Privacy Notice

The purpose of this notice is to inform you of the type of information (including personal information) that the Integrated Care Board (ICB) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.

This notice applies to all information held by the ICB relating to individuals, whether you are a current or previous patient / service user. It covers information collected directly from you or received from other individuals or organisations. The ICB also holds data from the closed ICBs Suffolk and South East Essex ICB and Norfolk and Waveney ICB.

This notice is not exhaustive; however, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to our Data Protection Officer.

We revise the Privacy Notice regularly to ensure that it continually provides transparent information about the use of your data. This notice was last reviewed in April 2026. 

An Easy Read version of this privacy notice is also available.

The ICB uses and processes several different types of information, such as:

  • Anonymised information – information about individuals with identifiable details removed.
  • Aggregated data – statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data. 
  • Pseudonymised data – individual-level information where identifiable information is replaced with a code which does not reveal an individual’s “real world” identity. However, if required, the data can be used, under strict rules, by your health care provider to identify you using a deciphered code.
  • Identifiable information – containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth

Throughout this Notice you will see reference to an organisation called NHS England. They are the national body responsible for data management and information processing in health and social care. NHS England is legally responsible for receiving specific identifiable information from Providers in a secure manner, so that it can be reformatted into a pseudonymised dataset that can be legally used by the ICB.

Norfolk and Suffolk Integrated Care Board collects data from various sources (this is not an exhaustive list):

  • Directly from you, as a request for a service, to investigate a concern etc.
  • Family members or carers to support your care
  • Other health and care organisations involved in your care so that we can provide you with care e.g., Care Homes, GPs
  • Provider organisations we commission to provide services, such as hospitals, community organisations, transport services etc.
  • Local Authorities
  • NHS England
  • Members of Parliament (if they raise an enquiry or complaint on your behalf with your consent)
  • Parliamentary and Health Service Ombudsman

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use Pseudonymised / anonymised data for this purpose which will mean you would not be able to be identified from that information.

Examples of this include:

  • Evaluation and review of services such as checking their quality and efficiency
  • Checking NHS accounts and services
  • Working out what illnesses people will have in the future so that we can work with the local primary care services, community services and hospital services to make sure that patient needs are met
  • Preparing performance reports about the services we commission
  • Reviewing the care we commission to make sure it is of the highest standard

The ICB will use patient data to analyse the health of a population. This is required for the commissioning of health services, or to help target preventive care at certain groups of patients.  If we use your information for the above reasons, we will remove your name and other details which could identify you. 

We will only use information that may identify you (known also as personal confidential data) in accordance with the: Data Protection Act 2018 – The Data Protection Act requires us to have a legal basis if we wish to process any personal information.

As a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where we do hold and use personal information because of our assigned responsibilities. In order to process that information, we will have met a legal requirement. In general this is where we have complied with one of the following:

  • The information is necessary for facilitating direct healthcare for patients
  • We have received consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
  • We have special permission for health purposes (granted by the Health Research Authority Section 251)
  • For the health and safety of others, for example to report an infectious disease such as COVID-19, meningitis or measles

Circumstances where we might need to use personal information

The areas where we use personal information are:

  • Individual Funding Requests (IFR) – a process where patients and their GPs can request special treatments not routinely funded by the NHS (GDPR Article 6 (1)(e) Public Task, GDPR Article 9 (2)(h) Health)
  • Continuing Healthcare Assessments (a package of care for those with complex medical needs) (GDPR Article 6 (1)(a) Consent, GDPR Article 9 (2)(h) Health)
  • The Medicines Management team work closely with the GP practices to support effective prescribing (GDPR Article 6 (1)(e) Public Task, GDPR Article 9 (2)(h) Health)
  • Social Prescribing Team (GDPR Article 6 (1)(e) Public Task, GDPR Article 9 (2)(h) Health)
  • Responding to your queries, concerns or complaints (GDPR Article 6 (1)(a) Consent, GDPR Article 9 (2)(a) Explicit Consent)
  • Incident investigations (GDPR Article 6 (1)(e) Public Task, GDPR Article 9 (2)(h) Health)
  • Assessment and evaluation of safeguarding concerns for individuals (GDPR Article 6 (1)(e) Public Task, GDPR Article 9 (2)(h) Health)
  • If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations (GDPR Article 6 (1)(a) Consent)
  • To assess the needs of the general population (Section 251 of the National Health Service Act 2006)
  • To process job applications (GDPR Article 6 (1)(b) Contract)

As a result of the above processing activities, the information held by the ICBs about you may contain information provided by a relative, carer, health professional, social care provider, or those who are / have been directly involved in your health and social care.

We work with several other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We contract with other organisations to provide a range of services to us such as IT services, Payroll, and other support services. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.

We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Current external data processors:

  • NHS Arden and Greater East Midlands CSU – Data Services for Commissioners Regional Offices (DSCRO), a regional secure service provided to the ICB by NHS England via the CSU; primary care IT Service Provider; commissioning intelligence analysis
  • Prescribing Services Limited – provider of risk stratification and population health management tools
  • NHS Resolution – management of claims
  • TIAA – Internal Audit
  • Ernst & Young – External Audit – National Fraud Initiative – GOV.UK (www.gov.uk)
  • Grant Thornton – Counter Fraud Service
  • NHS England
  • NHS Improvement
  • Public Health England
  • Optum Health Solutions (UK) Limited – population health management
  • Liaison Group and Xyla – Continuing Healthcare & Invoice Validation
  • Norfolk Community Health & Care NHS Trust (NCH&C) – IT Service Provider
  • NHS Midlands and Lancashire Commissioning Support Unit – supporting the community deprivation of liberty safeguard applications to the court of protection
  • Wavenet System – for telephony systems
  • Amazon Web Services – cloud hosting
  • Liaison Financial Services – CHC invoicing
  • Snowflake software for data processing

Information may also be required to be shared for your benefit with other non-NHS Health and Social Care partner organisations from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation, such as:

  • There is a risk of harm to someone or the wider community
  • The prevention or detection of a serious crime
  • Where we are required to do so by law
  • Reporting some infectious diseases
  • Prevention and detection of fraud – National Fraud Initiative (NFI)

If we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.

The ICB is party to several information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to, social services, education services, local authorities, police, and public health. NHS England allows the ICB to sub-license commissioning data sets. A list of sub-licensees can be found here. For further details, please see NHS England sub-licensing information here.

Your data protection rights

NHS Norfolk and Suffolk ICB observes your rights, provided by the UK GDPR as detailed below. To enable the ICB to observe your rights it will be necessary to process your information in the administration of your request.

This notice informs you how the ICB will use your information for the purposes of managing the local healthcare system.

You have the general right to see or be given a copy of personal data an organisation holds about you. This is known as a Subject Access Request. Full details of how to raise a request can be found in the ICB’s Subject Access Request & Information Rights Policy, which is available on our website. Further information on Subject Access Requests can be found via the Information Commissioner’s Office (ICO): For the public | ICO

The NHS Constitution states, “you have a right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered”. These are known as opt-outs and are available at different levels. Further details of how to opt out are contained within this Notice.

Under UK GDPR you have the right to have inaccurate (i.e. incorrect or misleading) personal data rectified or completed, if you feel that there are omissions (subject to the original purpose for the processing).   You can make this request either in writing or verbally, however the ICB has a duty to ensure that we have taken all reasonable steps to check that the information is correct.

This is also known as the “right to be forgotten”.  You can request that your information is erased if:

  • Your personal data is no longer necessary for the purpose it was originally collected and/or processed by the ICB
  • You wish to withdraw your consent for the ICB to hold your data and there is no overriding legitimate interest or legal obligation for the ICB to continue to process your data
  • You consider that the ICB has processed your information unlawfully; or
  • You have to exercise your right to erasure in order to comply with a legal obligation

We will communicate any erasure of information to anyone to whom it has been disclosed unless this is not possible or involves disproportionate effort. We will tell you who those recipients are if you ask us. We will also ensure that your information is erased from any backup systems as well as live systems.

The right to erasure is not an absolute right and so there may be situations where your request cannot be satisfied, such as:
  • The ICB must retain your data in order to comply with a legal obligation
  • The ICB is required to process your data to carry out a task in the public interest or in the exercise of an official authority
  • The ICB must retain your information for archiving purposes in the public interest, such as scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously hinder our ability to process information for commissioning purposes
  • Where the ICB needs to retain your data for the purposes of a defence or legal claim; or
  • In the case of special category data;
    • where we need to process data to protect the public’s health such as protecting against cross-border health threats and pandemics; and/or
    • where a health professional processes data for the purposes of preventative or occupational medicine.

The ICB can also refuse to comply with your request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.  In these circumstances we can:

  • request a “reasonable fee” to deal with your request, based on the administrative costs we may incur; or
  • inform you within one calendar month that we must refuse your request.

You have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file.
 
You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.
 
As ICBs are not health care providers, we are unable to arrange the transfer of your medical files.  However, we can arrange to transfer any information you have provided to us with your consent.   You can make this request in writing using the contact details below, stating what information you would like transferred and to whom.

The ICB will not publish any information that identifies you or routinely disclose any information about you without your express permission.
 
You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision.  Please note that you can only raise an objection if your information is being processed to:

  • Carry out a task in the public interest
  • Fulfil the ICB’s legitimate interests
  • Conduct scientific or historical research or for statistical purposes; or
  • Conduct direct marketing

When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short.
 
In many circumstances, you have a right to prevent automated processing.
 
The ICB uses an automated decision-making tool for recruitment purposes, to enable us to short list candidates for interview without revealing the identity of the applicant during the application process. This is to ensure that our selection process is only based on the individual’s suitability for the job, rather than prior knowledge of who the applicant is. 
 
In addition, an automated decision-making tool is used to identify whether a group of patients is at risk of a deterioration in their health. By exercising an opt-out, your data will be excluded from an automated decision-making tool.

You have the right to be confident that organisations handle your personal information responsibly and in line with good practice.  You can raise a concern about the way the ICB is handling your information if you feel:

  • We are not keeping your information secure;
  • We are holding inaccurate information about you;
  • We have disclosed information about you;
  • We are keeping information about you for longer than is necessary; or
  • We have collected information for one reason and are using it for something else;

Details of our complaints procedure are contained within this Notice.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at: [email protected] if you wish to make a request.

National and Local Opt-Out if you don’t want your data shared

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.

There are different opt-outs available to you if you do not wish your data to be shared in an identifiable form.

Type of opt-out: Withdrawing consent – Information given directly to the ICB

Description and purpose: Where we have received information from you directly using your consent, you can withdraw this at any time.

If there is an overriding legal obligation for us to hold or share your personal information, meaning we cannot comply with your request, we will provide you with full details of the reason why.

How to opt out: You can withdraw your consent at any point by contacting the ICB using the contact details below.

Type of opt-out: Local Opt outs – Information shared with the ICB for secondary use purposes

Description and purpose: To help us manage the local health and social care system, the ICB may use anonymised or pseudonymised data that is shared with us by other health and social care services and ICS partner organisations. As this use of data is not for your direct care, this is called secondary use of data.

Risk stratification: An example of this is Risk Stratification. This use allows us to provide the services that are needed, in the right areas, helping to promote good health and social care and reducing health inequalities.

Further information on Risk Stratification is available in the Risk Stratification section of this notice.

Research: Your information is shared with the ICB and pseudonymised, and linked with other information within our Data Hub. Once it is pseudonymised, the ICB are allowed to use it for commissioning purposes, planning and evaluation of services, research and evaluation of conditions.

Data Hub: Your pseudonymised information is used to help develop services and identify any health care needs you could benefit from. If you do not want your data used in this way you can opt out.

How to opt out: If you do not wish for your personal data to be used for Risk Stratification or Research, you can choose to exercise a local opt out by contacting the ICB as below.

Address:
NHS Norfolk & Waveney Integrated Care Board
8th Floor, County Hall
Martineau Lane
Norwich
NR1 2DH

Email address: [email protected]
Telephone Number: 01603 595857

Type of opt-out: Local Opt out – Information shared between Health and Social Care organisations for direct care purposes

Description and purpose: Shared Care Record
Shared Care Record (ShCR) – Norfolk and Waveney ICS (improvinglivesnw.org.uk)

The ICB facilitate a service called the Shared Care Record, where health organisations securely upload specific health data which can then be accessed securely by other health and social care providers. If you do not want your information shared in this way, the ICB facilitate these opt outs. The ICB do not have access to your health information but can facilitate your opt out choice.

How to opt out: If you do not wish for your information to be accessed for the purpose of your direct care in this way, you may opt out by emailing: [email protected] with your:
  • Full Name,
  • Date of Birth and
  • NHS number.

Please be aware that this may create clinical risks as health and care professionals will not see your records as easily.

Type of opt-out: The National Opt out – Research. Can be applied to information provided to the ICB from organisations that provide NHS services.

Description and purpose: NHS England share your health information with the ICB to enable commissioning and planning of services to meet your needs (such as treatment and diagnosis codes, referral activity collected from organisations such as hospitals). This information is pseudonymised. The information can also be used as part of research if you allow this.

National Opt Out means that your information cannot be used for research but is still used in a pseudonymised format by the ICB for commissioning purposes.

How to opt out: You are able to opt out from the use of your personal data for research and planning purposes. This is known as the National Data Opt Out. See the NHS pages for more information: National Data Opt-Out – NHS England Digital. Your choice to opt out will have no negative impact on your individual care.

You can check or update your opt-out preference via the following link: https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/

What information we hold and what we do with it

This is not an exhaustive list; the following pages provide key examples of the personal information ICB collects.

Our lawful bases for processing personal information are Public Task and Explicit Consent.

The General Data Protection Regulation definition for processing

Public Task

  • Article 6(1)(e) of GDPR: (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Article 9(2)(h) of GDPR: (h) Health or social care (with a basis in law): (preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services)

Explicit Consent

  • Article 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Article 9(2)(a) of GDPR: (a) Explicit consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Where the Common Law Duty of Confidentiality applies information is usually shared under Implied or Explicit Consent.

Purpose, Legal Basis and Processing Activities details for:

  • Care Service Activities Privacy Notice
  • Commissioning and reporting
  • Corporate Functions Privacy Notice
  • Quality and Research Privacy Notice

Further details

The Lampard Inquiry is an independent statutory inquiry established under the Inquiries Act 2005, investigating the deaths of mental health inpatients in Essex.

There are three Integrated Care Boards (ICBs) that have responsibility for commissioning most NHS health services in Essex: Mid and South Essex ICB, Hertfordshire and West Essex ICB, and Suffolk and North East Essex ICB (SNEE). The ICBs will be working collaboratively in response to the Inquiry. Norfolk and Suffolk ICB will take ownership of some records following the closure of SNEE.

The ICBs are committed to engaging with the Inquiry with openness and transparency to support the Chair’s full investigation, to learn as organisations from the Inquiry’s findings, and to understand and respond to the needs of people accessing mental health services across Essex.

  • Article 6 (1) (c) legal obligation, in this case compliance with a notice made under section 21 of the Inquiries Act 2005
  • Article 9 (2) (g) substantial public interest on the basis of law, to meet the statutory functions of the Inquiry

To find out more information about the Inquiry, please visit the Lampard Inquiry’s webpage.

NHS England is progressing the plan to delegate 59 specialised commissioning services to ICBs. These services will be supported via Integrated Care Boards. Further information on which services will be supported by Norfolk and Suffolk ICB will be provided here in the coming months.

The NHS England website has more information on how commissioning is changing, integrated care and their commissioning road map.

Population Health Management (PHM) – is helping Norfolk & Suffolk Integrated Care System (ICS) understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services and make better use of public resources.

We use historical and current patient level data to understand what factors are driving poor outcomes in different population groups. We then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.

This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be re-identified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.

To carry out this data linkage, your data will be handled by the NHS Arden and GEM Support Unit (AGEM), part of NHS England. AGEM will pseudonymise the data and enable linkage to other local and national data sources in order to undertake appropriate analyses. The resulting linked datasets will be shared securely with the ICB analytical team and Optum Health Solutions, who act as a Data Processor for the ICB, to carry out any further analysis required to support improvements in the local population’s health and to help target health and social care resources effectively. Pseudonymised data is also shared with Sub-Licensees. Please refer to How we use your information – Norfolk & Suffolk ICB for more information about Sub-Licensing.

PHM is a partnership approach across the NHS and other public services; the outputs of the PHM programme will be shared across these organisations. All have a role to play in addressing the interdependent issues that affect people’s health and wellbeing.

Risk Stratification / Health Risk Screening Tool

  • Why is it important?

Risk stratification helps identify individuals at higher risk for developing certain health conditions, enabling earlier and more targeted interventions. By pinpointing these individuals early on, healthcare providers can implement targeted interventions that are both timely and effective. The importance of prevention cannot be overstated; proactive measures are often more effective and cost-efficient than treatment after a condition has developed.

Utilising data analytics to predict which patients may experience complications or deteriorating health empowers healthcare professionals to focus their efforts on the most vulnerable populations. For instance, if data analysis reveals that certain patients are at heightened risk for chronic conditions such as heart disease, diabetes, or respiratory illnesses, these individuals can be offered more frequent monitoring, lifestyle modifications, and personalised treatment plans.

This approach not only improves patient outcomes by preventing hospitalisations and emergencies but also reduces the strain on healthcare services, making it a key tool for efficient resource management. With limited resources, risk stratification allows the NHS and care providers to prioritize care where it’s needed most, ultimately leading to a healthier population and more sustainable healthcare systems.

  • How will it be done?

The process of risk stratification will be executed through advanced algorithms and data analysis techniques that assess patient data to identify those at elevated risk for conditions like diabetes, heart disease, or respiratory issues.

To conduct risk stratification, national datasets are linked with GP data via the NHS Number (or the pre-pseudonymised data as per PHM above) and an algorithm is applied to produce risk scores. Risk Stratification provides focus for future demands by enabling Commissioners to prepare plans for both individual and groups of vulnerable patients who may require elevated levels of care. Risk Stratification also enables General Practitioners (GPs) to better target intervention in Primary Care.

GPs have access to a risk stratification tool called Eclipse, which utilises sophisticated predictive analytics to stratify patients, allowing the ICB to identify at-risk cohorts effectively. Initially, patient data is de-identified to protect privacy, but it can be re-identified by the relevant patient’s registered GP practice when direct care is necessary. The ICB ensures that the entire process complies with all legal and ethical standards, safeguarding patient confidentiality while allowing for informed clinical decision-making.

  • Data Processing Activities

The ICB processes this data internally. Data is also processed by NHS Arden and GEM Commissioning Support Unit (AGEM) and Prescribing Services Ltd (Eclipse) on behalf of the ICB.

  • What will be the outcomes?

The primary outcomes of effective risk stratification will be a more focused and proactive approach to patient care, particularly for those identified as high-risk. These patients will receive tailored interventions designed to reduce the likelihood of serious health events, such as hospital admissions or complications arising from chronic conditions.

This proactive approach will not only enhance individual patient outcomes but will also lead to a more efficient allocation of healthcare resources. By focusing on prevention rather than reactive treatment, the ICB can ensure that care is delivered to those who need it most, ultimately contributing to the overall health of the population and the sustainability of healthcare services. Furthermore, the insights gained from risk stratification efforts will enable continuous improvements in care delivery, helping to address and reduce health inequalities across the community.

  • Legal Basis

UK GDPR Article 6(1)(e): processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

UK GDPR Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

A Section 251 approval (23/CAG/0127) from the Secretary of State, through the Confidentiality Advisory Group (CAG) of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

The CAG register can be found on the NHS Health Research Authority website.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

  • If you wish to Opt-out / object to your information being used in this way

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do not wish your data to be included in the risk stratification service (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, you can contact the ICB’s Contact Us team at [email protected] or contact your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the Risk Stratification programme.

How we store your information and keep it safe

We are committed to protecting your privacy and will only process personal information in accordance with relevant legislation, such as UK GDPR and the Data Protection Act 2018, the common law duty of confidentiality, the Data Use & Access Act 2025 and the Human Rights Act 1998.

NHS Norfolk and Suffolk ICB as a data controller is legally responsible for ensuring that all personal information is processed in accordance with data protection legislation, and that you can exercise your rights in respect of your information.

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff, contractors and committee members will receive appropriate training on confidentiality of information, and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to make sure that the information we hold is secure, such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption, and ensuring that information is transferred safely and securely.

All data controllers must register their processing activities with the Information Commissioner’s Office (ICO). 

Everyone working for the NHS has a legal obligation to keep information about you confidential. The NHS Constitution provides a commitment that all NHS organisations and those providing care under an NHS contract will use records about you in ways that respect your rights and promote your health and wellbeing.

The ICB works with our data processors to ensure that information is held in secure locations with restricted access to authorised personnel only. We protect any personal information that is held on our systems with encryption so that it cannot be accessed by those who do not have permission to do so.

Retention and Destruction of records

In Health and Care, all organisations apply retention schedules in accordance with the NHS Records Management Code of Practice 2021, which determines the length of time records should be kept.

Use of Artificial Intelligence (AI)

We may use AI‑enabled systems to support the delivery of our services, including tools that analyse patterns, assist decision‑making, or help us improve the quality and safety of care. Where we use AI, we ensure that decisions affecting you are always subject to human oversight, and that appropriate safeguards are in place to protect your rights and freedoms.

We will only use your personal data in AI systems where we have a clear legal basis, a defined purpose, and where a Data Protection Impact Assessment has been completed. If AI involves automated processing that could have a significant effect on you, we will explain the logic involved, the significance and consequences of the processing, and your right to request human review, express your views, or challenge the outcome.

We do not use patient-identifiable data in publicly available generative AI tools, and we do not use AI to make solely automated decisions about your care.

If you have a concern or complaint on how we use your data

If you have any concerns about our use of your personal information or how we have processed your request, you can make a complaint to us at:

Data Protection Officer (DPO)
Norfolk and Suffolk Integrated Care Board
Floor 8, County Hall
Martineau Lane
Norwich
NR1 2DH

Or email the Data Protection Officer at: [email protected]

We will always endeavour to resolve the matter to your satisfaction. However, if you are not happy with the response, you can also complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
Make a complaint about how an organisation has used your personal information | ICO
ICO website: https://www.ico.org.uk

Copyright © 2026 Norfolk and Suffolk Integrated Care Board