Information about your health and care is recorded across NHS organisations and local authorities.
When you contact organisations involved in your care as a patient or service user, information is collected about you and records maintained about the care and services that have been provided.
One Health and Care pulls the key information from these different health and social care systems and displays it in one combined record. This enables registered health and social care professionals involved in your care to find all the key, most up-to-date information in one place, which helps them provide better, safer care.
One Health and Care also enables Population Health Management. Population Health Management (PHM) helps us understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services and make better use of public resources.
The organisations across the Black Country and West Birmingham that are participating in One Health and Care are:
- Local GP Practices in the Black Country and West Birmingham
- The Dudley Group NHS Foundation Trust
- Sandwell and West Birmingham Hospitals NHS Trust
- Walsall Healthcare NHS Trust
- Royal Wolverhampton Hospitals NHS Trust
- Black Country Healthcare NHS Foundation Trust
- Dudley Metropolitan Borough Council
- Sandwell Metropolitan Borough Council
- Walsall Metropolitan Borough Council
- Wolverhampton City Council
- West Midlands Ambulance Service NHS Trust
Our neighbouring organisations in Stoke-on-Trent and Staffordshire, and Shropshire, Telford and Wrekin, are also participating in and contributing data to One Health and Care. More information and full lists of participating organisations can be found for Staffordshire and Stoke-on-Trent and Shropshire, Telford, and Wrekin.
All partner organisations involved with One Health and Care that process your personal data are registered with the Information Commissioner’s Office (ICO), to process your personal data in accordance with the current Data Protection legislation and any subsequent revisions.
The data protection notifications for all participating organisations can be found on the Information Commissioner’s website. This notice explains in more detail the types of information that are recorded about you, why this is necessary and the ways in which this information may be used.
The health and care professionals involved in your care keep records about your health and any treatment and care you receive from the NHS and Local Authority Social Care. Sometimes data is collected in order to provide services and sometimes it is collected because there is a statutory responsibility to do so. These records help to ensure that you receive the best possible care.
This information may include:
- Basic details about you such as name, address, date of birth, next of kin, NHS number etc.
- The name of your GP Practice and GP
- Notes and reports about your health, treatment and care
- Medications, allergies, ongoing and historic conditions, immunisations and diagnoses
- Procedures and investigations
- Test results, hospital referrals, admissions, discharges, appointments and clinics attended
- Relevant information from people who care for you and know you well such as health staff and relatives / carers
- Social and mental health information and care plans
It is essential that your details are accurate and kept up to date. Always check that your personal details are correct and please inform the individuals involved in your care of any changes as soon as possible.
Your data may be collected directly from you, or data about you may be gathered from other agencies who work in partnership together. It may be that service providers ask other agencies or organisations for relevant data about you so that they can fulfil legal responsibilities or ensure they are providing you with the correct service.
Information about you is already collected by individual providers of health and care services. One Health and Care is about making this information available across providers, to help inform your care at the point of need. Pseudonymised or anonymised data might be used for Population Health Management.
Data for your care
Only health and social care professionals involved in your direct care will have access to your health and social care data within One Health and Care.
There will be an audit trail in your record of each person who accesses your information.
The personal information viewed within One Health and Care will be used for the purpose of your direct care. It will always be used in line with each organisation’s responsibilities, where there is a legal basis to do so, and in line with your rights under data protection legislation. Personal data viewed within One Health and Care will only be used to provide services you have requested or require.
If your data within One Health and Care is to be used for a purpose outside of this fair processing notice, you will be provided with information about it before it happens, and you will have the opportunity to object, as detailed below.
The information within One Health and Care will be used in order to:
- Deliver health and care services and understand your needs
- Contact you when necessary
- Obtain your opinion and feedback about the services provided
- Ensure that partner legal obligations are fulfilled.
One Health and Care will not use your personal data to make decisions about your direct care by automated means without any human involvement.
Data for planning
Data for planning helps us understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services and make better use of public resources.
Data for planning uses anonymised/pseudonymised historical and current data to understand what factors are driving poor outcomes in different population groups and helps the ICB design new proactive models of care which will improve health and wellbeing today as well as in 20 years’ time. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.
For the public, it should mean that health and care services are more proactive in helping people to manage their health and wellbeing, provide more personalised care when it’s needed and that local services are working together to offer a wider range of support closer to people’s homes.
If you have enacted an opt-out, as detailed below, then your information shall not be included within these planning activities.
One Health and Care allows your data to be shared between the partners involved. A list of these is included at the bottom of this page. An information sharing agreement is in place, which commits each partner to appropriate standards of privacy, security, and transparency.
Where necessary, information may be shared with other organisations that provide services on the partner’s behalf. In such cases, the information provided is only the minimum necessary to enable them to provide services to you. These organisations would be required to retain your information in a secure manner and only use it to undertake the services they provide to you.
Your information will not be disclosed to any other third parties without your permission unless required/permitted to do so by law.
At no time will the information viewed within One Health and Care be passed to organisations for marketing or sales purposes or for any commercial use.
Each health and care organisation in the Black Country and West Birmingham collects information about you and keeps records about the care and services they have provided. The One Health and Care record pulls together the information from different health and social care records and displays it in one combined record.
We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information.
Appropriate technical and security measures in place to protect the One Health and Care Record include:
- Complying with Data Protection legislation.
- Encrypting Personal Data transmitted between partners.
- Implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures.
- A requirement for organisations to complete the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements.
- Use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the One Health and Care Record are auditable against an individual accessing the One Health and Care Record.
- Ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.
The NHS Digital Code of Practice on Confidential Information applies to all NHS and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.
Whilst you are automatically enrolled into the One Health and Care Record as a Black Country or West Birmingham citizen, you have the option to object to your information being shared for individual care and to opt out of your data being used for planning. More information about this is available below.
As the One Health and Care Record is an integrated digital care record that pulls together vital patient data from several health and social care providers, only data currently visible in each of the local systems will be visible in the One Health and Care Record. Each partner organisation feeding data into the One Health and Care Record has local retention rules set by the NHS Records Management Code of Practice.
Within the governance framework for the One Health and Care Record, the system supplier is also contractually obliged to comply with any requests by the partners to remove/delete data when instructed to do so.
Further information can be found here:
Records Management Code of Practice 2021 (pdf) - a guide to the management of health and care records.
To process personal data or identifiable data lawfully we are required to have a purpose or reason for processing that data. The common legal bases that are used for the One Health and Care Record, and the relevant legislation, are broken down below:
1. Lawful Basis: GDPR (UK)
The General Data Protection Regulation (UK) requires us to have a legal basis for processing information that can be used to identify an individual, including pseudonymised data, but not anonymised data. For further information please visit: https://
To process personal data, as defined by the GDPR (UK) the following lawful bases from Article 6 are used, and may be used for either data related to individual care or data related to secondary uses:
6.1(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In certain circumstances the following may be used when sharing information is necessary to protect an individual from harm.
6.1(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Additionally, when more sensitive data is processed, we require a further legal basis as laid out by Article 9. Sensitive data is defined by GDPR (UK) as special categories of personal data requiring further protection, for example racial or ethnic origin and health data. The following lawful bases from Article 9 are typically used:
For the purposes of improving individual care, the condition which lifts the prohibition on processing of the special category of data is:
9.2(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 (available in the linked documentation above).
If the data processed for the purposes of planning NHS Services, improving patient safety or evaluating government and NHS Policy is still considered to be personal data under GDPR, the condition which lifts the prohibition on processing of the special category of data is:
9.2(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
If the data processed for the purposes of population health (for example to understand more about disease, or develop new treatments) is still considered to be personal data under GDPR, the condition which lifts the prohibition on processing of the special category of data is:
9.2(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
In certain circumstances the following may be used when sharing information is necessary to protect an individual from harm:
9.2(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
2. Lawful Basis: Data Protection Act 2018 (DPA)
The DPA 2018 is legislation that further defines sections of the GDPR specifically for the UK. For further information please visit https://
Schedule 1, Part 1, condition(s) for processing:
(2) Health or social care
For health or social care:
(d) provision of health care or treatment
(e) provision of social care
Schedule 1, Part 1 makes further reference to the legal basis in the GDPR and whether or not the condition is met for the DPA.
In relation to Secondary Uses (Secondary Use Definition)
Schedule 1, Part 1, condition(s) for processing:
(2) Health or social care
(3) Public health
For health or social care:
(d) provision of health care or treatment
(e) provision of social care
(f) management of health care systems or services or social care systems or services
For the purpose of public health:
(b)(i) by or under responsibility of a health professional
(b)(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law
For research purposes:
(a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes
(b) is carried out in accordance with Article 89(1) of the GDPR, and
(c) is in the public interest
3. Lawful Basis: Common Law Duty of Confidentiality (CLDC)
The Common Law Duty of Confidentiality is not a codified piece of legislation but is an amalgamation of case law that allows data to be processed via specific legal gateways.
For individual care purposes, implied consent is used as a reasonable expectation for the use of health and care records.
For uses beyond health and care the following gateways may be used:
Explicit Consent – Requesting consent directly from the individual that the record refers to.
Overriding Public Interest – When sharing the information can be clearly evidenced to be of overwhelming interest to public safety.
Other Statutory or Legal Duty – For instance, in the case of court orders, or where required by routes such as those below:
Confidentiality Advisory Group for section 251 approval – Section 251 of the NHS Act 2006 allows the use of confidential patient information for audit, planning or medical research when it is not possible to use anonymised information and when seeking consent is not practical. An application needs to be made for this approval.
In order to process data for secondary uses from the One Health and Care Record we have made an application to the NHS Health Research Authority’s Confidentiality Advisory Group (CAG) to allow our One Health and Care Record system supplier (Graphnet Health Ltd.) to remove identifiers e.g. name, address, date of birth etc. This will enable us to then use that de-identified data to support our planning without the ability to identify any individual patients. You can find out more about how we use data for planning by clicking on this link.
Whilst you are automatically enrolled into the One Health and Care Record as a Black Country and West Birmingham citizen, you have the option to object to your information being shared for individual care, and to opt out of your data being used for planning.
We apply the Type 1 opt-out implemented via your GP Practice and the National Data Opt-out. If you have either of these opt-outs applied to your record, your One Health and Care record data will not be used for planning and population health purposes.
However, if you do not want to apply a national opt-out and just want to opt out of the One Health and Care Record data being used for planning or population health within the Black Country and West Birmingham, you can contact us to discuss your options using the details below:
Emailing us at: bcicb.
Writing to us at:
FAO OHC Programme Team
NHS Black Country ICB
Civic Centre
St Peter’s Square
Wolverhampton
WV1 1SH
Once the Health Research Authority (HRA) (for research activity) and the Secretary of State for Health and Social Care (for non-research) have given Section 251 support for the activity following advice from the Confidentiality Advisory Group (CAG), we will insert the details of this below.
Once permission has been granted, it will replace this body of text. If this text is still present, permission to use data for secondary use has not yet been granted and as such, data is not currently being processed for secondary purposes.
For further information on the One Health and Care Record speak to your care provider or access the following link: https:/
If you require information in an alternative format, please contact us via one of the methods listed above.
4. Lawful Basis: Further Related Legislation
The Health and Social Care (Safety and Quality) Act 2015 inserted a legal Duty to Share Information in Part 9 of the Health and Social Care Act 2012.
Official authority:

| Organisation type | Official authority |
|---|---|
| GP Practices | NHS England’s powers to commission health services under the NHS Act 2006. Also, Article 6 (1) c for GPs when subject to statutory regulation |
| NHS Trusts | National Health Service and Community Care Act 1990 |
| NHS Foundation Trusts | Health and Social Care (Community Health and Standards) Act 2003 |
| Local Authorities | Local Government Act 1974; Localism Act 2011; Children Act 1989; Children Act 2004; Care Act 2014 |

Under Data Protection Legislation you have various rights regarding your data. In relation to One Health and Care the following rights could be requested:
- Access - you have the right to request access to information held about you by organisations that are providing your care.
- Rectification - if you think data held about you is factually incorrect you have the right to ask for it to be corrected. You may be requested to provide evidence of the alleged inaccuracy.
- Erasure - you can ask an organisation that holds data about you to delete that data. In some circumstances, they must then do so. You may sometimes hear this called the ‘right to be forgotten’.
- Restriction - you have the right to request the restricting of processing your data in certain scenarios, for example if you contest the accuracy of the data and the verification of its accuracy requires checking.
- Object - you have the right to raise an objection to your data being included in One Health and Care. It should be noted this is not an absolute right and would be considered on a case-by-case basis; further details can be found in the ‘Your Choice to Opt Out’ section of this notice.
- Raise a complaint or concern - regarding how your data is handled to the relevant partner organisation.
Due to the One Health and Care System viewable data being sourced from varying partners, requests will need to go to the relevant originating organisation who can then process your request:
- For GP practices, please contact your own GP surgery for guidance.
- For each NHS organisation, please write to the Access to Health Records Department of the organisation that has generated the information.
- For local authorities, please write to the data protection officer of the relevant council.
The organisation should provide your information to you within one calendar month (or two months if the request is deemed complex) following receipt of:
- Adequate information (for example full name, address, date of birth, NHS number, etc.) so that your identity can be verified, and your records located.
- An indication of what information you are requesting to enable the organisation to locate it.
If you wish to raise an objection to your data being viewed for the purpose of the digital shared care record, One Health and Care, then you can do this through contacting your GP Practice and discussing this with them. If it is deemed appropriate, they can action the objection and this will result in your data being restricted from view. GPs reserve the right to refuse the objection if they are satisfied that your removal from the record would cause significant detriment to your care or compromise your safety.
If you are aged 16 or above, we will process your ‘right to object’ by carrying out our normal checks on the details you have given us. From the age of 13 to 16, we will consider your right to object if submitted on your behalf by someone with parental responsibility. If it has not, we will ask a recognised health or care professional if they consider you to be competent to make such a decision. If you are under the age of 13, we will only consider your right to object if it has been signed on your behalf by someone with parental responsibility.
If you would like more information or to discuss your options, please speak to your GP practice.
If your data is restricted from view, you can change your mind at any time and have your data viewable again by contacting your GP Practice. If your data is restricted, your information will not be viewable via One Health and Care; however, it will continue to be shared by care organisations by phone, email and on paper where required as part of your direct care.
Please consider carefully before raising an objection, as doing so could mean that vital information about you is not immediately available when you require health or social care support.
How can you opt out of the One Health and Care Record?
You can contact your GP who can discuss the option with you and apply a code to your GP record to prevent a shared care record being created. You can opt back in at any time by informing your GP.
We want anyone who does opt-out to understand that it could negatively impact the care the NHS and Social Care services can provide. If health and care staff can’t access your medical record:
- It might mean that tests or investigations are repeated because results from other organisations can’t be accessed.
- You may need to repeat the same information to different staff.
- The staff treating you won’t be able to see what has happened to you in different parts of the NHS. Staff will only be able to see your record in that specific organisation such as that particular hospital or GP practice.
- Staff might not know what medication you are taking.
- It may delay treatment.
- It will not stop health and care staff contacting one another to ask questions about your history.
- You may not be conscious or able to share details about your medical history if you arrive at hospital.
Whilst you are automatically enrolled into the One Health and Care Record, you have the option to object to your information being shared for individual care as described above and to opt-out of your data being used for planning.
How you can opt out of your data being used for planning
You can still have a shared care record to support your treatment and care, but you can opt out of your data being used for planning and population health in 3 ways:
1. Stopping a GP practice from sharing your data for planning. This is called a type 1 opt-out.
To do this, you need to fill in an opt-out form and return it to your GP practice. You need to either download a type 1 opt-out form, or contact your GP surgery who may be able to assist you to complete the form on the telephone or may be able to provide you with a printed copy.
Only your GP surgery can process your opt-out form. The GP surgery will be able to tell you if, and when, you have been opted out.
If you choose a type 1 opt-out, your GP will not share your data for planning and population health, but your data will still be used to support your direct care.
Find out more about type 1 opt-out from the NHS England Digital website.
Once the type 1 opt-out has been applied by your general practice, One Health and Care will acknowledge this opt-out and automatically remove your record from further processing for planning purposes.
2. Stopping NHS England and other health and care organisations from sharing your data for planning. This is called a national data opt-out.
To opt out online or find out more, you can visit the make your choice page on the NHS website or contact the NHS England Contact Centre by ringing 0300 303 5678.
If you choose this opt-out, NHS England and other health and care organisations will not be able to share any of your personal data with other organisations for planning and population health, except in certain situations. For example, when required by law.
If you want to check if you have opted out, you can enter your details again at make your choice or check your settings in the NHS App. You can opt out, or opt back in again, at any time.
3. Stopping your de-identified data being used for planning within Black Country and West Birmingham
We already apply the type 1 opt-out implemented via the GP practice and the national data opt-out via the secure analytics platform.
If you have either of these opt-outs applied to your record, your One Health and Care Record data will not flow into the secure platform for planning.
If you do not want to apply for a national opt-out, and just want to opt out of your data from the One Health and Care Record being used for planning within the Black Country and West Birmingham, you can contact us as follows:
Emailing us at: bcicb.
Writing to us at:
FAO OHC Programme Team
NHS Black Country ICB
Civic Centre
St Peter’s Square
Wolverhampton
WV1 1SH


