Fair Processing Notice (Privacy Notice)

Who we are and what we do

Brighton and Hove Federation is responsible for delivering some NHS services in Primary Medical Care (i.e., General Practice). These include both locally-commissioned services and the Enhanced Access service. We also have a performance monitoring role for these services, which includes ensuring that the highest quality of healthcare is provided, and responding to any patient concerns about the services offered.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes:

• the General Data Protection Regulation (EU) 2016/679 (GDPR);
• the Data Protection Act (DPA) 2018;
• the Law Enforcement Directive (Directive (EU) 2016/680) (LED); and
• any applicable national Laws (including implementing any amendments).

The legislation requires us to process personal data only if there is a legitimate basis for doing so, and any processing must be fair and lawful.

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, and the processing and sharing of personal data, including: the Human Rights Act 1998; the Health and Social Care Act 2012, as amended by the Health and Social Care (Safety and Quality) Act 2015; the common law duty of confidentiality; and the Privacy and Electronic Communications (EC Directive) Regulations.

Using your information

In undertaking our role, Brighton and Hove Federation needs to hold some information about our Practices’ registered patients, service users and local populations. This page outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this.

We need to use information about our patients and population to enable us to provide and support the direct care of individuals, and to ensure we commission services which meet the needs of our patients and population. Within the health sector, we follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

Brighton and Hove Federation has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. Our Caldicott Guardian is Dr Rowan Brown, who is also a Director

The Caldicott Guardian is supported by our Data Protection Officer, who is responsible for:

• monitoring compliance with Data Protection legislations (General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (DPA) 2018);
• our Information Governance Policies;
• providing advice and guidance;
• raising awareness;
• training; and
• audits.

The Data Protection Officer acts as a contact point for the Information Commissioner’s Office, employees and the public. They co-operate with the Information Commissioner’s Office, and will consult on any other matter relevant to Data Protection. Our Data Protection Officer is Laura Taw.

Brighton and Hove Federation is a Data Controller and is registered with the Information Commissioner’s Office to collect data for a variety of purposes. Our registration number is ZB338906 and a copy of the registration is available through the Information Commissioner’s Office website

What kind of information do we use?

As a commissioned service provider, we hold or have access to your medical records and we hold personal information about you. We use the following types of information/data:

We use the following types of information/data:

• Personal Data – This means any information relating to an identified or identifiable person. This includes information that would enable someone to be identified, directly or indirectly, if revealed. For example: a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
• Special Categories of Personal Data – This includes data about someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes processing genetic data, biometric data for the purpose of uniquely identifying someone, and data concerning someone’s health, sex life or sexual orientation.
• Confidential Patient Information – This term describes information or data relating to, for example, someone’s health (or other matters) which is disclosed in circumstances where it is reasonable to expect that the information will be held in confidence (e.g., by a patient to a clinician). It includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. As described in the Confidentiality: NHS code of Practice: Department of Health guidance on confidentiality 2003.
• Pseudonymised - The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity (e.g., by assigning a number to each person’s data in a list).
• Anonymised – Data in a form that does not identify individuals and where identification through its combination with other data is not likely to take place.
• Aggregated - Statistical data about several individuals that has been combined to show general trends or values, without identifying individuals within the data.

What do we use your Personal and Special categories of Personal Data for?

Staff at Brighton and Hove Federation who help with your medical care maintain records about your health and about any treatment or care you have or have received previously. These records help to provide you with the best possible healthcare.

The information we hold is on secure, NHS-approved systems and part of your records. This may include:

• Details about you, such as your address, carer, legal representative, and/or emergency contact details
• We also record:
  • Any contact Brighton and Hove Federation has had with you;
  • Notes and reports about your health;
  • Details about your treatment, medication and care;
  • Relevant information from other health professionals; and
  • Information from relatives or those who care for you.

Information held about you may be used to help protect the health of the public and to help us manage NHS services. Information may be used within Brighton and Hove Federation for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

What do we use non-identifiable data for?

We use pseudonymised, anonymised and aggregated data to plan healthcare services and help support NHS Clinical Commissioning Groups for commissioned services. Specifically, we use it to:

• check the quality and efficiency of the health services we provide or commission;
• prepare performance reports on the services we provide or commission;
• review the care being provided to make sure it is of the highest standard;
• Evaluate the services we provide or commission, or those commissioned on our behalf; and
• Support the regional and national initiatives through the Integrated Care Systems.

Do we share your information with other organisations?

We may share anonymised statistical information for the purpose of improving local services. For example, understanding how our population’s health and the services provided compare with similar services in other geographical areas, so we can share good practice. We do not share information outside of the European Economic Area (EEA).

We would not share information that identifies you unless we have a fair and lawful basis such as:

• It is for direct care;
• You have given us permission;
• We need to act to protect children and/or vulnerable adults;
• When a formal court order has been served upon us;
• When we are lawfully required to report certain information to the appropriate authorities (e.g., to prevent fraud or a serious crime);
• Emergency Planning reasons, such as for protecting the health and safety of others; or
• When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

How we process information

Data may be anonymised and combined with other data sets so that it can be used to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure that individuals cannot be identified.

We may also contract with other organisations to process data, some of which could identify a person. These organisations are known as Data Processors. We ensure external Data Processors that support us are legally and contractually bound to operate, and they are required to prove that robust security arrangements are in place.

Some examples of the ways we use data are listed below, including for reporting purposes and with other organisation, in line with the reasons stated above. The following list includes the purpose and legal basis for sharing this information, and whether the organisation in question also acts as the Data Processor.

Primary Care Network

• Purpose: Supporting and building on Primary Care services and enabling greater provision of proactive, personalised, coordinated, and more integrated health and social care. More integrated working will enable the provision of better care for patients, more proactive care for people and communities, and savings for the NHS.
• Legal Basis: the General Data Protection Regulation (EU) 2016/679 (GDPR) article 6(1)e Statutory Function under the Primary Care Network Direct Enhanced Service agreement, article 9(2)h Direct Care.
• Data Processor: We process this information on behalf of the Primary Care Network and the Lead Controller within the PCN

Quality monitoring, concerns and serious incidents

• Purpose: We need to ensure that the health services you receive are safe, effective and of excellent quality. Sometimes concerns are raised about the care provided, or an incident has happened that we need to investigate. You may not have made a complaint to us directly, but the healthcare professional looking after you may decide that we need to know about an incident that involved you, to help us make improvements.
• Legal Basis: We have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26 to secure continuous improvement in the quality of services provided. We will rely on your explicit consent as the basis to undertake such activities.
• Data Processor: We process this information ourselves.

Freedom of Information (FOI) requests

• Purpose: We sometimes need to process personal information to respond to someone’s Freedom of Information (FOI) request.
• Legal Basis: The Freedom of Information Act.
• Data Processor: We process this information ourselves.

Safeguarding

• Purpose: Safeguarding means protecting peoples' health, wellbeing and human rights, and enabling them to live free from harm, abuse and neglect. It is a key part of providing high-quality health and social care. Brighton and Hove Federation will participate in Serious Case Reviews undertaken by the local Children’s and Adult’s Safeguarding Boards to support continued learning, minimise risk and improve services.
• Legal Basis: We have a statutory responsibility under the Children Act 2004, Care Act 2014 and Safeguarding provision within the Data Protection Act 2018 – Schedule 1, Part 2, subsections 18 and 19  to ensure the safety of all children, and the safety of adults at risk of abuse and neglect.
• Data Processors: We may undertake this ourselves, or refer you to the relevant local commissioner.

Patient and Public Involvement

• Purpose: If you have asked us to keep you regularly informed and up to date about the work of Brighton and Hove Federation, or if you are actively involved in our engagement and consultation activities or Patient Participation Groups, we will collect and process data which you have agreed to share with us. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can contact us at any time to opt out of this.
• Legal Basis: We will ask for your explicit consent for this purpose.
• Data Processor: We process this information ourselves.

Commissioning, planning and contract monitoring

• Purpose: To collect NHS data about services we have commissioned to provide care for you. We also work with local Clinical Commissioning Groups and other local GP Federations, and often hold joint contracts and commission joint services to make best use of the money available to us. We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you.
• Legal Basis: Our legal basis for collecting and processing information for this purpose is statutory under the Health & Social Care Act 2012 chapter A2 establishment and duties
• Data Processor: We process this information ourselves

Infection Control

• Purpose: Brighton and Hove Federation has an obligation for carrying out Infection Control surveillances. This work is undertaken by a clinician with support from Practices and acute NHS Trusts, to provide the relevant information for the investigation to be undertaken and outcomes derived. The surveillance reports produce actions and lessons learnt that contribute to continuously improving patients’ care and safety, as well as clinical learning
• Legal Basis: The Health Service (Control of Patient Information) Regulations 2002 Paragraph 3 enables the lawful processing of patient information in relation to diagnosing, recognising trends, controlling, preventing, monitoring and managing communicable diseases and other risks to public health.Mandatory Health Care Associated Infection Surveillance: Data Quality Statement April 2016 (PHE)
• Data Processor: We process this information ourselves.

Cabinet Office

• Purpose: We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. The Cabinet Office is responsible for carrying out data matching exercises, which involve comparing the computer records held by one or more organisations against each other to see how far they match. These records usually contain personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
• Legal Basis: The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the General Data Protection Regulation (EU) 2016/679 (GDPR). Data matching by the Cabinet Office is subject to a Code of Practice. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information
• Data Processor: We process this information ourselves

Research

• Purpose: Anonymised data (that does not identify you) may be collected for research purposes. The law does not require your consent to be obtained in this case, but notifications will be made available to you (e.g., in waiting rooms, leaflets, on notice boards or waiting room screens) where your anonymised data is used for the purposes of research. Where identifiable data is needed for research, you may be approached by an organisation who has provided you with care and asked if you wish to participate in a research study. Where identifiable data is required, an organisation must obtain explicit consent. A member of the research team will discuss the research study with you and provide you with information on what the study is about, what information they wish to collect, how to opt out and who to contact for more information. If you do not wish for your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.
• Legal Basis: Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. If this is not possible, then the organisation wishing to use your information will need to seek formal approval from the Confidentiality Advisory Group (CAG). For further information please visit the NHS Health Research Authority website

Commissioners

• Purpose: Contract monitoring and commissioning of services.
• Legal Basis: NHS Act 2006 & Health and Social Care Act 2012
• Data Processor: We process this information ourselves.

Surveys and asking for your feedback

• Purpose: Sometimes we may invite you to take part in a survey and provide feedback about our services. We will not generally ask you to give us any personal confidential information as part of any survey.
• Legal Basis: You are under no obligation to take part. If you choose to do so, we consider your participation as consent to hold and use the responses you give us.
• Data Processor: We process this information ourselves

Enhanced Access Service (also known as “Extended hours”)

• Purpose: To provide additional clinical appointment to the population with the geographical area. This is for provision of routine appointments outside of normal surgery hours (weekdays 6:30-8pm, Saturdays 9:00-17:00, Sundays 9:00-16:00). This will not usually be with a patient’s regular GP and so patients will need to consent to their records being shared with the Federation.
• Legal Basis: Direct Care - Data Protection Legislation, Article 6 1(3) & 9 2(h)
• Data Processor: We process this information ourselves

Acute and Community Providers

• Purpose: We receive data and information from various (Data?) Controllers in acute and community environments, and Clinical Partners (our Practices) to improve the health outcomes of patients.
• Legal Basis: Direct Care - Data Protection Legislation, Article 6 1(3) & 9 2(h)
• Data Processor: We process this information ourselves.

Pharmacists

• Purpose: Anonymous data is collected by Brighton and Hove Federation to provide monitoring and advice to GP Practices in line with the National Directive For Prescribing
• Legal Basis: Direct Care - Data Protection Legislation, Article 6 1(3) & 9 2(h)
• Data Processor: We process this information ourselves using GP Practice systems.

National Registries

• Purpose: to collect data about the health status of patients and the health care they receive over varying periods of time to support the improvement and development of services
• Legal Basis: National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
• Data Processor: We process this information ourselves

Public Health England

• Purpose: National objective to improve health outcomes of patients in the UK and to communicatecommunicable diseases.
• Legal Basis: Direct Care - Data Protection Legislation, Article 6 1(3) & 9 2(g & h)
• Data Processor: Public Health England.

Other organisations who provide support services for us

• Purpose: Brighton and Hove Federation uses the services of other organisations (besides those listed above) to provide additional expertise to support the work of our local commissioners
• Legal Basis: We hold contracts with other organisations to provide some services for us or on our behalf. These organisations may data and could be identified as Data Processor
• Data Processor: The relevant organisation will process the information on our behalf

What safeguards are in place to ensure data that identifies me is secure?

The NHS Digital Code of Practice on Confidential Information applies to all staff and anyone acting on behalf of Brighton and Hove Federation. They, and we, are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. We expect them to make sure information is kept confidential and undertake annual training on how to do this. This is monitored by Brighton and Hove Federation and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which codes data so that unauthorised users cannot see or make sense of it).

How long do we hold information for?

All records held by Brighton and Hove Federation will be kept for the duration specified by national guidance from NHS Digital, Records Management Code of Practice 2021, and we keep a record of retention schedules within our Information Asset Registers, in line with the Code. Information that is identified for destruction is disposed of in the most appropriate way. Personal, confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures.

Your right to opt out of data sharing and processing

The NHS Constitution states: ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’ For further information please visit: The NHS Constitution

National Data opt out

The National Data Opt-Out was introduced on 25 May 2018 to enable patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs

The National Data Opt-Out replaces the previous ‘type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. All type 2 opt-outs recorded on or before 11 October 2018 have been automatically converted to a National Data Opt-Out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the National Data Opt-Out. For more information go to National data opt out programme

Accessing data we hold about you

Brighton and Hove Federation does not directly provide healthcare services. If you wish to have sight of, or obtain copies of, your personal healthcare records you will need to apply to your GP Practice, the hospital or the NHS organisation which provided your healthcare.

For information from which you can be identified, you have the right to:

• View this, or request copies, of the records by making a Right of Access Request under the General Data Protection Regulation (GDPR);
• Request information is corrected/rectified;
• Have inaccurate information updated;
• Request information is erased (where applicable);
• Request for your data to be made portable (where applicable); and
• ask us to stop processing information about you where we are not required to do so by law (where applicable).

Everybody has the right to see, or have a copy of, the data we hold that can identify them, with some exceptions. You do not need to give a reason to see your data. If you want to access your data, you must make the request in writing, using our contact form or verbally with a member of staff. Under special circumstances, some information may be withheld.

Automated Decision Making

Brighton and Hove Federation will not make decisions based solely on automated processing.

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by, or on behalf of, public authorities; promoting a culture of openness and accountability across the public sector. You can request any information that we hold that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Legislation under the Freedom of Information Act 2000. However, you can request this under a Right of Access Request (see ‘Accessing data we hold about you’ above).

MAKE A FREEDOM OF INFORMATION REQUEST

For independent advice about data protection, privacy, data sharing issues and your rights you can contact the Information Commissioner’s Office

Complaints or questions

We try to meet the highest standards when collecting and using personal information. We therefore take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading, or inappropriate. You can contact us:

• By telephone: 01273 003330;
• By post: Comments & Complaints Team; Preston Park House, South Road, Brighton, East Sussex, England, BN1 6SB
• In person: By speaking with a member of staff;
• Via our online form

Links to other websites

This Privacy Notice does not cover the links within this site linking to other websites. We encourage you to read the Privacy Statements on the other websites you visit.

Changes to this privacy notice

We keep our Privacy Notice under regular review. This Fair Processing Notice was last updated in February 2023.