Our uses of information

Although this is not an exhaustive list, the following table gives key examples of the purposes for which we collect and process information, and the rationale for each:

Purpose / Activity / Rationale
Complaints
To process your personal information if it relates to a complaint where you have asked for our help or involvement.
Legal Basis – Explicit consent – We will need to rely on your explicit consent to undertake such activities.
Complaint Processing Activities
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We will publish service user stories, following upheld complaints, anonymously via our governing body. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we publish the service user story.
Funding Treatments
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

This may be called an “Individual Funding Request” (IFR).

Legal Basis – Direct Care Provision – GDPR Article 9(2)(h) – Processing is necessary for the …. provision of health or social care or treatment or the management of health or social care systems and services.
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
Continuing Healthcare
We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.

Legal Basis – Direct Care Provision – GDPR Article 9(2)(h) – Processing is necessary for the …. provision of health or social care or treatment or the management of health or social care systems and services.

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
Safeguarding
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Legal Basis – Statutory – Care Act 2012
Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.
Risk Stratification
Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Legal Basis – Section 251 NHS Act 2006
We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

Commissioning Benefits
Typically this is because patients have a long-term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Data Processing Activities
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.

The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

The service provider that acts as our data processor for Risk Stratification purposes is the North of England Commissioning Support Unit (CSU).

The CCG has commissioned North of England CSU to conduct risk stratification on behalf of itself and its GP practices.

This processing for risk stratification takes place under contract with the North of England CSU, following the steps below:

• The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your Acute Hospital attendances for risk stratification purposes and has signed an NHS Digital data sharing contract for the SUS data.

• Your GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number for those patients who have not objected to Risk Stratification or for whom no Type 1 objection has been made. The data, containing the same verified NHS numbers, are sent via secure transfer, directly into the landing stage of the North of England CSU system.

• Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and NHS Digital. No identifiable data of any patient is seen by North of England CSU staff.

• North of England CSU has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient.
The risk scores are only made available to authorised users within the GP Practice where you are registered via a secure portal.

This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
Invoice Validation
A small amount of information that could identify you is used within a special secure area within the commissioning environment, known as a Controlled Environment for Finance (CEfF), so that the organisations that have provided care for you can be paid.

The process ensures that those who provide you with care and treatment are reimbursed correctly for this.

Legal Basis – Section 251 NHS Act 2006, Health and Social Care Act 2012

NHS Manchester CCG is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables us to process patient identifiable information without consent for the purposes of invoice validation – CAG 7-07(a)(b)(c)/2013.

Commissioning Benefits
Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may design a service where the payment is all or partly based on the providers ensuring the service user has a healthy outcome. In such instances, we use your personal confidential data to ensure that we are paying the right amount for the right services to the right people.

Processing Activities
We have a signed Controlled Environment for Finance assurance statement which we submitted to NHS England.

The invoice validation process involves using your NHS number and occasionally your postcode or date of birth to establish which NHS organisation is responsible for paying for your treatment.
The minimum amount of information about you is used.

We have commissioned NHS Shared Business Services to provide this service for us in their Controlled Environments for Finance.
All invoices received through this service are stored securely within the Controlled Environment for Finance and are accessible only to authorised team members.

The requirements which they comply with, within the Controlled Environment for Finance to protect your privacy, can be found on the NHS England website.

Further information about invoice validation may be found at: https://www.england.nhs.uk/ourwork/tsd/ig/in-val/invoice-validation-faqs/
Patient and Public Involvement
If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Legal Basis – Explicit consent – We will rely on your consent for this purpose.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
Commissioning
To collect NHS data about patients that we are responsible for to support the planning and monitoring of health care services.

Legal Basis – Section 251 NHS Act 2006, Health and Social Care Act 2012

Processing Activities
Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.

This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population and to gain evidence that will improve health and care through research.

The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital Services website.

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:

• Performance managing contracts;

• Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;

• To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;

• To help us plan future services to ensure they continue to meet our local population needs;

• To reconcile claims for payments for services received in your GP Practice;

• To audit NHS accounts and services;
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.
For other organisations to provide support services for us
This often involves those organisations processing data on our behalf.

Legal Basis – GDPR Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.

These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:

• North of England CSU – Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, Continuing Healthcare, Individual Funding Requests, Medicines Optimisation, HR

• Iron Mountain – Archiving of Records

• Internal and External Audit related purposes

• NHSLA – Claims Management

• NHS Property Services – The CCG’s Confidential Waste Disposal liaison

• Shared Business Service – Staff Payroll

These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
National Registries
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006 to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Research
To support research-oriented proposals and activities in our commissioning system.
Legal Basis – Explicit consent – Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.
Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Processing Activities
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.
Medicines Management and Optimisation
Our medicines optimisation team work with GP practices to provide advice on medicines and prescribing queries which generally don’t require your personal data.

Legal Basis – Direct Care Provision – GDPR Article 9(2)(h) – “Processing is necessary for the …. provision of health or social care or treatment or the management of health or social care systems and services” and/or explicit consent.

Processing Activities
Our medicines optimisation team work with your GP practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and the most effective option. No personal data is removed from the practice and no changes are made to patients’ records without permission from the GP. Patient records may be viewed from the CCG’s premises only if GPs have agreed to this working practice.

The medicines optimisation team processes the details and monitors the prescribing practice of Non-Medical Prescribers (NMPs), who are employed by GP practices and Primary Care providers within the vicinity of the CCG. This is to ensure prescribing costs are attributed to the correct prescriber and prescribing budget whilst ensuring patients receive the most appropriate, safe, up to date and cost-effective treatments.
Incident Management
We are accountable for effective governance and learning following all Serious Incidents (SIs) and work closely with all provider organisations as well as commissioning staff members to ensure all SIs are reported and managed appropriately.

Legal Basis – Statutory – Serious Incident Framework 2015
GM Care Record
The GM Care Record is an electronic record allowing health and social care professionals who are directly involved in your care to share a summary of information about you. It enables them to coordinate your care more efficiently.

The GM Care Record contains Personal Confidential Data which is only available in health settings across Greater Manchester. It can only be accessed by authorised staff with a legitimate lawful basis.

Legal Basis – Health and social care organisations have a duty to share personal data under s251B of the Health and Social Care Act 2012, where it is:

(a) likely to facilitate the provision to the individual of health services or social care in England, and
(b) in the individual’s best interests.