At NHS Midlands and Lancashire (NHS ML) we’re committed to protecting and respecting your privacy. This Privacy Policy provides you with the following information:
What are our data protection responsibilities?
Data Services for Commissioners Regional Offices
What is the lawful basis for processing your personal data?
How may we use and share your information?
How is your information stored?
How long is your information kept?
How does the wider NHS collaboratively use your information?
What are your information rights?
How do I exercise my information rights?
If I have a concern regarding how my personal information is being used, who should I contact?
NHS ML as a Commissioning Support Unit is an organisation hosted by NHS England and is not a separate entity in its own right. However, we operate as if we have the same privacy responsibilities to ensure that we manage personal data in a professional, legal, and ethical way.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (the ‘Act’) the Controller is NHS England which hosts NHS ML. NHS England is registered on the Data Protection Register with the Information Commissioner’s Office (ICO). Their registration number is Z2950066, and a copy of the registration is available through the ICO website. NHS ML is also listed but we only act as a Controller when NHS England asks us to on their behalf.
NHS ML provides services to clients including care providers and Integrated Care Boards (ICB). ICBs are responsible for commissioning healthcare services for the geographical area which they cover and are required to have their own Privacy Notices.
When providing these services to our client organisations we will collect and use the personal information of both patients and service users. In these instances, we will act as a Data Processor on behalf of our clients. Where NHS ML is the Processor for such organisations, you should see us named in their privacy notices for the services we provide.
We may collect personal information about you in several ways:
Our range of services are listed below, and where applicable we have provided a link to further information about that service and how they use your personal data.
The following Units / Services are also part of NHS ML and may process your personal data:
Our PHC team delivers assessment, review, and care planning for people with continuing healthcare and complex healthcare needs on behalf of our client NHS organisations.
This includes the following activities (where applicable, we have provided links to the specific web pages for those activities)
You can find further information on PHC activities.
Support client NHS organisations by providing professional support to carry out communication and engagement activities. This will often include collecting the contact details of members of the public where they have agreed to participate in such activities. This will be on behalf of our client NHS organisations who would be Data Controller.
You can find further information on the Communication and Engagement Service.
Provide economic and analytical expertise to deliver insights to power the future of health and care delivery. You can find further information on the Health Economics Unit.
A specialist NHS team which produces high quality, multi-disciplinary analytical work to allow clients to achieve better evidence, better decisions, and better outcomes. You can find further information on the the Strategy Unit.
NHS team of consultants, working alongside health and care clients to deliver major change programmes to transform care and health outcomes for people and communities, empowering change from within. You can find further information on the Transformation Unit.
NHS Horizons’ purpose is to amplify the efforts of others to deliver transformation and large-scale improvement and to accelerate new change thinking in line with the priorities of the NHS. You can find further information on the Horizons Unit.
Following the 2012 NHS reform (Health and Social Care Act 2012), the legal basis for the Clinical Commissioning Groups (CCGs) (now replaced by Integrated Care Boards (ICBs) under the Health and Care Act 2022) prevented staff from directly handling identifiable personal and confidential information for commissioning purposes.
The Act created the Health and Social Care Information Centre (HSCIC), now known as NHS Digital and granted it powers to collect, analyse, publish and disseminate national health and social care data and statistical information.
Except for a handful of very specific exceptions commissioners are not able to receive identifiable data. They need an intermediary service that specialises in processing, analysing and packaging patient information into a format they can legally use.
This intermediary service is underpinned by NHS Digital’s Data Services for Commissioners team. Using regional processing centres (RPC’s) the Data Services for Commissioners Regional Offices (DSCROs) de-identify the data before it is passed to NHS ML who act as the data processer for our client organisation ICB’s.
Whilst staff within the DSCROs are employed by NHS ML they are seconded to NHS Digital and must have appropriate approvals in place to allow them to access, handle and process identifiable data. They adhere to the same strict data security policies and controls as permanent NHS Digital staff.
You can find further information about this service and the Data Services for Commissioners team.
Where we provide services to our client organisations, we are not responsible for determining the legal basis for that processing activity. This is the responsibility of our client organisations who are the Data Controller. To establish the legal basis, you may visit their Privacy Notice, or you may wish to contact them instead.
Please see the links below to our main client’s Privacy Notices:
Where NHS ML is acting as a Data Controller we process data under the following legal basis:
Article 6(1)(a) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
We would rarely rely on Consent as a legal basis.
Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This would be by virtue of legislation such as the NHS Act 2006, or the Health and Social Care Act 2012.
Article 9(2)(g) – Processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Where we rely on Article 9(2)(g) the substantial public interest would be determined by provisions in the Data Protection Act 2018. This would include matters such as for Safeguarding.
Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
This would be by virtue of legislation such as the Data Protection Act 2018, NHS Act 2006, or the Health and Social Care Act 2012.
We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
We have in place robust mechanisms for considering how personal information is used which includes formal documentation to consider the reasons for sharing and also the involvement of a “Caldicott Guardian”, a senior member of staff whose role it is to consider whether or not sharing and use of personal data is reasonable and that the right controls are in place.
Generally, we do not share individual’s identifiable information with any other organisations unless there is a defined legal basis to do so. Where required, we will seek your consent.
If we share your personal information, it will be with very tight controls on who sees the information and the purposes for which it is used.
We record any instances where we transfer personal information to a third country or international organisation. This is very limited, and we check and record the safeguards in place to protect the information to be transferred.
We do share anonymised statistical information with client organisations for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas. This is used to help our client organisations support their commissioning, management, and planning decisions for healthcare services.
Your personal data is always kept secure, and all NHS organisations are required to provide assurances, every year, that controls are in place to manage personal data. These controls include access controls, encryption, and physical controls.
Your personal data will be kept under strict conditions within the UK, being protected by suitable access controls ensuring that only people with an authorised professional need can access your data and encrypting your data, when necessary, to ensure it is protected from inappropriate access. Where exceptions to this process are undertaken you will be informed.
Where we provide an invoice validation service for our client organisations the processing activity is within a Controlled Environment for Finance.
All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. This is to measure their performance against the National Data Guardian’s 10 data security standards.
You can view our publication history on the Data Security and Protection Toolkit.
We retain personal information in accordance with data protection legislation and in line with the NHS Records Management Code of Practice 2021. We may sometimes retain information longer than the minimum retention periods but only where there is a business requirement to do so. You can view details regarding how long specific records are kept.
NHS ML (as part of NHS England) is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this were allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
You can also find out more about how patient information and healthcare research on the NHS Health Research Authority website.
To understand how and why patient information is used (including what safeguards are in place and how decisions are made) you may wish to visit the NHS Confederation website.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
NHS England is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or were undertaking a public function, in order to prevent and detect fraud.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
For more information on this please visit the following page: https://www.england.nhs.uk/contact-us/privacy-notice/how-we-use-your-information/public-and-partners/the-national-fraud-initiative/
Under the UK GDPR and the Data Protection Act 2018 you have several rights, and these are listed below. Some rights are not absolute rights, whether they apply is dependent upon the legal basis used to process your data.
Right to Be Informed
You have a right to know how your personal information is being used, and this privacy notice is part of this obligation which we must fulfil. You may contact us if you want to know more about how we use your information or if something is unclear.
Right of Access
You have a right to request to see what information we are holding about you (this is known as making a “Subject Access Request”).
Right of Rectification
You have a right to have any inaccurate information held about you corrected. You can contact us and request this if you believe we hold inaccurate information about you. We can also refuse a request for rectification in certain circumstances.
Right of Erasure
Dependent upon the legal basis, you have a right to have your personal information erased. This may only be performed if we have no other legal reasons to keep your information.
Right of Portability
Dependent upon the legal basis, you may have a right to receive your personal information in a “machine readable form” and to be able to take this information to another person or organisation.
Right to Object
Dependent upon the legal basis, you have a right to object to how personal data about you is processed, in some instances. You have right to object to your data being shared with others or used, for example, in research or statistical processes.
Withdraw Consent
Where we are relying on the lawful basis of consent, you can withdraw your consent by contacting us and we will act on such requests as soon as we can.
There are also rights around the use of Automated Decision Making and Profiling. We do not use automated decisions and profiling at this time. However, where NHS ML or its client organisations plan to undertake this activity, you will be informed by our privacy notice and that of our client organisations.
Requesting your information from us is known as a Subject Access Request.
We must respond and provide you with your information within one month of receiving your request, although we may extend this time in certain circumstances.
If you wish to request your information you may use the details below:
Where you choose to exercise the above rights NHS ML must respond to your request (and provide you with your information where you submit a Subject Access Request) within one month, although we may extend this time in certain circumstances.
You can do so by contacting us on either of the following methods.
Email: mlcsusars@nhs.net
Telephone: 01782 916875 (Monday to Friday, 9am-5pm)
Post: Heron House, 120 Grove Road, Fenton, Stoke-on-Trent, Staffordshire ST4 4LX
Where NHS ML are acting on behalf of our client organisations, those organisations are the Data Controllers and so you will need to contact them to exercise your rights. Please see the links below to our main client’s Privacy Notices where you can find their contact details:
For further details on how to contact us, including telephone numbers for specific services or locations, then please visit our Help and Contact page. Alternatively:
Our Data Protection Officer is Hayley Gidman. Should you wish to contact them you can do so by:
NHS ML also has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. Our Caldicott Guardian is Elizabeth Miller.
A further senior member of staff is responsible for information risk and information security and is accountable to the Managing Director; this person is called the Senior Information Risk Owner (SIRO). Our SIRO is John Uttley.
Further information on NHS England may be found on their website:
https://www.england.nhs.uk/contact-us/privacy-notice/
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Email: casework@ico.org.uk or visit the ICO website.
We keep our privacy notice under regular review, and we will place any updates on this web page. This notice was last updated on 09/09/2023.
Registration open for NHS-R Community annual conference
We are incredibly excited to announce that ticket registration for NHS-R/NHS.pycom Open-Source Conference (RPySOC) 2024 is open! The…
NHS ML secures place on Transforming Organisations, Partnerships and Systems Framework
NHS Midlands and Lancashire (ML) has been successful in its bid for an important national procurement framework. The Transforming…
New podcast: Lessons from the Clive Treacey Review
In this three-segment podcast sequence, part of our Inside MLCSU series, we discuss the lessons learnt from the…
Acting as an independent and trusted partner within the system to facilitate working across stakeholders and integrate elements of the provider system…
Learn more about Developing health systems
Supporting systems to build a sustainable and integrated workforce, transforming systems, organisations and the workforce experience to improve resilience.
Learn more about Workforce resilience and transformation
Supporting ICSs with approaches to design and deliver effective communication, engagement and behavioural insights as a key enabler for system change and…
Learn more about Communications and engagement
Digitising care and partnering with systems for the transformation of digitally enabled service delivery (and other supporting processes) across vision, planning and…
Learn more about Digitally enabled transformation and IT
Applying intelligence-led understanding of the health of the population to support the redesign of care and improve patient and financial outcomes across…
Learn more about PHM analytics and decision support
Supporting providers to work together at a place and neighbourhood level to manage common resources, integrate community teams, improve health and reduce…
Learn more about Place and primary care transformation
Redesigning how health and care works across England - placing people at the centre of their own health and care and utilising…
Learn more about Clinical redesign and provider collaboration
Providing end-to-end funded care services, including patients as active partners in identifying their healthcare needs and then commissioning care to meet these.…
Learn more about Personalised healthcare commissioning services
Delivering a wide range of support functions through transactional services, business partnering and transformation that drives efficiencies and releases value and time…
Learn more about Business enabling services
Share on X