We use the following types of information/data:

• identifiable (personal/special category data) – containing details that identify individuals

• pseudonomised – about individuals but with identifying details (such as name or NHS number) replaced with a unique code

• anonymised – about individuals but with identifying details removed

• aggregated – anonymised information grouped together so that it doesn’t identify individuals

We use anonymised data to plan health care services. Specifically we use it to:

• check the quality and efficiency of the health services we commission

• prepare performance reports on the services we commission

• work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future

• review the care being provided to make sure it is of the highest standard

There are some limited exceptions where we may hold and use special category and personal information about you. For example the ICB is required by law to perform certain services that involve the processing of special category personal information.

The areas where we use special category and personal information include:

• the process where you or your GP can request treatments that are not routinely funded by the NHS, which are known as Individual Funding Requests. The lawful basis for this processing is based on the consent you will have provided to enable this request to be processed

• assessments for continuing healthcare and appeals. The lawful basis for this processing is based on the consent you will have provided to enable these assessments to take place

• responding to your queries, compliments or concerns. The lawful basis for this processing is to enable us to fulfil our legal obligations when you contact us in relation to the above. If your information needs to be shared further in relation to complaints or concerns then your consent will be sought for this additional processing.

• assessment and evaluation of safeguarding concerns. The lawful basis for this processing is to enable the ICB to fulfil a public task, in which case the processing has a clear basis in law.

• where there is a provision permitting the use of special category personal information under specific conditions, for example to:

– understand the local population needs and plan for future requirements, which is known as “risk stratification for commissioning”. – ensure that the ICB is billed accurately for the treatment of its patients, which is known as “invoice validation”.

The lawful basis for processing data in relation to the above is on the basis of fulfilling a public task, in which case the processing has a clear basis in law. Special category and personal information may also be used in the following cases:

• where the information is necessary for your direct healthcare, in which case the processing will be based on consent you have provided

• where we are responding to a Member of Parliament communication on our behalf where the processing will be based on consent you have provided

• where you have voluntarily given your informed agreement (consent) for us to use your information for a specific purpose

• where there is an overriding public interest in using the information e. g., in order to safeguard an individual or to prevent a serious crime. The lawful basis for processing data in relation to the above is on the basis of fulfilling a public task, in which case the processing has a clear basis in law.

• Where there is a legal requirement that will allow us to use or provide information (e.g. a formal court order). The lawful basis for processing data in relation to the above is on the basis of fulfilling a public task, in this case the processing has a clear basis in law.

GP Data and Secondary Uses Service (SUS) data (in-patient, out-patient and A&E) may be de-identified and linked so that it can be used by us to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as SUS data.

In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc., as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity, as the ICB does not have any access to patient identifiable data through this process.

We also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person is processed.

How we use your data

Health care commissioners need information about the treatment of patients to review and plan current and future health care services. To do this they need to be able to see information about the health care provided to patients which can include patient level data.

The law says commissioners are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. As such, they need an intermediary service called Data Services for Commissioners Regional Office (DSCRO), that specialise in processing, analysing and packaging patient information within a secure environment into a format that commissioners can legally use, anonymised patient level data. You can find more comprehensive information about this on the former NHS Digital website.

Lawful basis

Personal data which is processed for the purposes of risk stratification:

Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller..’.

Article 9(2)(h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..’.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.  

The use of identifiable data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval under the Health Services (Control of Patient Information) Regulations 2002, under section 251 of the NHS Act 2006). Further information on Section 251 can be obtained by clicking here. This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but the ICB staff will only be able to see information in a format that does not reveal your identity.

NHS England (formerly NHS Digital) can disseminate data to commissioners under the Health and Social Care Act (2022). The act provides the powers for NHS England to collect, analyse and disseminate national data and statistical information. To access this data, organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements.

NHS England, through its DSCROs, is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care to support NHS commissioning organisations and the commissioning functions within local authorities.

GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care, however the ICB can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS England or other health care provider, the GP will ask for your permission to access the details of that information.

Sources of the data

Personal data is supplied into the national DSCRO arrangements by GPs and NHS England (commissioning data sets).

Data Processors

The ICB has agreements in place with the following organisations to process Risk Stratification Data:

NHS Arden and Greater East Midlands Commissioning Support Unit

Prescribing Services Ltd

Categories of data

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS England from NHS hospitals and community care services (Secondary Use Services data). This is linked to data collected in GP practices and analysed to produce a risk score.

The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Information on care provided for all patients by Health Care Providers (both NHS and Independent Sector Healthcare Providers for NHS patients only) must be submitted to the Secondary Uses Service according to the Commissioning Data Set Mandated Data Flows guidelines.

Data from the GP practice system will be obtained by using a ‘bulk data extract’, uploaded directly by the risk stratification tool supplier (AGEM CSU) from the practice system. Prior to the upload, the supplier will obtain permission from the practice to request the data from the practice system provider and the practice will notify their system providers that this permission has been granted.

The data extract will EXCLUDE patients who have expressed a wish not to share information. Reports produced from the system, including identifiable data, is only provided back to your GP or member of your care team as data controller in an identifiable form. Your GP can provide more information about any risk stratification programme they are using. Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager at your surgery to discuss how the disclosure of your personal information can be limited.

Recipients of data

The combined ICB Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks. 

The ICB does not have access to identifiable information.

Opt out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service you can choose to opt-out. You can contact your GP practice who can apply a code which will stop your identifiable information being used for Risk Stratification purposes or you can contact the ICB who will inform your GP practice and ask them to apply the opt-out code to ensure that your information is not used in the programme.

You can contact the ICB by email, phone or post:

The validation of invoices is undertaken in line with NHS requirements to ensure that the ICB is paying for treatments relating to its patients only. The ICB receives identifiable data into its Controlled Environment for Finance (CEfF) to securely support the invoice validation process.

As a Data Controller the ICB is allowed to process Personal Confidential Data (PCD) which is required for invoice validation purposes under an authorisation from NHS England. This approval is subject to a set of conditions. The lawful basis for this processing is to fulfil our public task under the Health Service (Control of Patient Information) Regulations 2002 (a) also known as ‘section 251 support’) and details of Confidentiality Advisory Group (CAG) approval CAG 7- 07(a-c)/2013 are provided at https://www.hra.nhs.uk/planning-and-improving-research/application-summaries/confidentiality-advisory-group-registers/

Where information from which you can be identified is held, you have the right to ask to:

• view this or request copies of the records by making a Subject Access Request. Further details on this are available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Under the General Data Protection Regulation, which is effective in UK law through the Data Protection Act 2018, individual rights are summarised as

• The right to be informed

• The right of access

• The right to rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• Rights in relation to automated decision making and profiling

In relation to healthcare records some of these rights are qualified rights. If you require further information regarding these rights or to access records we may hold about you please contact the ICB Data Protection Officer using the details provided earlier in this document.

We only use information that may identify you in accordance with the Data Protection Act 2018. The Data Protection Act requires us to process personal data only if there is a lawful basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

The law and the common law duty of confidentiality apply to all of our staff. They are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All ICB staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the ICB and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

The ICB has an Executive Director, responsible for protecting the confidentiality of patient information. This person is also the Caldicott Guardian.

The ICB is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by ICB name).

All records held by the ICB will be kept for the duration specified in the NHS national guidance “Records Management Code of Practice for Health and Social Care 2021”.

View the latest Records Management Code of Practice 2021

The ICB does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your of your own personal health care records please apply to your GP Practice, the hospital or NHS organisation which provided your health care.

Every individual has the right to see, or have a copy, of data held that identifies you, known as a Subject Access Request. You do not need to give a reason to see your data. Under special circumstances, some information may be withheld.

If you wish to have a copy of the information we hold about you, please contact the ICB Data Protection Officer using the details provided earlier in this document.

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

Your request must be made in writing and can be either posted or emailed to those who manage the service on behalf of the ICB, at the address details below:

FOI Lead

NHS Lincolnshire Integrated Care Board
Bridge House
The Point
Lions Way
Sleaford
Lincolnshire NG34 8GG

Email: agcsu.foi.lincs@nhs.net

You can contact the ICO office via https://ico.org.uk/global/contact-us/

Forms We do use electronic forms on our website making use of an available ‘forms module’ which has a number of built-in features to help ensure privacy. We also aim to use secure forms where appropriate, in compliance with EU legislation.

Cookies are small. We do not make use of cookies to collect any private or personally identifiable information. The technical platform of this website uses cookies solely to aid the proper technical functioning of the website. The cookies used contain random strings of characters alongside minimal information about the state and session of the website – which in no way collects or discloses any personal information about you as a visitor.

If you chose to, for any secure pages of this website, you can elect to save login information in a cookie to facilitate faster login to a private area of this site. A notification is given before any such cookie is dropped, and the process is ultimately within your control. Even where this is used, the cookie still contains minimal authentication information, and does not contain any private or personal data.

Advanced areas of this site may use cookies to store your presentation preferences in a purely technical fashion with no individually identifiable information. Note also our statement on analytics software below – as analytics software also uses cookies to function. Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org

Google Analytics sets the following cookies:

gtag.js cookies

The following table describes each cookie set by gtag.js. To learn more about the data that Analytics collects, see Safeguarding your data.

Cookie name: _ga | Default expiration time: 2 years | Description: Used to distinguish users

Cookie name: _ga <container-id> | Default expiration time: 2 years | Description: Used to persist session state.

For further information, please visit: : https://support.google.com/analytics/answer/11397207?hl=en

You can opt out of Google Analytics Cookies

Our platform operates with a clear data retention policy in order to comply with the Privacy Enhancing Technology guidance from the Information Commissioner. This means that data has predefined time limits for storage and is only retained by the system for as long as it is considered useful.