News & Views
- MLCSU-supported finance team win award
- MLCSU director named HSJ100 wildcard for 2022
- Our experts at NHS ConfedExpo: Schedule announced
- MLCSU nominated for three NHS Health and Care Apprenticeship Awards
- We’re exhibiting at NHS ConfedExpo, 15-16 June
- Innovative NHS resource-booking system signs up 20th customer
- Blog: How can digital advances help a greener NHS?
- Blog: Why digital advances are so important to new hospitals
- 2021, our journey alongside ICS partners
- Blog: Treating people on waiting lists: who decides what is fair?
- Kicking off a study on menopause and the NHS workforce
- MLCSU Gender Pay Gap Report 2021
- CQRS Local will reduce admin time for commissioners and primary care providers
- Blog: Decision makers can make much better use of analysis
- PCNs critical in population health management
At NHS Midlands and Lancashire Commissioning Support Unit we’re committed to protecting and respecting your privacy.
As a support organisation Midlands and Lancashire CSU does not generally collect and use the personal information of patients and service users, except in supporting our client organisations to make the right decisions about care services. We are an organisation hosted by NHS England to provide these services on their behalf, to NHS clients.
We may collect your personal details if you contact us directly and use these details to help you with resolving any enquiry you may have.
The information provided below is to inform you of how we use information of a personal nature in our support of our clients and how this information may be shared.
A commissioning support unit is an organisation hosted by NHS England and is not a separate organisation in its own right. However, we operate as if we have all privacy responsibilities to ensure that we manage personal data in a professional, legal and ethical way.
The Commissioning Support Unit (CSU) has various roles and responsibilities, but our work involves supporting clients, who may be care providers, or commissioners of care services, in a number of areas including:
- Complaints are investigated and managed;
- Freedom of Information Act requests are appropriately managed;
- Advice and guidance for access to personal records is provided;
- Communications and engagement services;
- Contract monitoring is undertaken;
- Business intelligence is provided;
- Financial Services;
- IT Services;
- New developments;
- Prevention and detection of fraud.
We may collect personal information about you in a number of ways:
- Information you provide to us, in order to help you resolve and issue or to provide you with guidance;
- Information provided as part of work we do, supporting clients to improve and deliver health services. This information will be collected and used under a defined legal basis and under strict conditions of privacy and confidentiality;
- Information that may be passed to us from care providers in order to resolve questions or queries on your behalf.
We may use your information to do the following:
- To meet our legal, statutory and contractual obligations
- To provide you with information you have requested
- To evaluate and review services on behalf of care providers to ensure quality and efficiency
- Preparing analyses and statistics for use in health management
- Review care that has been commissioned to ensure standards are being met
- With the consent of individuals to carry out surveys and other reviews
- To give you access to training courses and for attendance registers.
Generally, we do not share individual’s identifiable information with any other organisations unless there is a defined legal basis to do so.
We have in place robust mechanisms for considering how personal information is used which includes formal documentation to consider the reasons for sharing and also the involvement of a “Caldicott Guardian”, a senior manager whose role it is to consider whether not sharing and use of personal data is reasonable and that the right controls are in place.
If we share your personal information, it will be with very tight controls on who see the information and the purposes for which it is used.
Your personal data is always kept secure and all NHS organisations are required to provide assurances, every year, that controls are in place to manage personal data. These controls include access controls, encryption and physical controls.
Your personal data will be kept under strict conditions within the UK, being protected by suitable access controls ensuring that only people with an authorised professional need can access your data and encrypting your data, when necessary, to ensure it is protected from inappropriate access. Where exceptions to this process are undertaken you will be informed.
Personal data used for specific purposes will be kept only for as long as it is needed to perform the work required, it will then usually be securely deleted. Your medical records which will always stay with your clinicians will be kept under strict NHS rules to ensure that the information remains available for your care and treatment.
There are documents that are available if you wish to look at how long the NHS retains data for, these documents include all identifiable information and also more general documents such as policies, finance records etc. To find out more please see the Records Management Code of Practice for Health and Social Care 2016.
You have a number of rights under data protection law (The Data Protection Act 2018 and the UK General Data Protection Regulation) and these are listed below.
You have a right to know how your personal information is being used, and this privacy notice is part of this obligation which we must fulfil. You may contact us if you want to know more about how we use your information or if something is unclear.
You have a right to request to see what information we are holding about you (this is known as making a “Subject Access Request” – please see below for more information.
You have a right to have any inaccurate information held about you corrected. You can contact us and request this, if you believe we hold inaccurate information about you.
In certain circumstance you have a right to have your personal information erased. This may only be performed if we have no other legal reasons to keep your information.
You have a right to receive your personal information in a “machine readable form” and to be able to take this information to another person or organisation.
You have a right to object to how personal data about you is processed, in some instances. You have right to object to your data being shared with others or used, for example, in research or statistical processes.
We do not use automated decisions and profiling at this time. However, this right exists and you may exercise this right should you be informed that we are doing, or planning to do this type of work.
You have the right to complain both to us and to the UK regulator (The Information Commissioner) if you believe that your personal information is not being used legally. Please see the complaints section, below.
How do I request what information you hold about me?
Requesting your information from us is known as a Subject Access Request. We must respond and provide you with your information within one month of receiving your request, although we may extend this time in certain circumstances.
If you wish to request your information you may use the details below:
- By telephone – 0151 2967326 (Monday to Friday, 9am-5pm)
- By email – firstname.lastname@example.org
How do I make a complaint?
If you feel that you wish to make a complaint relating to how we use and handle your personal information, you should contact email@example.com.
If you are not satisfied that your complaint has been resolved, you have the right to contact the Information Commissioner to lodge a complaint with them:
Information Commissioner’s Office
Wilmslow SK9 5AF
Tel: 0303 123 1113
We keep our privacy notice under regular review and we will place any updates on this web page. This notice was last updated on 04/12/2018.
Data Protection Notification
Midlands and Lancashire CSU is a ‘data processor’ under the DPA. We are registered to process personal data through the NHS Commissioning Board (NHS England) who have notified the Information Commissioner that we process personal data and the details are publicly available from the:
Information Commissioner’s Office
Wilmslow SK9 5AF
Registration number: Z2950066
How to contact us
Please contact us via our Data Protection Officer if you have any questions about our privacy notice or information we hold about you:
Heron House, 120 Grove Road, Fenton, Stoke-on-Trent, Staffordshire ST4 4LX
Tel No. 01782 872648