What is a privacy notice?
The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.
What we use your information for – Please select the information that is relevant to you from the list below for full details on how your information is used.
- Direct care and Enfield Referral Service
- Complaints, subject access requests and Freedom of Information Act requests
- Incident management
- Medicines management
- Patient communications
- Patient participation or engagement
- Public health
- Quality alerts
- Risk stratification
- Litigations and claims
Enfield Clinical Commissioning Group (CCG) is responsible for planning and buying (also known as ‘commissioning’) health services from healthcare providers such as hospitals, as well as directly providing some health services such as continuing healthcare, the Enfield Referral Service, Personal Health Budgets and Individual Funding Requests.
We are a membership body made up of all GP practices in Enfield. We do not provide healthcare services like a GP practice or hospital. Our role is to make sure the appropriate NHS care is in place for the people of Enfield within our available budget.
As an NHS organisation, Enfield CCG operates at a number of different levels in regards to the processing of personal data. We act as a Data Controller primarily for the management of data relating to our employees and those working on behalf of or with our organisation and also covering some NHS patient provider functions.
Enfield CCG may collect information about you which helps us to respond to your queries and help us to design services to improve the health needs and outcomes of local people.
Why we collect information about you
In carrying out our role and responsibilities as a commissioner of services for people living in Enfield, it is essential that the CCG has an understanding of the health and social care needs of our community. The only way that we can achieve this is by using information that your GP, your clinician or your social worker has entered into your care record, as well as some information that is provided via external public sources such, as hospitals and the London Borough of Enfield. This information may exist on paper or in electronic format and Enfield CCG ensures that these are kept safe and secure in an appropriate way.
We do not however, need to have and use all the information that is provided. Where this is identified, information is de-identified by the Data Services for Commissioners Regional Offices (DSCRO) prior to being shared with the rest of the CCG for its use. (For further explanation, see section below on mechanisms for processing your data).
We may keep your information in written form and / or in digital form. The records may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments.
CCG oversight and responsibility
The Enfield CCG Governing Body is supported by a number of key roles within the CCG led by the Senior Information Risk Owner, who is accountable to the Governing Body for information risk management within the CCG; The Caldicott Guardian who advises the Governing Body on specific issues relating to the use of patient confidential data and the Data Protection Officer who provide advice and support to the CCG on Data Protection compliance and monitoring obligation. These roles have oversight of the handling of information within the CCG or by any support organisations we may buy services from.
The Senior Information Risk Officer for the CCG is Deborah McBeal, Director of Primary Care Commissioning & Deputy Chief Operating Officer.
Email address is Deborah.firstname.lastname@example.org
The Caldicott Guardian for the CCG is Aimee Fairbairns, Director of Quality and Clinical Services. Email address is email@example.com
The Data Protection Officer for the CCG is Dayo Adebari, Information Governance & FOI Manager, NCL CCGs. Email address is: firstname.lastname@example.org
The North and East London Commissioning Support Unit (NELCSU) provides administrative support for a number of CCG functions. You can visit their website for further information here.
To help you in reading this information, the following definitions have been used in this notification and across the CCG.
What is personal confidential data?
Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or confidential and includes dead as well as living people.
The review interpreted 'personal' as including the Data Protection Act definition of personal data, but included data relating to deceased as well as living people, and 'confidential' includes both information 'given in confidence' and 'that which is owed a duty of confidence' and is adapted to include 'sensitive' as defined in the Data Protection Act.
Examples of identifiable data are:
- date of birth
- NHS number
What is personal data?
As per the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and defined by the Information Commissioner's Office. Personal data means data which relate to a living individual who can be identified:
(a) From those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
What is sensitive personal data?
Sensitive personal data is different from personal data. Sensitive personal data means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) their political opinions,
(c) their religious beliefs or other beliefs of a similar nature,
(d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) their physical or mental health or condition,
(f) their sexual life,
(g) the commission or alleged commission of any offence,
(h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings
What is secondary care data?
Secondary care data is information we have obtained from local hospitals, other care providers and other external public sources.
What is primary care data?
Primary care data is information that is provided by your GP surgery and other community service providers.
How is direct patient care defined?
The Caldicott Review defined direct patient care as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals.
It includes supporting individuals' ability to function and improve their participation in life and society.
It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
How is indirect patient care defined?
Indirect patient care is defined by the Caldicott Review as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.
Who is a Data Controller?
A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Who is the Data Protection Officer (DPO)?
A person who has expert knowledge of data protection law and practice. This person report to the highest management level of the organisation. The DPO, advice the organisation on Data Protection compliance and monitoring.
What is Data Services for Commissioners Regional Offices?
Data Services for Commissioners Regional Offices is a regional secure service provided by the Health and Social Care Information Centre (NHS Digital) to process information for NHS organisations. For more information please visit the Health and Social Care Information Centre (NHS Digital).
How your records are used to help the wider NHS
Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.
Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.
How your records are processed by Enfield CCG
Enfield CCG processes personal data for a number of reasons and in various ways. These are outlined below:
- For the purpose of internal operations, Enfield CCG will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
- For the purpose of direct patient care, Enfield CCG will ensure that any information collected about you is initially provided by you and where any additional information is collected or used this will be with your explicit consent.
- For the provision of indirect care and to maintain rules for use of information,EnfieldCCG uses a number of approved and secure services / systems to process information about you such as:
- Data Services for Commissioners Regional Offices – this is a regional secure service provided by the Health and Social Care Information Centre via the North and East London Commissioning Support Unit (NELCSU). Further information can be found on the Health and Social Care Information Centre (NHS Digital) website.
- Controlled Environment for Finance (CEfF) – this is another established group provided by the North and East London Commissioning Support Unit (NELCSU) on behalf of NHS England to support invoice validation. This service was established under a Section 251 exemption of the Health and Social Care Act 2012 to allow commissioning organisations to validate invoices it received ensuring correct payments are identified and made on behalf of Enfield CCG.