General Data Protection Regulation
The General Data Protection Regulation regulates the processing of information relating to living individuals, including the collecting, holding, use and sharing (disclosure) of such information. NHS Warwickshire North CCG, as a Data Controller, is required to ensure that the principles of the GDPR are adhered to, ensuring we are legally compliant in the way we collect and use your information.
Data Controller
A person (individual or organisation) who determines the purposes for which, and the manner in which, your identifiable information will be collected and used. Data Controllers must ensure that any collection and use of identifiable information complies with the principles of the General Data Protection Regulation. For health and social care organisations the Data Controller will be the organisation holding your information. Providing a complete, factually correct and easy to read Privacy Notice is just one of the requirements of a Data Controller. Warwickshire North CCG is the Data Controller unless otherwise stated in this Privacy Notice.
Data Processor
Any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. Data Processors are not directly subject to the General Data Protection Regulation, but the Information Commissioner, who is statutorily responsible for ensuring organisations comply with the Regulation, recommends that organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing, with a written contract in place. Please see our sharing information page for further information about the controls we ensure are in place before making agreements with any data processors, and for a list of data processors contracted by NHS Warwickshire North CCG in our capacity as Data Controller. There is further information detailing the use of data processors in the section informing you of the details of information collected and used for specific purposes.
Consent
Consent describes your informed agreement for something to happen after you have considered it. For consent to be legally valid, you must be informed, must have the capacity to make the decision in question and must give consent voluntarily. In the context of consent to share information, this means you should know and understand how your information is to be used and shared (there should be ‘no surprises’) and you should understand the implications of your decision, particularly where your refusal to allow information to be shared is likely to affect the care you receive. This applies to both explicit and implicit consent.
Explicit consent
Explicit consent is unmistakeable. It can be given in writing or verbally, or conveyed through another form of communication such as signing. You may have the capacity to give consent, but may not be able to write or speak. Explicit consent is required when sharing information with staff who are not part of the team caring for you. It may also be required for a use other than that for which the information was originally collected, or when sharing is not related to your direct health and social care.
Implied consent
Implied consent is applicable only within the context of the direct care of individuals. It refers to instances where your consent can be implied without you having to take any positive action, such as giving your verbal agreement for a specific aspect of information sharing to proceed. One example of implied consent is where a GP makes a referral to a community or hospital service: we would consider your consent as implied when discussing the referral with you. Another example is a ward handover in a hospital setting: the sharing of your identifiable information in this situation is required for your care, and you would not expect to be asked to provide explicit consent at each ward handover.
Personal Confidential Data
Within the NHS and in social care organisations the term Personal Confidential Data is used to describe identifiable information which you have provided in confidence, for example in discussion with your GP or hospital specialist. This information should be kept private or secure. For the purposes of this Privacy Notice, ‘identifiable information’ includes the General Data Protection Regulation definition of personal data, but it is adapted to include dead as well as living people; ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, and is adapted to include ‘sensitive information’ as defined in the General Data Protection Regulation.
Caldicott Guardian
A senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS organisation is required to have a Caldicott Guardian; this was mandated for the NHS in 1999.
Data Protection Officer (DPO)
The DPO is a natural, identifiable person who informs and advises the CCG and its data processors, monitors their compliance, and is a primary contact for data subjects and the Information Commissioner’s Office (ICO). The DPO works with staff in Information Governance. CCG staff consult the DPO when, for example, conducting a Data Protection Impact Assessment (DPIA) and when serious personal data breaches need to be reported to the ICO.
The DPO for the CCG is Judith Jordan, the Arden & GEM Head of Integrated Governance. Contact her on firstname.lastname@example.org or (0121) 611 0730.
Data Security and Protection Toolkit
An online system which allows NHS and social care organisations to assess themselves, or be assessed, against Information Governance policies and standards. It also allows members of the public to view participating organisations’ IG Toolkit assessments.
Information Governance
The set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at a senior level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.