Data Controller

NHS West Yorkshire Integrated Care Board

Purpose

The ICB collects and uses information from Serious Incident reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately and lessons are learnt.

Lawful basis

GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

Related legislation:

NHS Act 2006/Health and Social Care Act 2012.

GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

Type of information used

Identifiable: Personal (such as name, address, date of birth) and Special Category Data.

Who we will share the information with (recipients)

Your information may be shared with Primary and Secondary healthcare providers involved in the incident.

Where there is a requirement to provide incident reports externally, the information will be anonymised unless there is a legal requirement to provide your details.

Do we use any processors?

The Datix system is used to record serious incidents received by the ICB.

The Health Informatics Service (THIS), our IT supplier, stores all our information securely on its servers.

Microsoft Azure, supported by IT staff, hosts our data.

How we collect (the source) and use the information

We are statutorily required to fully investigate and review incidents and will receive information from Primary and Secondary Care Providers.

Where information is to be shared externally, you will be kept informed of the requirements we must meet.

How long we will keep the information

20 years.

Your Rights

With regard to Serious Incident reports, under the UK GDPR you have the following rights: