NHS Sheffield Clinical Commissioning Group

We want you to have more care closer to your home...

branch graphic

Appendix A - Legal Basis

Appendix A - Legal Basis

Purpose of

Activity

Data required

Reason for the data

Legal basis

 

Complaints

We receive identifiable

personal information

direct from yourself

along with any data

from other sources

which you give us

permission to access to

allow us to process and

investigate your

complaint. The CCG will only hold the minimum information required to process your complaint.

 

To process your

personal information if

it relates to a complaint

where you have asked

for our help or

involvement.

 

Explicit consent is

provided to action

complaints containing

your identifiable

information

 

Individual Funding

Requests (IFR)

 

The initial information

can come from Primary

Care or other health and care professionals. To continue with

using this information

for your IFR request we require further

information from

yourself, along with any data from other sources which you give us permission to access to allow us to process your request

 

When we are required

to fund specific

treatment for you for a

particular condition that is not already covered in our contracts.

 

The initial assessment

is carried out by a

health professional

then explicit consent

will be gained to

continue

 

Continuing

Healthcare

 

The initial information

can come from Primary

Care or other health and care professionals. To continue with

using this information

for your CHC request we require further

information from

yourself, along with any data from other sources which you give us permission to access to allow us to process your request

 

 

We will collect and

process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting

care packages.

 

The initial assessment

is carried out by a

health professional

then explicit consent

will be gained to

continue

 

Safeguarding

The information may be primary care data or may be information

provided from a member of the public or staff

 

We will need to collect

and process identifiable information where

there are specific

safeguarding concerns

 

It is not always

possible to rely on

explicit consent to

process information

for safeguarding

purposes. Where

consent cannot be

gained we will use a

statutory basis

 

Risk stratification

The data is initially

primary care data. This

data is then provided to our risk stratification

provider who will

cross reference the

information to give a

risk score for patients.

 

The CCG will not see

identifiable primary care data.

 

Identifying patients who are at a high risk of hospital admission. The risk stratification tool used utilises primary care data from GPs or people who have not made a Type 1 objection. This data is pseudonymised and

linked with data from

NHS Digital to provide a risk score for each

patient. The CCG will

not see the identifiable

data within this process.

 

The use of identifiable

data by CCGs and GPs

for risk stratification

has been approved by

the Secretary of State,

through the

Confidentiality

Advisory Group of the

Health Research

Authority under S251

and this approval has

been extended to

April 2017.

 

Invoice Validation

The Invoice validation

process involves using

your NHS number and

occasionally your

postcode or date of

birth to establish which NHS organisation is

responsible for paying

for your treatment. The information is only

accessible by named

staff in a controlled environment.

 

Information is used

within a controlled

setting (known as a

Controlled Environment for

Finance) to ensure that

organisations have

provided the correct

care and can be paid.

 

Sheffield CCG uses Rotherham CCGs accredited

Controlled

Environment for

Finance (CEfF) under a

Section 251

exemption which

enables us to process

patient identifiable

information without

consent for the

purposes of invoice

validation – CAG 7-

07(a)(b)(c)/2013.

 

Commissioning

Secondary Use data is

available to the CCG as datasets from NHS

Digital.

The datasets include

information about the

service users who have

received care and

treatment from those

services that we are

responsible for funding.

The dataset information is not identifiable. They do not include your name, home address, NHS number, post code

or date of birth.

Information such as

your age, ethnicity and

gender as well as coded information about any clinic or accident and emergency attendances,

hospital admissions and treatment will be

included.

 

To collect and report

NHS data we are

responsible for

 

We are required to

provide NHS Digital

with certain datasets

of information. The

legal basis  for this is

statutory.

 

The data comes from

NHS Digital and relates

to service users who

are registered to a GP

in a CCG area. The

datasets are used in a

format which does not

directly identify

individuals.

 

Patient and public

involvement

groups

 

We receive identifiable

information direct from yourself

 

If you are actively

involved in our

engagement and

consultation activities

or patient participation

groups, we will collect

and process personal

confidential data which

you share with us

 

Explicit consent is

required to use your

information for these

purposes

 

Research

We will hold some

information in

anonymised form to

complete research

projects. If the research requires identifiable or

pseudonymised primary

care data then you will

be contacted for

consent before the

information is  accessible to the CCG.

You can object to your

information being used

for research purposes in identifiable or non-identifiable form.

Please speak to your GP if you wish to notify

your objections.

 

To support and conduct research proposals and activities

 

We will seek explicit

consent for research

requiring identifiable

information.

Some research will be

conducted using

anonymised

information. We will

not require consent

for these purposes

 

For other organisations we

have

commissioned ‘Data Processors’

 

We share the minimum information necessary to allow the data processors to act on our behalf. Each contract will have a specific list of

information to be

shared and the legal

basis allowing us to

legitimately share the

information.

 

We commission some services to be provided

on our behalf. These

are known as ‘data

processors’.

 

We have entered into

contracts with other

NHS organisations to

provide some services

for us or on our behalf.

 

NHS Sheffield Clinical Commissioning Group

Headquarters
722 Prince of Wales Road
Sheffield
S9 4EU