NHS Blackburn with Darwen CCG

Just another Sites site

Fair Processing Notice

At Blackburn with Darwen Clinical Commissioning Group we’re committed to protecting and respecting your privacy.

The Clinical Commissioning Group (CCG) has various roles and responsibilities, but a major part of our work involves making sure that:

  • Contracts are in place with local health service providers;
  • routine and emergency NHS services are available to patients;
  • those services provide high quality care and value for money; and
  • paying those services for the care and treatment they have provided.

This is called “commissioning” and is explained in more detail on our website at:  http://www.blackburnwithdarwenccg.nhs.uk/about-us

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

As a commissioning organisation, our purpose is not to provide direct care and so we do not routinely hold or receive information about patients and service users in relation to your care. We do however sometimes hold information from which people can be identified to enable us to fulfil our responsibilities as outlined above and this is explained in this notice.

What is a privacy notice?

We respect your right with regards to data privacy and data protection when you communicate (online or offline) with us through our various websites, offline programs and events.

What information do we collect?

Find out what information we collect about you, what types of personal data we handle and what we do with that information.

Your rights

UK data protection laws give you several rights in relation to the information that Blackburn with Darwen CCG holds about you.

About our Privacy Notice

What is a Privacy Notice?

A privacy notice is a statement that describes how Blackburn with Darwen CCG
collects, uses, retains and discloses personal information. Different organisations
sometimes use different terms and it can be referred to as a privacy statement, a fair
processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to
inform you:

  • Why we need your data
  • How it will be used and
  • Who it will be shared with

This information also explains what rights you have to control how we use your

The law determines how organisations can use personal information. The key laws
are: The Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA), and
the common law duty of confidentiality.

Within these pages we describe instances where Blackburn with Darwen CCG is the
“Data Controller”, for the purposes of the Data Protection Act 2018, and where we
direct or commission the processing of patient data to help deliver better healthcare,
or to assist the management of healthcare services.

Blackburn with Darwen CCG recognises the importance of protecting personal and
confidential information in all that we do, all we direct or commission, and takes care
to meet its legal duties.

This part of the fair processing notice outlines the management of the notice, contact
details and other access to information legislation.

Complaints about how we process your personal information
In the first instance, you should contact:

Customer Care Team
Jubilee House
Lancashire Business Park Leyland PR26 6TR
Freephone: 0800 032 2424
Telephone: 01772 777 952
Textphone: 01772 227 005
Email: mlcsu.customercarelancashire@nhs.net

If, however, you are not satisfied that your complaint has been resolved, you have
the right to contact the Information Commissioner to lodge a complaint:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Page 2 of 18
Wilmslow SK9 5AF
Tel: 0303 123 1113

Changes to our Privacy Notice
We keep our privacy notice under regular review and we will place any updates on
this web page. This notice was last updated on 18th November 2020.

Data Protection Notification
Blackburn with Darwen CCG is a ‘data controller’ under the DPA. We have notified
the Information Commissioner that we process personal data and the details are
publicly available from the:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
Registration number: ZA001552

How to contact us
Please contact us via our Data Protection Officer if you have any questions about
our privacy notice or information we hold about you:

Hayley Gidman
Head of Information Governance
Midlands and Lancashire CSU, Heron House, 120 Grove Road, Fenton, ST4 4LX
Email: hayley.gidman@nhs.net

The information we collect

What information do we collect about you?

We only collect and use your information for the lawful purposes of administering the
business of Blackburn with Darwen CCG.

We process personal information to enable us to support the provision of healthcare
services to patients, maintain our own accounts and records, promote our services,
and to support and manage our employees. In order to so effectively we are often
required to process personal data i.e. that which identifies a living individual.

We also process special category data. This is personal data which the Data
Protection Act 2018 (DPA) says is more sensitive, and so needs more protection:

  • racial and ethnic origin
  • offences (including alleged offences), criminal proceedings, outcomes and
  • trade union membership
  • religious or similar beliefs
  • employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for

In terms of patient information, the special category data we process includes:

  • physical or mental health details
  • racial and ethnic origin
  • sexual life

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident &
Emergency or using Community Care services, important information about you is
collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be
provided to other approved organisations, where there is a legal basis, to help with
planning services, improving care provided, research into developing new treatments
and preventing illness. All of these help to provide better health and care for you,
your family and future generations. Confidential personal information about your
health and care is only used in this way where allowed by law and would never be
used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to
be used in this way.

To find out more about the wider use of confidential personal information and to
register your choice to opt out if you do not want your data to be used in this way,
visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to
your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can
change your choice at any time.

How will Blackburn with Darwen CCG use information about you?

NHS Continuing Healthcare

Purpose and legal basis for processing
NHS Continuing Healthcare (CHC) is explained by NHS Choices here.

To determine if someone is eligible for CHC and to then arrange a care and support
package that meets their assessed needs, information about the individual will need
to be collected, reviewed and shared with care providers such as care homes. As the
CCG has a duty to provide CHC services, this allows for the collection of information
about individuals for this purpose, the use of that information and the sharing of it
with third parties who need to be involved in the process; we will make sure that we
keep the individual concerned informed at all times of who will be providing or
receiving data about them and why.

The National Health Service Commissioning Board and Clinical Commissioning
Groups (Responsibilities and Standing Rules) Regulations 2012, Part 6 places a
duty on CCGs to make provision for, i.e. provide, CHC services. Blackburn with
Darwen CCG commission Midlands and Lancashire Commissioning Support Unit to
provide these services on their behalf. As such, Blackburn with Darwen CCG’s legal
basis for processing this personal data under GDPR is Article 6(1)(e) ‘…exercise of
official authority…’. For special categories (health) data the basis is Article 9(2)(h)
‘…health or social care…’

Sources of the data
The personal data are submitted by the CCG and the applicant for review.

Categories of personal data
The information CCGs use to assess eligibility, and which may be submitted to an
Independent Review Panel, fall under the following headings:

  • behaviour
  • cognition (understanding)
  • communication
  • psychological/emotional needs
  • mobility
  • nutrition (food and drink)
  • continence
  • skin (including wounds and ulcers)
  • breathing
  • symptom control through drug therapies and medication
  • altered states of consciousness
  • other significant needs

The obtained records that relate to these areas may include Care Home records,
Health Records (for example GP, Hospital, Mental Health, District Nursing) and
Social Care Records.

Recipients of personal data
Categories of recipient’s Personal data relating to the application is received by
Midlands and Lancashire Commissioning Support Unit Continuing Healthcare teams
and the members of the review panel. An Independent Review Panel is made up of:

  • an independent chair
  • a representative nominated by a Clinical Commissioning Group (not involved
    in the case);
  • a representative nominated by a Local Authority (not involved in the case);
  • at times there is also a clinical advisor in attendance

Complaints & Enquiries

Purpose and Legal basis for processing
Most NHS care and treatment goes well but sometimes things can go wrong. If you
are unhappy with your care or the service you have received, it is important to let us
know so we can improve. When Blackburn with Darwen CCG receive a complaint,
to allow it to be fairly and thoroughly managed, in most cases personal information
will be required. CCGs have statutory duties (Section 6 of the Local Authority Social
Services and National Health Service Complaints [England] Regulations (2009)
(under section 113 “Complaints about Healthcare” of the Health and Social Care
(Community Health and Standards) Act 2003)) which allow the processing of
personal data in relation to complaints.

The legal basis we rely on to process your personal data is article 6(1)(e) of the
GDPR, which allows us to process personal data when this is necessary to perform
our public tasks as a CCG.

If the information you provide us in relation to your complaint contains special
category data, such as health, religious or ethnic information the legal basis we rely
on to process it is article 9(2)(g) of the GDPR, which also relates to our public task
and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the
DPA 2018 which relates to statutory and government purposes.

Sources of personal data
Blackburn with Darwen CCG will generally collect/receive information when
members of the public, their representatives, or members of Parliament, contact us
with concerns or enquiries. In order to process a complaint Blackburn with Darwen
CCG will collect the relevant information at the point of contact to enable the team to
provide a sufficient response to the request.

Categories of personal data
Information relating to complaints would generally include the following categories of
personal data:

  • Patient’s name
  • Patient’s address
  • Patient’s contact number
  • GP Surgery
  • Patient’s NHS number
  • Patient’s date of birth
  • Representative details (if applicable)
  • Representative address (if applicable)
  • The nature of the complaint

Recipients of personal data
The recipients of personal data relating to complaints include:

  • Any team within the CCG that may receive an enquiry or complaint
  • Midlands and Lancashire Commissioning Support Unit who manage
    complaints on behalf of the CCG under contract
  • Relevant providers (with the consent of the data subject) in order to fully
    investigate the complaint being made

Do we use any processors?
Yes — Blackburn with Darwen CCG commission Midlands and Lancashire
Commissioning Support Unit to provide these services on their behalf.

Communications & Engagement

Purpose and legal basis for processing
Blackburn with Darwen CCG offers various services to the public giving them the
opportunity to engage with us. This could be providing people with the latest news
and information from the CCG, opportunities, events and details on how to get

We have to hold the details of the people who have requested the service in order to
provide it. However, we only use these details to provide the service the person has
requested and for other closely related purposes. For example, we might use
information about people who have requested a publication to carry out a survey to
find out if they are happy with the level of service they received or if the information
is useful to them. We will never ask you to provide any personal data that will identify
you, in response to a survey. , although we may occasionally ask for the first part of
your post code. Any personal data received in responses is removed before
responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any
time and are given an easy way of doing this. Personal data collected for the above
purposes is only processed with the explicit consent of the data subject unless it
becomes apparent that we are required to process the personal data due to statutory
obligations such as investigating a complaint.

Source of personal data
The personal data is provided by data subjects when signing up to receive one of our
newsletters either via our website or by completing one of our sign-up forms at one
of our stakeholder events we hold from time to time.

Categories of Personal data
We only require you to provide us with your name and email address so that we can
send you our publications. Information regarding your gender, sexual orientation,
marital status and disabilities is collected so that we can ensure that our patient
involvement groups are representative of our population we serve. We may also use
it to send you targeted information or news. However, it is not mandatory to provide
this information.

Recipients of personal data
The information you provide as a member of one of our patient involvement groups
is never shared outside of Blackburn with Darwen CCG.

Do we use any processors?
We use MailChimp to manage our contact database and deliver our newsletters. For
more information, please see MailChimp’s Privacy notice.

Individual Funding Requests

Purpose and Legal basis for processing
The NHS has a duty to spend the money it receives from the Government in a fair
way, taking into account the health needs of the whole community. The CCGs role is
to ensure it gets best value for this money by spending it wisely on behalf of the

CCGs pay for local NHS health services and NHS England pays for highly
specialised health services. The CCGs have a legal duty to provide health services
for patients in the county with the fixed amount of money they have received from
the Government. They have a legal duty not to spend more than this. This means
that some hard choices have to be made. Not all treatments can be provided by the
NHS. Treatments that are limited by CCGs are shown in their Clinical
Commissioning Policies

However, the CCGs know that there will always be times when a patient would
benefit from a particular treatment not usually given by the NHS. To apply for this
treatment, an Individual Funding Request is made. To allow the CCG to consider
these requests, access to both personal and health information regarding the
individual to whom the request relates is required. As the National Health Service
Commissioning Board and Clinical Commissioning Groups (Responsibilities and
Standing Rules) Regulations 2012, Part 7, Regulation 34 places a duty on CCGs in
respect of the funding and commissioning of drugs and other treatments, this
provides the CCG with a legal basis to use personal data as part of this process.

Blackburn with Darwen CCG commission Midlands and Lancashire Commissioning
Support Unit (MLCSU) to provide these services on their behalf.

Source of personal data
The information may be provided by a clinician who submits an IFR application form
on behalf of a patient.

Categories of personal data
The IFR application form includes NHS number, name and address, date of birth,
GP details, diagnosis, requested intervention and other information relevant to the
request. Gender and ethnicity are also collected and held in anonymous form for
equality monitoring.

Categories of recipients
Applications are considered by an independent panel who have not been involved in
your treatment. The panel is made up of doctors, nurses, public health experts,
pharmacists, NHS England representatives and lay members and is led by a lay

Invoice Validation

Purpose and Legal basis for processing
Invoice validation is an important process. It involves using your NHS number to
check that we are the CCG that is responsible for paying for your treatment.

There are situations where identifiable patient personal data is required to ensure
that the correct service provider is paid.

In such cases, service providers are required to send identifiable patient personal
data such as the NHS Number to a Controlled Environment for Finance (CEfF).
Midlands and Lancashire Commissioning Support Unit is an accredited Controlled
Environment for Finance (CEfF) which enables them to process patient identifiable
information on behalf of Blackburn with Darwen CCG without consent for the
purposes of invoice validation. We will also use your NHS number to check whether
your care has been funded through specialist commissioning, which NHS England
will pay for. The process makes sure that the organisations providing your care are
paid correctly.

NHS England has published guidance on how invoices must be processed and
Commissioners have a duty to detect report and investigate any incidents of where a
breach of confidentiality has been made.

Under the NHS Act 2006, provision is made for the sharing of patient information that
is in the interests of improving patient care or deemed to be in the public interest.
This is commonly referred to as a Section 251 exemption that allows the common
law duty of confidentiality to be bypassed in order to fulfil a task in the interests of
improving patient care or in the public interest. The specific reference for this
exemption is: CAG 7–07(a)(b)©/2013. As such, our legal basis under GDPR is
Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data
the basis is Article 9(2)(h) ‘…health or social care…’.

Sources of the data

The sources of data are providers who submit invoices to  NHS Shared Business Services for payment.

Categories of Personal data
The data required for effective invoice validations can be found in appendix B. of
“Who Pays? Information Governance Advice for Invoice Validation” which you can
find here:

Recipients of personal data

Midlands and Lancashire Commissioning Support Unit is the only organisation that will have receive personal data relating to invoice validation as an accredited Controlled Environment for Finance.

Liaison Financial Services will receive personal data relating to invoice validation. This is for the purpose of completing Continuing Healthcare (CHC) retrospective financial one-off invoice validation reviews.  This enables Liaison to identify and recover overpayments made by the CCGs where invoices and payments have not been made in accordance with local policies, agreements or contracts.

Patient NHS Number is required to complete the reviews and it is the only common link between CCG transactions and externally held data (Mortality and SUS+ admissions data)

Liaison require the NHS Number to facilitate accurate record matching to enable them to complete the reviews where external data is required. Liaison will then identify where overpayments have been made regarding patients.

NHS Number is a permitted dataset field (Appendix B) within the CAG Section 251 approval under NHS England.

CAG approval (8J035 Liaisons DSP Reference Number) and Section 251 – CAG Reference Number — CAG 7–07(a‑c)/2013.

Risk stratification

Purpose and legal basis for processing
Health care commissioners need information about the treatment of patients to
review and plan current and future health care services. To do this they need to be
able to see information about the health care provided to patients which can include
patient level data.

The law says commissioners are not allowed to access Personal Confidential Data
(PCD) because they are not providing direct patient care. So they need an
intermediary service called Data Services for Commissioners Regional Office
(DSRCO), that specialise in processing, analysing and packaging patient information
within a secure environment into a format commissioners can legally use;
anonymised patient level data. You can find more comprehensive information about
this on the NHS Digital Website.

NHS Digital is able to disseminate data to commissioners under the Health and
Social Care Act (2012). The act provides the powers for NHS Digital to collect,
analyse and disseminate national data and statistical information. To access this
data organisations must submit an application and demonstrate that they meet the
appropriate governance and security requirements. For GDPR purposes Blackburn
with Darwen CCGs lawful basis for processing is Article 6(1)(e) ‘…exercise of official
authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health
or social care…’

NHS Digital, through its Data Services for Commissioners Regional Offices
(DSCROs), is permitted to collect, hold and process Personal Confidential Data
(PCD). This is for purposes beyond direct patient care to support NHS
commissioning organisations and the commissioning functions within local

GPs are able to identify individual patients from the risk stratified data when it is
necessary to discuss the outcome and consider preventative care, however the CCG
can never identify an individual from the risk stratified data that we see. Where the
risk stratification process has linked GP data to health data obtained from other
sources i.e. NHS Digital or other health care provider, the GP will ask for your
permission to access the details of that information.

Within Risk Stratification are assessment tools which score people according to certain criteria, however we don’t use them as the sole way of making decisions about patients as there is an element of human decision making.

There is profiling involved within risk stratification to gain knowledge of the risk profile of our population to help the CCG to commission appropriate services to improve health and wellbeing.

Source of personal data
Personal data is supplied by GPs and NHS Digital (commissioning data sets)

Categories of Personal data
Risk stratification tools use historic information about patients, such as age, gender,
diagnoses and patterns of hospital attendance and admission collected by NHS
Digital from NHS hospitals and community care services (Secondary Use Services
data). This is linked to data collected in GP practices and analysed to produce a risk

The Secondary Uses Service (SUS) is the single, comprehensive repository for
healthcare data in England which enables a range of reporting and analyses to
support the NHS in the delivery of healthcare services. Information on care provided
for all patients by Health Care Providers (both NHS and Independent Sector
Healthcare Providers for NHS patients only) must be submitted to the Secondary
Uses Service according to the Commissioning Data Set Mandated Data Flows

The data extract will exclude patients who have expressed a wish not to share
information. Reports produced from the system including identifiable data is only
provided back to your GP or member of your care team as data controller in an
identifiable form.

Your GP can provide more information about any risk stratification programme they
are using. Should you have any concerns about how your information is managed at
the surgery please contact the Practice Manager at your surgery to discuss how the
disclosure of your personal information can be limited.

Recipients of personal data
The combined CCGs Secondary Use Service (SUS) data and GP data which
contains an identifier (usually NHS number) is made available to clinicians with a
legitimate relationship with their patients to enable them to identify which patients
should be offered targeted preventative support to reduce those risks. Blackburn with
Darwen CCG does not have access to identifiable information.


Purposes and basis for processing
Blackburn with Darwen CCG is dedicated in ensuring that the principles and duties
of safeguarding adults and children are holistically, consistently and conscientiously
applied with the wellbeing of all, at the heart of what we do.

Our Legal basis for processing For the General Data Protection Regulation (GDPR)
purposes is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of
special categories data, the basis is Article 9(2)(b) – ‘processing is necessary for the
purposes of carrying out the obligations and exercising specific rights of the
controller or of the data subject in the field of employment and social security and
social protection law…’

Categories of personal data
The data collected by Blackburn with Darwen CCG staff including its hosted bodies
in the event of a safeguarding situation will be as much personal information as is
necessary or possible to obtain in order to handle the situation. In addition to some
basic demographics and contact details, we will also process details of what the
safeguarding concern is. This is likely to be special category information (such as
health information).

Sources of the data
Blackburn with Darwen CCG will either receive or collect information when someone
contacts the organisation with safeguarding concerns or we believe there may be
safeguarding concerns and make enquiries to relevant providers.

Recipients of personal data
The information is used by Blackburn with Darwen when handling a safeguarding
incident or concern. We may share information accordingly to ensure duty of care
and investigation as required with other partners such as Local Authorities, the
Police, healthcare professional (i.e. their GP or mental health team).

Medicines Optimisation

Purpose and legal basis for processing
Blackburn with Darwen CCG has a duty to secure continuous improvement in the
quality of services provided to individuals for or in connection with the prevention,
diagnosis or treatment of illness. Taking that into account, The Medicines
Management Team supports the CCG with commissioning services that make best
use of available medicines. Your personal data will be used to fulfil this duty in
respect of promoting cost-effective use of medicines as well as implementing
projects or actions to optimise the use of medicines to improve outcomes, enhance
patient safety and improve capacity within the local health economy.

The legal basis we rely on under GDPR is Article 6(1)(e) “processing is necessary
for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller.” For the special categories of data, we rely
on Article 9(2)(h) “processing is necessary for the purposes of….the provision of
health or social care or treatment”

Source of Data
Data used to fulfil the above duties is received directly from the primary and
secondary healthcare providers for which the CCG has responsibility for.

Categories of Data
Typically, clinicians and pharmacists will require access to patient information
including NHS Numbers and medication lists.

Recipients of Personal Data
Personal data is shared between the CCG and local healthcare providers including
GP Practices. They do this to facilitate the implementation of recommendations by
the Medicines Management Team.


Purpose and basis for processing
Blackburn with Darwen has a duty to the improvement of quality and delivery of
services and uses incident events, investigation, evidence and reports relating to
incidents under various policy and procedural structures.

An incident requiring investigation is defined as an incident that occurred in relation
to NHS funded services and care resulting in unexpected or avoidable death, harm
or injury to patient, carer, staff or visitor. In order to promote quality and compliance,
Blackburn with Darwen has several reporting protocols for incidents and provides
investigation and learning to improve systems and services they commission.

Categories of personal data
NHS Number and other personal details, including relevant healthcare records and
information about the incident, including others involved or impacted by the event are
used by the CCG to facilitate incident investigations.

Sources of the data
Data received in order to fulfil the duties relating to incident investigation will be
received directly from the reporting organisation, such as a GP practice or provider.

Recipient of personal data
Information relating to outcomes will be sent back to the relevant providers.

Children’s Information

We do not provide services directly to children or proactively collect their personal
information. However, we are sometimes given information about children while
handling a complaint or conducting an investigation. The information in the relevant
parts of this notice applies to children as well as adults.

Automated Decision Making

You have the right not to be subject to decisions based on automated processing which have a significant effect on you. Within Risk Stratification assessment tools which score people according to certain criteria, however we don’t use them as the sole way of making decisions about patients as there is an element of human decision making.

There is profiling involved within risk stratification to gain knowledge of the risk profile of our population to help the CCG to commission appropriate services to improve health and wellbeing.  Where we do that we will be open about the logic that we use, will use reliable processes and make sure the processing is secure.

How we use information provided by NHS Digital

We use information collected by NHS Digital from healthcare providers such as
hospitals, community services and GPs, which includes information about the
patients who have received care and treatment from the services that we fund.

The data we receive does not include patients’ names or home addresses, but it will
usually include information such as your NHS number, postcode, date of birth,
ethnicity and gender as well as coded information about your visits to clinics,
Emergency Department, hospital admissions and other NHS services.

The Secretary of State for Health has given limited permission for us (and other NHS
commissioners) to use certain confidential patient information when it is necessary
for our work and unless we have a legal basis to use identifiable data, de-identified
information is used for all purposes other than direct care. This approval is given
under Regulations made under Section 251 of the NHS Act 2006 and is based on
the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally
required to follow, which includes making a written commitment to NHS Digital that
we will not use information in any way that would reveal your identity.

You can find more information about this in the sections on invoice validations and
risk stratification.

Retaining Information

Information in the CCG is held for a specific length of time depending on the type of
information it is. The length of time we retain your information for is defined by the
NHS retention schedule which can be viewed online here:
NHS Digital Records Management Code of Practice for Health and Social Care 2016

Once information has been reviewed and is no longer required to be kept by a
retention period the information will be securely destroyed.

Security of your information
Blackburn with Darwen CCG take our duty to protect your personal information and
confidentiality seriously. We are committed to taking all reasonable measures to
ensure the confidentiality and security of personal data for which we are responsible,
whether computerised or on paper.

Alongside the Data Protection Officer (DPO), we have appointed a Senior
Information Risk Owner (SIRO) who is accountable for the management of all
information assets and any associated risks and incidents, and a ‘Caldicott Guardian’
who is responsible for the management of patient information and
patient confidentiality.

All staff are required to undertake annual information governance training and are
provided with an information governance handbook that they are required to read
and agree to adhere to. The handbook ensures that staff are aware of their
information governance responsibilities and follow best practice guidelines ensuring
the necessary safeguards and appropriate use of person-identifiable and confidential

Under the NHS Confidentiality Code of Conduct, all our staff are also required to
protect your information and inform you of how your information will be used. This
includes, in most circumstances, allowing you to decide if and how your information
can be shared.

Everyone working for the NHS is subject to the common law duty of
confidentiality. Information provided in confidence will only be used for the purposes
advised and consented to by the service user, unless it is required or permitted by
the law.

Your Rights

The right to be informed

You have the right to be informed about the collection and use of your personal data.
This privacy notice is one of Blackburn with Darwen CCG’s key methods for
providing you with this information. In addition to this notice, we will provide you with
more specific information at the time we collect personal data from you, such as
when you apply for Continuing Healthcare or make a complaint to us.

The right of access

You have the right to ask us for confirmation of whether we process data about you
and if we do, to have access to that data so you are aware and can verify the
lawfulness of the processing.

You can make your own application to see the information we hold about you, or you
can authorise someone else to make an application on your behalf. A child’s parent
or guardian, a patient representative, or a person appointed by the Court may also
apply. If you wish to ask us for confirmation of whether we process data about you or
access your personal data, then please contact:

Subject Access Lead
NHS Blackburn with Darwen Clinical Commissioning Group
Fusion House
Evolution Park
Haslingden Road
Phone: 01254 282000
Email: Claire.moir1@nhs.net

The right to rectification

You are entitled to have personal data that we hold about you rectified if it is
inaccurate or incomplete. If we have passed the data concerned on to others, we will
contact each recipient and inform them of the rectification — unless this proves
impossible or involves disproportionate effort. If this is the case, we will explain to
you why.

The right to erasure

You have the right to have personal data we hold about you erased and to prevent
processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for
    which it was originally collected/processed.
  • If you withdraw your consent for us to process your data (if this was the basis
    on which it was collected).
  • The personal data was unlawfully processed (i.e. a breach of UK data
    protection laws).
  • The personal data has to be erased in order to comply with a legal obligation.

However, if we have collected and are processing data about you to comply with a
legal obligation for the performance of a public interest task or exercise of official
authority, i.e. because we have a legal duty to do so in our functioning as a CCG,
then the right to erasure does not apply.

The right to restrict processing

You have the right to ‘block’ or suppress processing of your personal data which
means that if you exercise this right, we can still store your data but not to further
process it and will retain just enough information about you to ensure that the
restriction is respected in future.

You can ask us to restrict the processing of your personal data in the following

  • If you contest the accuracy of the data, we hold about you we will restrict the
    processing until the accuracy of the data has been verified;
  • If we are processing your data as it is necessary for the performance of a
    public interest task and you have objected to the processing, we will restrict
    processing while we consider whether our legitimate grounds for processing
    are overriding.;
  • If the processing of your personal data is found to be unlawful but you oppose
    erasure and request restriction instead; or
  • If we no longer need the data we hold about you, but you require the data to
    establish, exercise or defend a legal claim.

If we have disclosed the personal data in question to others, we will contact each
recipient and inform them of the restriction on the processing of the personal data -
unless this proves impossible or involves disproportionate effort. If asked to, we will
must also inform you about these recipients.

We will inform you if we decide to lift a restriction on processing.

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for
your own purposes across different services. It allows you to move, copy or transfer
personal data easily from one IT environment to another in a safe and secure way,
without hindrance to usability although it only applies where we are processing your
personal data based on your consent for us to do so or for the performance of a
contract and where the processing is carried out by automated means. This means
that currently, the CCG dos not hold any data which would be subject to the right to
data portability.

The right to object

Where the CCG processes personal data about you on the basis of being required to
do so for the performance of a task in the public interest/exercise of official authority,
you have a right to object to the processing.

You must have an objection on grounds relating to your particular situation.

If you raise an objection, we will no longer process the personal data we can
demonstrate compelling legitimate grounds for the processing which override your
interests, rights and freedoms or the processing is for the establishment, exercise or
defence of legal claims.

Rights in relation to automated decision making and profiling

You have the right not to be subject to decisions based on automated processing which have a significant effect on you.  Where there is automated decision making or processing, we will be open about the logic that we use, will use reliable processes and make sure the processing is secure.

The right to withdraw consent

If the CCG processes data about you on the basis that you have given your consent
for us to do so, you have the right to withdraw that consent at any time. Where
possible, we will make sure that you are able to withdraw your consent using the
same method as when you gave it.

If you withdraw your consent, we will stop the processing as soon as possible.


BwD CCG Employee Privacy Notice Aug20