Home > Publications > Privacy notice – risk stratification

Privacy notice – risk stratification

We commission services on your behalf and provide clinical data about you to GP surgeries relating to risk stratification.

NHS South West London Integrated Care Board (ICB) commissions services on your behalf and provides clinical data about you relating to risk stratification in order to support your GP in assessing the provision and use of services where you have applied for these services.

This data is used to assess whether you meet the criteria for funding for these services and to enable provision of services thereafter.

People who have access to your information will only have access to that which they need to fulfil their roles.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to comply with our legal obligations. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

Controller contact details

NHS South West London ICB

120 the Broadway

Wimbledon

London SW19 1RH

020 3880 0308
[email protected]

Data protection officer contact details

Data protection officer

[email protected]

Purpose of the processing

Risk stratification

Your healthcare provider uses your data to provide the best care they can for you.  As part of this process, your healthcare provider will use your personal and health data to undertake risk stratification, also known as case finding.

Risk stratification involves applying computer based algorithms, or calculations, to identify those patients registered with the healthcare organisation who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

To identify those patients individually from the patient community registered with your healthcare provider would be a lengthy and time-consuming process, which would by its nature potentially not identify individuals quickly and increase the time to improve care.

Your healthcare organisation uses the services of a health partner, NHS NEL Integrated Care Board (ICB), to identify those most in need of preventative or improved care.  This contract is arranged by us.

Neither we nor NHS NEL ICB will at any time have access to your personal or confidential data. They act on behalf of your healthcare provider to organise this service with appropriate contractual and security measures only.

NHS NEL ICB will process your personal and confidential data without any staff being able to view the data, the data is in a pseudonymised format, this means that the data can be re-identified by your healthcare provider but it cannot be re-identified by organisations processing your data. Typically, they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. 

Data is extracted from your healthcare providers computer system, automatically processed, and only your healthcare provider is able to view the outcome, matching results against patients on their system, this is completed through a dashboard held on the Health Insights system.

The Health Insights system is a system where NHS NEL ICB provide all information to your healthcare provider in dashboard format with the ability for your healthcare provider to reidentify your information.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your healthcare provider remains accountable for how your data is processed. However, if you wish, you can ask your healthcare provider for your data not to be processed for this purpose and your healthcare provider will mark your record as not to be extracted so it is not sent to NHS NEL ICB for risk stratification purposes.

Lawful basis for  processing

The processing of personal data in the delivery of risk stratification and for providers’ administrative purposes in this surgery and in support of direct care elsewhere  is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…” 

Common law duty of confidentiality

We recognise the requirement to comply with the common law duty of confidentiality*, the processing of this information is supported by the Secretary of State under section 251 of the NHS Act 2006.

Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. 

  • SWL GP practice
  • London Ambulance Service
  • Practice Plus Group (PPG) 111 service provider
  • SWL Acute Trusts
  • Local Authority for Adult Social Care data
  • Mental Health Trusts

Rights to object and national data opt out

You have the right to object to some or all the information being processed under Article 21. Please contact the Controller. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

National data opt out for secondary purposes, the national data opt out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

Under the national data opt-out, everyone who uses publicly-funded health and/or care services can stop health and care organisations from sharing their “confidential patient information” with other organisations if it is not about managing or delivering their own care.

Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

Retention period

The data will be retained in line with the law and national guidance.

Right to complain

You have the right to complain to the Information Commissioner’s Office (ICO).

Contact the ICO online or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales.

Visit the ICO

References

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • There is a reasonable expectation from the data subject that the data will be shared with organisations for the specific purpose of their direct care.
  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.