Privacy Notice

NHS Cheshire and Merseyside - an Integrated Care Board - has various roles and responsibilities, but a major part of our work involves making sure that:

  • Contracts are in place with local health service providers
  • Routine and emergency NHS services are available to patients
  • Those services provide high quality care and value for money
  • Services are paid for the care and treatment they have provided 

This is called “commissioning”. Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

As a commissioning organisation, our purpose is not to provide direct care and so we do not routinely hold or receive information about patients and service users in relation to your care. We do however sometimes hold information from which people can be identified to enable us to fulfil our responsibilities as outlined above and this is explained in this notice.

  • What information do we collect?

    Find out what information we collect about you, what types of personal data we handle and what we do with that information.

  • Your Rights

    UK data protection laws give you several rights in relation to the information that the ICB holds about you.

What is a Privacy Notice?

A privacy notice is a statement that describes how NHS Cheshire and Merseyside collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and
  • Who it will be shared with

This information also explains what rights you have to control how we use your information.

The law determines how organisations can use personal information. The key laws are: The Data Protection Act 2018 (DPA18), the Human Rights Act 1998 (HRA), and the common law duty of confidentiality.

Within these pages we describe instances where NHS Cheshire and Merseyside is the “Data Controller”, for the purposes of the Data Protection Act 2018, and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

NHS Cheshire and Merseyside recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission and takes care to meet its legal duties.

This part of the fair processing notice outlines the management of the notice, contact details and other access to information legislation.

Complaints about how we process your personal information

In the first instance, you should contact;

NHS Cheshire and Merseyside’s Data Protection Officer Hayley Gidman:

If, however, you are not satisfied that your complaint has been resolved, you have the right to contact the Information Commissioner to lodge a complaint:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
ico.org.uk

Tel: 0303 123 1113

Data Protection Notification

NHS Cheshire and Merseyside is a ‘data controller’ under the Data Protection Act 2018 (DPA18). We have notified the Information Commissioner that we process personal data and the details are publicly available from the:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
ico.org.uk

What information do we collect about you?

We only collect and use your information for the lawful purposes of administering the business of NHS Cheshire and Merseyside.

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services and to support and manage our employees. To enable us to do this effectively we are often required to process personal data i.e. that which identifies a living individual.

We also process special category data. This is personal data which the DPA18 says is more sensitive, and so needs more protection:

  • Racial and ethnic origin
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Trade union membership
  • Religious or similar beliefs
  • Employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for Staff.

In terms of patient information, the special category data we process includes:

  • Physical or mental health details
  • Racial and ethnic origin
  • Sexual orientation
How NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

NHS Continuing Healthcare

NHS Continuing Health Care (CHC) is explained by NHS Choices here.

To determine if someone is eligible for CHC and to then arrange a care and support package that meets their assessed needs, information about the individual will need to be collected, reviewed and shared with care providers, such as care homes.

As NHS Cheshire and Merseyside has a duty to provide CHC services, this allows for the collection of information about individuals for this purpose, the use of that information and the sharing of it with third parties who need to be involved in the process; we will make sure that we keep the individual concerned informed at all times of who will be providing or receiving data about them and why.

Sources of the data

The personal data is submitted by NHS Cheshire and Merseyside and the applicant for review.

Categories of personal data

The information Integrated Care Boards use to assess eligibility, and which may be submitted to an Independent Review Panel, fall under the following headings:

  • Behaviour
  • Cognition (understanding)
  • Communication
  • Psychological/emotional needs
  • Mobility
  • Nutrition (food and drink)
  • Continence
  • Skin (including wounds and ulcers)
  • Breathing
  • Symptom control through drug therapies and medication
  • Altered states of consciousness
  • Other significant needs

The obtained records that relate to these areas may include Care Home records, Health Records (for example GP, Hospital, Mental Health, District Nursing) and Social Care Records.

Recipients of personal data

Categories of recipient’s Personal data relating to the application is received by Continuing Health Care (CHC) teams and the members of the review panel. An Independent Review Panel is made up of:

  • An independent chair
  • A representative nominated by a Clinical Commissioning Group (not involved in the case);
  • A representative nominated by a Local Authority (not involved in the case); and
  • At times, a clinical advisor may also be in attendance
Communications and engagement

NHS Cheshire and Merseyside offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from NHS Cheshire and Merseyside, opportunities, events and details on how to get involved.

We must hold the details of the people who have requested the service to provide it to them. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them. We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this. Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

Sources of the data

The personal data is provided by data subjects when signing up to receive one of our newsletters either via our website or by completing one of our sign-up forms at one of our stakeholder events we hold from time to time.

Categories of Personal data

We only require you to provide us with your name and email address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of our population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Recipients of personal data

The information you provide as a member of one of our patient involvement groups is never shared outside of NHS Cheshire and Merseyside.

Invoice validation

Invoice validation is an important process. It involves using your NHS number to check that we are NHS Cheshire and Merseyside that is responsible for paying for your treatment.

There are situations where identifiable patient personal data is required to ensure that the correct service provider is paid.

In such cases service providers are required to send identifiable patient personal data such as the NHS Number to a Controlled Environment for Finance (CEfF).

We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

NHS England has published guidance on how invoices must be processed, and commissioners have a duty to detect report and investigate any incidents of where a breach of confidentiality has been made.

Sources of the data

The sources of data are providers who submit invoices to NHS Shared Business Services for payment.

Categories of Personal data

The data required for effective invoice validations can be found in appendix B. of “Who Pays? Information Governance Advice for Invoice Validation” which you can find here:

https://www.england.nhs.uk/wp-content/uploads/2013/12/who-pays-advice.pdf

Recipients of personal data

Midlands and Lancashire Commissioning Support Unit is the only organisation that will have receive personal data relating to invoice validation as an accredited Controlled Environment for Finance.

Risk stratification

Health care commissioners need information about the treatment of patients to review and plan current and future health care services. To do this they need to be able to see information about the health care provided to patients which can include patient level data. GP practices also need to see a full view of care across all health settings to plan how to best manage the care of their patients. Part of this process is known as risk stratification. Risk stratification takes data and gives a score for each patient. This score says how likely you are to be admitted to hospital and is done using an algorithm that decides on your score. An algorithm is a form of profiling.  Profiling takes data and gives a range of summaries, allowing GPs to identify who might be at greatest risk. There is no automated decision making made on the basis of any grouping or profiling as any decisions made based on the data are made following review by your GP.

Risk stratification aims to identify those patients who are at risk of certain outcomes, such as being admitted to hospital. It is the role of data processors to obtain data from the health services you use and ‘link’ this data together. This is a very important process to increase our understanding of how health care is connected. In order to flow this information, we have agreements in place with each of the practices to allow us to extract data from the practice data systems (EMIS) on their behalf. This is done via a Data Processing Agreement to allow us to act as a data processor on behalf of the practices who own the data. At this point practices are known as the data controllers. There are very strict rules for how the data can be handled, stored and processed.  Practices can opt out at any point and any patients that have opted out of sharing their information are excluded from the data extraction process.

We then send the data to the Data Services for Commissioners Regional Office (DSRCO), who securely process the information into a format we can legally use. This ‘pseudonymisation’ process means any identifying details (such as NHS number) are replaced with a unique code. No other patient identifiable data such as name or address is received for data linkage.  We also receive data from hospitals (via a portal called the Secondary Uses Service - SUS) and GP records (EMIS) to enable this analysis to take place. Once we receive this data we become the data controllers and the DSCRO are the data processors.

Your GP can provide more information about any risk stratification programme they are using. If you are worried about how your information is managed please contact the Practice Manager at your surgery. They can discuss how to reduce what information is shared.   You can also find more information about the responsibilities of the Data Services for Commissioners Regional Office (DSCRO) on the NHS Digital website.

Data is always stored securely and only shared with those who need it. We also sign a separate Data Sharing Agreement with NHS Digital to confirm what we do with your data.

GPs are able to identify individual patients from the risk stratified data when it is necessary for patient care. We can never identify an individual from the data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources, like NHS Digital or a hospital, the GP will ask for your permission to access the details of that information.   

Automated decision making is when a computer makes a decision. This does NOT happen here and decisions are only made by your GP practice.

Data Protection Law

We collect personal information from you when you communicate with us as a patient. Before processing your personal data for any purpose, we make sure that the law allows us to do so.

We process your personal data in accordance with the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), or for other lawful reasons.

Data Protection law says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

Legal basis for processing

We will take all possible care to protect your privacy and will only use information collected where the law allows, including:

  • General Data Protection Regulation (GDPR)
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality
  • Human Rights Act 1998
  • NHS Act 2006
  • Health and Social Care Act 2012

Codes of Practice for Confidentiality, Information Security and Records Management.

Categories and sources of personal data

Risk stratification tools use historic information about patients, such as age, gender and health conditions collected by NHS Digital from NHS hospitals and community care services, called Secondary Uses Service (SUS) data. This is linked to GP practice data and analysed to produce a risk score. SUS is a large dataset we analyse to support delivery of healthcare. Information on care provided for all NHS patients) must be submitted to this dataset.

Data from the GP Practice system is obtained by the ICB Business Intelligence Team under a signed Data Processing Agreement. This is sent onto the DSCRO for further processing.

The data extract EXCLUDES patients who have expressed a wish not to share information. Reports produced from the system including identifiable data is only provided back to your GP or member of your care team.

Commissioning - Assuring Transformation

Purpose and Legal Basis for Processing

The Department of Health published 'Transforming Care: A national response to Winterbourne View Hospital and the Concordat: Programme of Action' in December 2012. The purpose of this data collection is to ensure that the public awareness of the NHS commitments in the Winterbourne View Concordat is transparent and robust. By collecting this data, NHS Cheshire and Merseyside is able to achieve the most appropriate outcomes for ‘people with a learning disability or autism, who may also have mental health needs or behaviour that challenges’.

Under the NHS Act 2006, provision is made for the sharing of patient information that is in the interests of improving patient care or deemed to be in the public interest. This is also referred to as a Section 251 exemption. A Section 251 exemption has been granted for the delivery of Assuring Transformation work programmes. Therefore, our lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For special categories (health) data the basis is Article 9(2)(h) ‘…health or social care…’

Source of Data

Data is received by NHS Cheshire and Merseyside from local providers who are providing care to any patient who has ‘any status under the Mental Health Act (informal or detained).’

Categories of Personal Data

The Assuring Transformation Programme relies upon collecting healthcare information such as NHS number and information relating to a patient’s current treatment; such as how long they have been in hospital for, when their care and treatment is assessed and what kind of hospital they are in. Additional information such as any levels of security assigned to an individual (general/low/medium/high) currently in care as well as their status under the Mental Health Act (informal or detained) is also collected.

Recipients of Personal Data

Data collected for this purpose is then shared with NHS Digital.

Complaints and enquiries

Most NHS care and treatment goes well but sometimes things can go wrong. If you are unhappy with your care or the service you have received, it is important to let us know so we can improve.  When NHS Cheshire and Merseyside receive a complaint, to allow it to be fairly and thoroughly managed, in most cases personal information will be required.

Sources of the data

NHS Cheshire and Merseyside will generally collect/receive information when members of the public, their representatives, or Members of Parliament, contact us with concerns or enquiries.  To enable us to process a complaint NHS Cheshire and Merseyside will collect the relevant information at the point of contact to enable the team to provide a sufficient response to the request.

Categories of personal data

Information relating to complaints would generally include the following categories of personal data:

  • Patient’s name
  • Patient’s address
  • Patient’s contact number
  • GP Surgery
  • Patient’s NHS number
  • Patient’s date of birth
  • Representative details (if applicable)
  • Representative address (if applicable)
  • The nature of the complaint

Recipients of personal data

The recipients of personal data relating to complaints include:

  • Any team within NHS Cheshire and Merseyside that may receive an enquiry or complaint
  • Relevant providers (with the consent of the data subject) to enable them to fully investigate the complaint being made
Individual Funding Requests

The NHS has a duty to spend the money it receives from the Government in a fair way, taking into consideration the health needs of the whole community. The ICB’s role is to ensure it gets best value for this money by spending it wisely on behalf of the public.

The ICB pay for local NHS health services and NHS England pays for highly specialised health services. The ICB has a legal duty to provide health services for patients in the county with the fixed amount of money they have received from the Government. They have a legal duty not to spend more than this. This means that some hard choices have to be made. Not all treatments can be provided by the NHS.

However, the ICB know that there will always be times when a patient would benefit from a particular treatment not usually given by the NHS. To apply for this treatment, an Individual Funding Request can be made. To allow the ICB to consider these requests, access to both personal and health information regarding the individual to whom the request relates is required.  

Sources of the data

The information may be provided by a clinician who submits an IFR application form on behalf of a patient.  

Categories of recipients

Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

The IFR application form includes NHS number, name and address, date of birth, GP details, diagnosis, requested intervention and other information relevant to the request. Gender and ethnicity are also collected and held in anonymous form for equality monitoring.

Categories of recipients

Applications are considered by an independent panel who have not been involved in your treatment. The panel is made up of doctors, nurses, public health experts, pharmacists, NHS England representatives and lay members and is led by a lay chair.

Safeguarding

Purposes for processing

NHS Cheshire and Merseyside is dedicated in ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do.

Categories of personal data

The data collected by NHS Cheshire and Merseyside staff including its hosted bodies in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain, in order to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

Sources of the data

NHS Cheshire and Merseyside will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns.

Recipients of personal data

The information is used by NHS Cheshire and Merseyside when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as Local Authorities, the Police, healthcare professional (i.e. their GP or mental health team).

The legal basis for processing for the General Data Protection Regulation (GDPR) purposes is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of special categories data, the basis is Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

Quality

Purpose and basis for processing

The ICB has a duty to the improvement of quality and delivery of services and uses incident events, investigation, evidence and reports relating to incidents under various policy and procedural structures. The legal basis we rely on under GDPR is Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” For the special categories of data, we rely on Article 9(2)(h) “processing is necessary for the purposes of…the provision of health or social care or treatment”

An incident requiring investigation is defined as an incident that occurred in relation to NHS funded services and care resulting in unexpected or avoidable death, harm or injury to patient, carer, staff or visitor. To enable us to promote quality and compliance, Cheshire has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

Categories of personal data

NHS Number and other personal details, including relevant healthcare records and information about the incident, including others involved or impacted by the event are used by the ICB to facilitate incident investigations.

Sources of the data

Data received to fulfil the duties relating to incident investigation will be received directly from the reporting organisation, such as a GP practice or provider.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers.

How we use information provided by NHS Digital

We use information collected by NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund. 

The data we receive does not include patients’ names or home addresses, but it will usually include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services. 

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and unless we have a legal basis to use identifiable data, de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity.

Children’s Information

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a complaint or conducting an investigation. The information in the relevant parts of this notice applies to children as well as adults.

Automated Decision Making

NHS Cheshire and Merseyside does not use automated individual decision-making (making a decision solely by automated means without any human involvement).

Retaining information

Information in NHS Cheshire and Merseyside is held for a specific length of time depending on the type of information it is.  The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: NHS Digital Records Management Code of Practice for Health and Social Care 2021

Once information has been reviewed and is no longer required to be kept by a retention period the information will be securely destroyed. 

Security of your information

NHS Cheshire and Merseyside take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

Alongside the Data Protection Officer (DPO), we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality and acts as the ‘conscience’ of the organisation.

All staff are required to undertake annual information governance training and are provided with an information governance handbook that they are required to read and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality.  Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

Flu vaccines and the COVID-19 response

Data is being used to help ensure that those who are entitled to a flu vaccine receive one. This includes data relating to both health and care staff and patients.

I’m a patient/service user – what do I need to know?

I work in a health and care organisation – what do I need to know?

The right to be informed

You have the right to be informed about the collection and use of your personal data. This privacy notice is one of NHS Cheshire and Merseyside’s key methods for providing you with this information. In addition to this notice, we will provide you with more specific information at the time we collect personal data from you, such as when you apply for Continuing Healthcare or make a complaint to us.

The right of access

You have the right to ask us for confirmation of whether we process data about you and if we do, to have access to that data so you are aware and can verify the lawfulness of the processing.

You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf.  A child’s parent or guardian, a patient representative, or a person appointed by the Court may also apply.

Your rights

The right to be informed

You have the right to be informed about the collection and use of your personal data. This privacy notice is one of NHS Cheshire and Merseyside’s key methods for providing you with this information. In addition to this notice, we will provide you with more specific information at the time we collect personal data from you, such as when you apply for Continuing Healthcare or make a complaint to us.

The right of access

You have the right to ask us for confirmation of whether we process data about you and if we do, to have access to that data so you are aware and can verify the lawfulness of the processing.

You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf.  A child’s parent or guardian, a patient representative, or a person appointed by the Court may also apply.

The right to rectification

You are entitled to have personal data that we hold about you rectified if it is inaccurate or incomplete. If we have passed the data concerned on to others, we will contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If this is the case, we will explain to you why.

The right to erasure

You have the right to have personal data we hold about you erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • If you withdraw your consent for us to process your data (if this was the basis on which it was collected).
  • The personal data was unlawfully processed (i.e. a breach of UK data protection laws).
  • The personal data has to be erased in order to comply with a legal obligation.

However, if we have collected and are processing data about you to comply with a legal obligation for the performance of a public interest task or exercise of official authority, i.e. because we have a legal duty to do so in our functioning as an Integrated Care Board, then the right to erasure does not apply.

The right to restrict processing

You have the right to ‘block’ or suppress processing of your personal data which means that if you exercise this right, we can still store your data but not to further process it and will retain just enough information about you to ensure that the restriction is respected in future.

You can ask us to restrict the processing of your personal data in the following circumstances:

  • If you contest the accuracy of the data, we hold about you we will restrict the processing until the accuracy of the data has been verified
  • If we are processing your data as it is necessary for the performance of a public interest task and you have objected to the processing, we will restrict processing while we consider whether our legitimate grounds for processing are overriding
  • If the processing of your personal data is found to be unlawful but you oppose erasure and request restriction instead
  • If we no longer need the data we hold about you, but you require the data to establish, exercise or defend a legal claim

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we will also inform you about these recipients.

We will inform you if we decide to lift a restriction on processing.

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability although it only applies where we are processing your personal data based on your consent for us to do so or for the performance of a contract and where the processing is carried out by automated means. This means that currently, the ICB does not hold any data which would be subject to the right to data portability.

The right to object

Where NHS Cheshire and Merseyside processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing.

You must have an objection on grounds relating to your particular situation.

If you raise an objection, we will no longer process the personal data we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

Rights in relation to automated decision-making and profiling

As NHS Cheshire and Merseyside does not make any decisions based solely on automated processing, individuals’ rights in relation to personal data processed in this way are no applicable.

The right to withdraw consent

If NHS Cheshire and Merseyside processes data about you on the basis that you have given your consent for us to do so, you have the right to withdraw that consent at any time. Where possible, we will make sure that you are able to withdraw your consent using the same method as when you gave it.

If you withdraw your consent, we will stop the processing as soon as possible.

National opt out

The NHS Constitution states, “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. There may be occasions when it is not possible to exercise your right to object or “Opt Out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

The right to object or opt-out includes information not directly collected by NHS Cheshire and Merseyside, but collected by organisations that provide NHS services.

Type 1 opt-out

If you do not want personal confidential data that identifies you to be shared outside your GP practice, for purposes beyond your individual care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used for anything except your care, except when it is required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register this opt-out at their GP practice. If you would like to opt-out or discuss further, then please talk to your GP or the healthcare professional supporting you.

The national data opt-out

Whenever you use a health or care service, such as attending Accident and Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit Your NHS Data Matters

Public Privacy Notice
Employee Privacy Notice