be sharded with?	The information within EPaCCS will only be shared with health and care professionals that are directly involved in delivering your care. These organisations include GP practices, hospitals, hospices, care homes, Out-of-Hours services, NHS 111, community service providers and social care providers.
What is the reason for processing your personal information?	Health and social care providers have determined that the appropriate legal justification upon which this information can be shared for the purposes of the EPaCCS end-of-life shared care record is the delivery of direct care. This is in line with the recommendations of Caldicott Reviews of 1997, 2013, the provisions of the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR). The applicable articles in GDPR are: Article 6 (1)(e) – “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;” Article 9 (2)(H) – “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”
How long will we keep your personal information for?	We will only keep your personal information for as long as we need to, so we can give you the service you need, unless we must keep it for legal reasons. You have the right to remove your approval for us processing your end-of-life preferences at any time. It will only be held for the periods stated in our records management policy and retention schedule, after which it will be securely destroyed.
What are my rights in relation to my personal information?	You have the right to: · ask to see the personal information we hold about you; · ask us to change it if it is wrong; · ask us to delete the information we hold about you; · ask us to limit the way we use your personal information; · have your information transferred to another Authority; · complain to the Information Commissioner’s Office. You can withdraw your approval for the processing of your personal information and sharing of your end-of-life preferences at any time.

Visitors to our Website

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	Monitoring how the ICB’s website is used. This is done to find out things such as the number of visitors to the various parts of the site.
Type of information Used	Identifiable: Personal (IP address)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.
How we collect (the source) and use the information	When someone visits the ICB’s website information is collected in a standard internet log to enable the ICB to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries. By entering your details in the fields requested or sending us an email, you enable the ICB and its service providers to provide you with the services you select. Any information you provide will only be used by the ICB, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so. We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event the purpose has been met or when you no longer wish to continue your subscription.
Data Processors	TH3 Design – website provider
Your Rights	With regards to the website service under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profiling To be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	This information is not shared outside of the ICB.

Population Health Management (PHM)

Data Controller(s)	Humber & North Yorkshire Integrated Care Board
Purpose	Population Health Management (or PHM for short) is aimed at improving the health of an entire population. It is being implemented across the NHS and the ICB is taking part in a project extending across the Humber Coast and Vale Health and Care Partnership. PHM is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care. The PHM approach requires health care organisations to work together with communities and partner agencies, for example, GP practices, community service providers, hospitals and other health and social care providers. These organisations will share and combine information with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements. If it is determined that an individual might benefit from some additional care or support, the information will be sent back to your GP or hospital provider and they will use the code to identify you and offer you relevant services. Examples of how the information could be used for a number of healthcare related activities include; improving the quality and standards of care provided research into the development of new treatments preventing illness and diseases monitoring safety planning services
Type of information Used	The information will include personal data about your health care. This information will be combined and anything that can identify you (like your name or NHS Number) will be removed and replaced with a unique code. This means that the people working with the data will only see the code and cannot see which patient the information relates to.
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services. Confidential patient information about your health and care is only used like this were allowed by law and, in the majority of cases, anonymised data is used so that you cannot be identified.
How we collect (the source) and use the information	Your GP and other care providers will send the information they hold on their systems to the North of England Commissioning Support Unit (NECS). NECS are part of NHS England. More information can be found here http://www.necsu.nhs.uk/ NECS will link all the information together. Your GP and other care providers will then review this information and make decisions about the whole population or particular patients that might need additional support.
Data Processors	North of England Commissioning Support Unit (NECS) http://www.necsu.nhs.uk/
Transfers of Data Overseas	Data is not transferred overseas.
Your Rights	With regards to your data being processed under GDPR you have the right: To be informed about the processing of your information (this notice) Of access to the information held about you To have the information corrected in the event that it is inaccurate. Right not to be subject to solely automated decision making or profiling. To be notified of data breaches You have a right to object to your personal information being used in this way. If you do choose to ‘opt out’ please contact your GP in the first instance. If you are happy for your personal information to be used as part of this project then you do not need to do anything further, although you do have the right to change your mind at any time
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	North of England Commissioning Support Unit (NECS) Your GP or Hospital Provider

Use of Zoom for Public Events / Webinars

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	To allow you to attend online webinars which provide the public and stakeholders with information regarding health and care developments for patients in North East Lincolnshire. These webinars are delivered in conjunction with our health and care partners including Northern Lincolnshire & Goole NHS Foundation Trust. These sessions will be recorded and it will not be possible to opt out of this functionality.
Type of information Used	Identifiable: Personal (such as name, email address and telephone number) Non-identifiable: We will also collect your join and leave time, which we use to inform us how long people stayed to watch our webinar for, so that we can identify which events are more successful and how well we are reaching our audiences.
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.
How we collect (the source) and use the information	When you sign up to an event we will collect your name, email address or telephone number to allow you to attend the event. Following an event, we will retain your personal information to allow us to send you a feedback report/update on the topics discussed. We will also upload a recording of the event onto the HNY ICB (NEL Place), Accord & NLaG websites – however no personal information will be included in these recordings. All personal information you provide in order to access our events will be deleted once we have sent you a feedback report/update.
Data Processors	We use Your Vision Events Ltd & Zoom as our data processor in order to provide you with this event.
Your Rights	With regards to the website service under GDPR you have the right: To be informed about the processing of your information (this notice) Of access to the information held about you To have the information corrected in the event that it is inaccurate To restrict or stop processing To object to it being processed or used Not to be subject automated decision-taking or profiling To be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021. All personal information you provide in order to access our events will be deleted once we have sent you a feedback report/update.
Who we will share the information with (recipients)	This information is not shared outside of the HNY ICB.

Information for Job Applicants

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	The ICB will process information provided by applicants for the management of their application and the subsequent selection process.
Type of information Used	Anonymous – for shortlisting and selection purposes Identifiable: Personal such as name, address, date of birth etc.) – following the short-listing process
Legal basis	Article 6 – 6(1)(c) ‘…necessary for compliance with a legal obligation…’ For criminal conviction information (obtained via the Disclosure and Barring Service (DBS)) processing meets the requirements of Article 10 of the GDPR under Schedule 1, Part 1 of the Data Protection Act 2018 – processing in connection with employment, health and research – Processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection. Relevant legislation: the provisions of the Safeguarding Vulnerable Groups Act 2006 as a basis for carrying our DBS checks.
How we collect (the source) and use the information	The recruitment process involves passing details provided by you on your application regarding your qualifications, skills and work experience, (but excluding your name, address and other personal data) to the short-listing and selection panels. After shortlisting full details provided by you on your application form will be provided to the interview panel. Details provided by you are also used to help fulfil our obligations to monitor equality and diversity within the organisation and process your application.
Data Processors	Methods Consulting Ltd – management of NHS Jobs (recruitment website)
Your Rights	To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	Your information may be shared with Dept Works and Pension, NHS Trust, Occupational Health Disclosure and barring services

Human Resources

Data Controller(s)	NHS Humber and North Yorkshire Integrated Care Board NHS Business Services Authority (for the Electronic Staff Record aspect)
Purpose	The ICB holds personal and confidential information on its staff for employment-related purposes, such as recruitment, payment of salary, sickness and absence monitoring, professional development purposes, and to reimburse expense claims.
Type of information Used	Identifiable: Personal (such as name, address, date of birth) and Special Category (health, racial or ethnic origin information) Information relating to expenses: Personal (such as, name, address, payroll number, driving licence & registration, insurance, MOT, car details) Information relating to criminal convictions (DBS checks).
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority AND 6 (1) (c) – Processing is necessary for compliance with a legal obligation… GDPR Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law. For reimbursement of expenses – GDPR Article 6(1)(b) – processing is necessary for the performance of a contract… For criminal conviction information (obtained via the Disclosure and Barring Service (DBS)) processing meets the requirements of Article 10 of the GDPR under Schedule 1, Part 1 of the Data Protection Act 2018 – processing in connection with employment, health and research – Processing necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection. Relevant legislation: the provisions of the Safeguarding Vulnerable Groups Act 2006 as a basis for carrying our DBS checks.
How we collect (the source) and use the information	The ICB uses information for the purposes of employment in a variety of ways including: Recruitment – application forms, collecting references, carrying out DBS checks, payroll and pension information. Managing and monitoring annual leave and sickness. Carrying our personal development reviews. Referrals to Occupational Health Disciplinary procedures. Processing staff leavers, retirements and providing references. Recruitment of temporary staff/student placements Reimbursement of expenses
Data Processors	Victoria Pay Services IBM (system supplier of the Electronic Staff Record – ESR & Easy- Expenses) Methods Consulting Ltd – management of NHS Jobs (recruitment website) NHS SBS (finance system) for payroll purposes
Transfer of information overseas	NHS SBS carry out some of their processing activity in India. Where this occurs it is governed by the use of approved Model Contract Clauses.
Your Rights	Under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	In addition to the sharing with our named Data Processors above – the ICB shares information with a variety of organisation and individuals for a number of lawful purposes including: Public disclosure under Freedom of Information – e.g. requested names or contact details of senior managers or those in public-facing roles; Disclosure of job applicant details – e.g. to named referees for reference checks, to the Disclosure & Barring Service for criminal record checks Disclosure to employment agencies – e.g. in respect of agency staff; Disclosure to banks & insurance companies – e.g. to confirm employment details in respect of loan/mortgage applications/guarantees; Disclosure to professional registration organisations – e.g. in respect of fitness to practice hearings; Disclosure to Occupational Health professionals (subject to explicit consent); Disclosure to police or fraud investigators – e.g. in respect of investigations into incidents, allegations or enquiries.

Declarations of Interests, Gifts and Hospitality Publication

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	The ICB is required to maintain and publish on its website registers of interests, gifts and hospitality for, for staff with the exception of staff grade 7 and below as well as its Board Members and members of the ICB’s committees, sub- committees/sub-groups.
Type of information Used	Identifiable: Personal (name and job role)
Legal basis	GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
How we collect (the source) and use the information	The ICB maintains and publishes Registers of Interest and Gifts and Hospitality containing names, job roles, details of the interest and/or receipt of gifts/hospitality including the details of those supplying the gift/hospitality as per the guidance on Managing Conflicts of Interest.
Data Processors	N/A
Your Rights	In exceptional circumstances, where the public disclosure of information could lead to a real risk of harm or is prohibited by law, a person’s name or other information may be withheld from the published registers. If you feel that substantial damage or distress may be caused to you or somebody else by the publication of information in the registers, you are entitled to request that the information is not published. Such requests must be made in writing to the ICB. Under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo restrict or stop processingTo object to it being processed or usedNot to be subject automated decision-taking or profilingTo be notified of data breaches
How long we will keep the information	The organisation has adopted the retention periods for health and non-health records as set out in the NHS Records Management Code of Practice 2021.
Who we will share the information with (recipients)	The registers are published on the ICB’s website. https://humberandnorthyorkshire.icb.nhs.uk/wp-content/uploads/2023/02/ICB-Declaration-of-Interest-Register-Published-Feb-2023.xlsx Audit Yorkshire for auditing purposes. Information may be shared with NHS England.

National Fraud Initiative

Data Controller(s)	NHS Humber & North Yorkshire Integrated Care Board
Purpose	The ICB is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud under the National Fraud Initiative. The Cabinet Office is responsible for carrying out data matching exercises.
Type of information Used	Identifiable: Personal
Legal basis	GDPR Article 6 (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject. Relevant Legislation: Part 6 of the Local Audit and Accountability Act 2014 (LAAA).
How we collect (the source) and use the information	We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. Data matching by the Cabinet Office is subject to a Code of Practice. For further information on data matching at this authority, contact the ICB’s Counter Fraud Team.
Data Processors	Audit Yorkshire , the ICB’s contracted provider of internal audit and counter-fraud services.
Your Rights	Under GDPR you have the right: To be informed about the processing of your information (this notice)Of access to the information held about youTo have the information corrected in the event that it is inaccurateTo be notified of data breaches
How long we will keep the information	The datasets used in the matching exercise by the Cabinet Office will be kept as per the Code of Data Matching Practice
Who we will share the information with (recipients)	The Cabinet Office and Counter Fraud Authority

Glossary

Identifiable – information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Pseudonymised – individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity

Anonymised – data which is about you but from which you cannot be personally identified.

Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals

General Data Protection Regulation (GDPR) – The General Data Protection Regulation is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area.

Data Protection Act – UK legislation introduced in 2018 in line with GDPR to expand on the EU Regulation and to provide for areas specifically excluded from GDPR (eg Law Enforcement).

Data Controller – natural or legal person, public body, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor – natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Category (Sensitive) data – categories of personal data for which special safeguards are required by law. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer – Under GDPR all Public Authorities must appoint a Data Protection Officer. The role of this person, who must be an expert in Data Protection Law is to monitor ICB compliance with data protection:

Provide advice and assistance with regards to the completion of Data Protection Impact Assessments
Act as a contact point for the Information Commissioners Office (ICO), members of the public and ICB staff on matters relating to GDPR and the protection of personal information
Assist in implementing essential elements of the GDPR such as the principles of data processing, data subjects’ rights, privacy impact assessments, records of processing activities, security of processing and notification and communication of data breaches

Primary Care – Primary care settings include GP Practices, pharmacists, dentists and some specialised services such as military health services.

Secondary Care – Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Caldicott Guardian – a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.

Senior Information Risk Owner (SIRO) – an executive or member of the Senior Management Board of an organisation with overall responsibility for information risk across the organisation.

Right of Access Requests – The right a data subject has from the controller for confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and further information about the processing.

Privacy Policy

Who we are and what we do

How we use your personal information

Types of information we hold

Details of information used for specific purposes

Use of Anonymised Data

Use of Pseudonymised (De-identified) Information

Use of Personal and Sensitive (Identifiable) Information

Sharing Information with Health and Care organisations

Our Commitment to Data Privacy and Confidentiality

Data Protection Impact Assessments

Your Rights

Queries, Complaints & Access

Details of information used for specific purposes

Continuing Healthcare and Children/Young People Continuing Care

Personal Health Budgets (PHBs) and Personal Wheelchair Budgets

Subject Access Requests

Assuring Transformation (Learning Disability Data)

Medicines Management

Cancer Waiting Times

Electronic Palliative Care Co-ordination System (EPaCCS) in Humber, Coast and Vale

Visitors to our Website

Population Health Management (PHM)

Use of Zoom for Public Events / Webinars

Declarations of Interests, Gifts and Hospitality Publication

Glossary

Stay up to date

Helpful Links

Who we are