The purpose of this notice is to inform you of the type of information (including personal information) that NHS Cheshire & Merseyside's CCG holds, how that information is used, who we may share that information with, and how we keep it secure and confidential.
What we do
The Cheshire & Merseyside's Clinical Commissioning Group is responsible for buying (also known as commissioning) health services from healthcare providers such as hospitals, GP Practices, Dentists and Pharmacists for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on services offered.
How we use information
We hold information centrally which is used for statistical purposes to allow us to plan the provision of healthcare services. Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency
- Paying your GP for the care they provide
- Checking NHS accounts and services
- Working out what illnesses people will have in the future so we can prioritise NHS services
- Making sure our services can meet patient needs in the future
- Preparing statistics on NHS performance
- Reviewing the care we provide to make sure it is of the highest standard.
Personal and confidential information
For the purposes listed above, we will only use anonymised data which will mean you would not be able to be identified from that information. For information that may identify you (known as personal information) we would only use in accordance with the Data Protection Act 1998. This Data Protection Act requires us to have a legal basis if we wish to process any personal information. We also have to honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.
Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, because of our assigned responsibilities where we do hold and use personal information. In order to process that information we will have met a legal requirement, in general this is where we have complied with one of the following:
- The information is necessary for direct healthcare for patients
- We have received consent from individuals to be able to use their information for a specific purpose
- There is an overidding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
The areas where we use personal information are:
- Individual funding requests a process where patients and their GPs can request special treatments not routinely funded by the NHS
- Assessments for continuing healthcare assessments (a package of care for those with complex medical needs)
- Responding to your queries, concerns or complaints
- Assessment and evaluation of safeguarding concerns for individuals
We work with a number of other NHS and partner agencies to provide healthcare services to you. We may also share de-identified statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.
We may also contract with other organisations to provide a range of services to us such as analysis of data, Human Resource and IT services. In these instances we ensure that our partner agencies handle our information under strict conditions and in line with the law.
Keeping information secure and confidential
All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff (who because of their roll) have regular access to personal information will have received additional specialist training.
We take relevant organisational and technical measures to unsure the information we hold is secure such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption.
Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian, who in the Cheshire & Merseyside's CCG is [NAME SURNAME].