Data Controller
NHS West Yorkshire Integrated Care Board
Purpose
Information from health and social care records, using the NHS Number provided via the Secondary Uses Service (SUS) at NHS Digital, is looked at to identify groups of patients who would benefit from some additional help from their GP or care team.
This is known as ‘Risk Stratification’. Risk stratification involves applying computer-based algorithms to secondary and primary care information to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.
We are not allowed to access personal records of service users, so we receive de-identified information for risk stratification.
This de-identified information is provided to us by a service called Data Services for Commissioners Regional Office (DSRCO). They specialise in converting patient information, within a secure environment, into a format commissioners can legally use; anonymised patient level information. You can find more comprehensive information about this on the NHS Digital Website.
GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care, however the ICB cannot identify an individual from the risk stratified data that we see.
Lawful basis
The ICB’s legal basis for processing this personal data under the UK GDPR is Article 6(1) e exercise of official authority.
For special category data the basis is Article 9(2) h management of health or social care systems and services.
A section 251 approval (CAG 7-04(a)/2013) from the Secretary of State, through the Health Research Authority’s Confidentiality Advisory Group enables the pseudonymised information to be sent to the ICB via NHS Digital in order to help us plan the most appropriate health services for our population.
Type of information used
Only pseudonymised information (NHS number removed) is accessible to the ICB.
Only GP Practices have access to identifiable information (NHS Number) of their own patients in order to see who may benefit from additional help.
Who we will share the information with (recipients)
This information is not shared outside of the ICB.
Do we use any processors
Data Services for Commissioners Regional Office (DSCRO) hosted by North of England Commissioning Support (NECS)
The Health Informatics Service (THIS), our IT supplier who store all our information securely on their servers.
Microsoft Azure, supported by IT staff, host our data.
How we collect (the source) and use the information
We get this information from NHS Digital, who are able to share this with us under the Health and Social Care Act (2012). This allows NHS Digital to collect, analyse and share national data and statistical information. To access this information, we must submit an application and demonstrate that we meet the appropriate governance and security requirements.
Primary Care data extracted from individual GP practices and Secondary Care data (collected nationally via the Secondary Uses Service): Inpatient, Outpatient, Accident and Emergency is passed to the Data Services for Commissioners Regional Office (DSCRO) so that the information can be linked.
- De-identified information is made available to the ICB to provide a picture of the health and needs of the local population, which enables:
- priorities to be determined in the management and use of resources;
- planning services;
- cover the range of potential questions, and issues they may need to consider, and to support and evidence decisions.
How long we will keep the information
Datasets received from NHS Digital are retained for as long as the Data Sharing Agreement is in place.
Your Rights
With regards to risk stratification and PHM under the UK GDPR you have the following rights:
- The right to be informed about the processing of your data (this notice)
- The right of access to the data held about you
- The right to have that information amended in the event that it is not accurate
- The right to restrict processing
- The right to object to processing
- Right not to be subjected to automated decision making and profiling
- To be notified of data breaches