From 1 April 2026 two new organisations are now responsible for planning and overseeing NHS services for local people. The last day of operation for Hertfordshire and West Essex ICB was 31 March 2026. Find out more

Privacy

This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

Who we are

Hertfordshire and West Essex Integrated Care Board (ICB) will secure the provision of health services by taking on the commissioning functions of the previous 3 CCGs (now abolished), develop and maintain a plan to meet the health needs of our population, set out the strategic direction for our Integrated Care System (ICS) and agree an annual capital resource use plan.

The (ICB) has various roles and responsibilities, a major part of our work involves making sure that: 

  • contracts are in place with local health service providers; 
  • routine and emergency NHS services are available to patients; 
  • those services provide high quality care and value for money; and 
  • paying those services for the care and treatment they have provided. 

This is called “commissioning”. For further information please refer to the ‘About us’ section of the website

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets.

What is a privacy notice?

This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It covers information we collect directly from you or receive from other individuals or organisations.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to:

Hertfordshire and West Essex ICB
The Forum
Marlowes
Hemel Hempstead
Hertfordshire 
HP1 1DN

Our Commitment to data privacy and confidentiality issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK GDPR and Data Protection Act 2018 (DPA 2018), the Common Law Duty of Confidentiality and the Human Rights Act 1998. The various laws and rules about using and sharing confidential information, with which the ICB will comply, are available in “A guide to confidentiality in health and social care” which is published on the NHS Digital (now merged with NHS England) website. 

Hertfordshire and West Essex ICB is a Data Controller under the terms of the UK GDPR/DPA 2018 we are legally responsible for ensuring that whenever we collect, use, hold, obtain, record or share personal confidential data about you, we do it in compliance with data protection legislation. 

All data controllers must notify the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZB340513 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing. 

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. A limited number of authorised staff have access to information that identifies you, but only where it is appropriate to their role and strictly on a need-to-know basis. 

All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection Toolkit (DSPT). Hertfordshire and West Essex ICB can confirm that a successful DSPT has been submitted and accepted. Further information regarding Information Governance and the Data Security and Protection Toolkit  can be found in Further Definitions and Terms. 

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. All staff are trained to ensure they understand how to recognise and report an incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur. 

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice Care 2021. The ICB’s Records Management Policies include guidance around the secure destruction of information in line with the Code of Practice. 

The ICB has a Caldicott Guardian, who is a senior person responsible for protecting the confidentiality of a patient information and enabling appropriate information-sharing. Further information about the role of the Caldicott Guardian can be found in Further Definitions and Terms.

The Caldicott Guardian for Hertfordshire and West Essex ICB is Natalie Hammond, Director of Nursing and Quality, please see the Contact Us section for contact details. 

The GDPR requires an organisation to appoint a data protection officer (DPO) if they are a public authority or body, or if they carry out certain types of processing activities.

DPOs assist organisations to monitor internal compliance, inform and advise on data protection obligations, and act as a contact point for data subjects and the supervisory authority. The DPO for the ICB is Redouane Serroukh.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you. 

How the ICB uses your information

There may be times when we need to hold and use certain information about you, for example:

  • if we are involved in helping you to resolve a complaint with your GP or other NHS service provider.
  • if we fund specialised treatment for you for a particular health condition that is not covered in our local contracts.
  • if you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations.

The information we hold about you personally will therefore be with your knowledge and consent.

There may be times when we need to hold and use certain information for purposes such as:

  • determining the general health needs of the population.
  • ensuring that our services meet future patient needs.
  • teaching and training healthcare professionals.
  • investigating complaints, legal claims, etc.
  • conducting health research and development.
  • preparing statistics on NHS performance.
  • auditing NHS accounts and service.
  • paying your health care provider.

If you do have any concerns about us holding your personal information, then please tell us and we can explain the way this may affect our ability to help and discuss alternative arrangements available to you.

In the circumstances where we are required to use personal identifiable information we will only do this if:

  • The information is necessary for your direct healthcare, or
  • We have received explicit consent from you to use your information for a specific purpose, or 
  • There is an overriding public interest in using the information:
    • in order to safeguard an individual,
    • to prevent a serious crime
    •  in the case of Public Health or other emergencies, to protect the health and safety of others, or
  • There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation), or
  • We have permission from the Secretary of State for Health to use certain confidential patient identifiable information when it is necessary for our work.

Types of Information we collect and hold about you

We need to use information in various forms about you and will only use the minimum amount of information necessary for the purpose. Where possible, we will use information that does not identify you. Details of Information collected and used for specific purposes is available.

All records held by the ICB will be kept and destroyed in line with our Records Management and Lifecycle policy.

Your personal information will only be shared in accordance with your rights under the UK General Data Protection Regulation, Data Protection Act 2018, the Common Law duty of confidentiality, the NHS Constitution and in keeping with professional and NHS Codes of Practice.

NHS England has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.

Safe and effective care is dependent upon relevant information being shared between all those involved in caring for a patient. When an individual agrees to being treated by the wider care team, it creates a direct care relationship between the individual patient and the health and social care professional and their team. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and the UK GDPR and Data Protection Act 2018.

For common law purposes, sharing information for direct care is on the basis of “implied consent”, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.  This means that information is shared without the individual having to give verbal or written agreement each time and only applies within the context of direct care. 

Under UK GDPR the lawful basis for the processing of personal data in the delivery of direct care, and for providers’ administrative purposes, will be undertaken using Article 6(1)(e), “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority”. Personal data in relation to health are special categories of personal data and the processing of this data for direct care or administrative purposes is undertaken using Article 9(2)(h), “…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

In some circumstances other duties or obligations to share information outweigh confidentiality, and personal information is shared without consent, for example to ensure the safety of a child or vulnerable adult or to report a notifiable disease. 

Your information will be used in a de-identified or anonymised form for purposes other than direct care, such as statistical and analytical information needed to assist the ICB, the NHS, Department of Health and health care partners. 

Unless your information is being used for direct care or there is a legal requirement to share your information, you have the choice to opt-out. This opt-out is managed through the National Data Opt-Out programme.

You have the right to withhold consent or object to your information being shared, but in some circumstances this may delay or affect the care you receive. Always consult your GP or relevant health professional before deciding to withhold consent to sharing your information, as they will be able to advise you on the possible outcomes of this decision.

Your rights

You have certain legal rights, including a right to have your information processed fairly, lawfully and in a transparent manner, and a right to access any personal information we hold about you. These are just some of the rights provided to you under the UK GDPR and DPA 2018. Below is a list of further rights.

You have the right to privacy and to expect the NHS to keep your information confidential and secure.

If we do hold identifiable information about you, you can ask us to correct any mistakes by contacting us at the address detailed in the Contact Us section below.

You have the right to ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive.

In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. If your wishes cannot be followed, you will be told the reason (including the legal basis) for that decision.

If you wish to exercise your right to opt-out, or to speak to somebody to understand the impact this may haveif any, please contact us.

If you wish to know what personal information the ICB holds about you, or to request access to that information, then please contact us.

To protect your confidentiality, you will have to provide proof of who you are.

All information held by the ICB is governed by the ICB’s information lifecycle management policy and is held, retained and destroyed in line with the Records Management Code of Practice for Health and Social Care (see link under further information below).

These are commitments set out in the NHS Constitution.

Exercising an opt-out

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

You can choose to stop your confidential patient information being used for research and planning. You can also make a choice for someone else like your children under the age of 13.

Your choice will only apply to the health and care system in England. This does not apply to health or care services accessed in Scotland, Wales or Northern Ireland. 

Get further information and to apply your choice to opt-out.

Uses of Information

Although this is not an exhaustive detailed listing, the following are key examples of the purposes and rationale for why we collect and process information:

Commissioning

Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS England about services provided to you and the population we serve. This information is known as commissioning datasets. The ICB obtains these datasets from NHS England which relate to patients registered with our GP practices. This enables us to plan, design, purchase and pay for the best possible care available for you.

The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

We also receive similar information from the GP Practices within our ICB membership that also does not identify you.

We use these datasets for a number of purposes such as:

  • Performance managing contracts;
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs;
  • To reconcile claims for payments for services received in your GP Practice;
  • To audit NHS accounts and services;

Within the ICB Groups work collaboratively to assess the need for services, and to work together in procuring, negotiating and managing contracts with Hospitals, Mental Health Providers and Community Health Providers. This collaboration is known locally as a Host and Associate Agreement and requires the ICB to receive Pseudonymised data (see definitions further on in this document). The information that is shared is governed by a written agreement and a commitment that we will not re-identify it.

The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital website.

More information about how this data is collected and used by NHS Digital is available on their website.

Type of information used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Legal basis

Statutory requirement for NHS England to collect identifiable information.

A Section 251 approval from the Secretary of Stage, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets, by the organisations who submitted the information.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

Data processing activities

The ICB processes this data internally. Data is also processed by MedeAnalytics and Arden & Gem on behalf of the ICB.

Opt out details

You are able to opt-out of the use of your personal data for research or planning purposes at a national level. 

Get further information or exercise your right to opt-out online.

Alternatively, speak to your GP practice, they can apply a code to your records which will stop your identifiable information being used for this purpose, and be shared with the national register of opt-outs.

How we use information provided by NHS England

We use information collected by NHS England from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund. 

The data we receive does not include any direct identifiable information about patients such as names, home addresses, NHS number, postcode, and date of birth but is pseudonymised using a system called Pseudonymisation at Source, for further information please refer to the separate section within this privacy notice. This data includes information on age, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS England that we will not use information in any way that would reveal your identity. These terms and conditions can be found on the NHS England website.

Sharing information with other organisations

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

In order to perform our commissioning functions, information may be shared between various organisations including: acute and mental health hospitals, GP practices, community services, other ICBs, commissioning support units (CSU), ambulance services, local councils (social services and public health), voluntary sector and other health organisations.

The law provides some NHS bodies, particularly NHS England ways of collecting and using patient data that cannot identify a person. This information helps commissioners to design and procure the combination of services that best suit the population they serve.

We may also share information with NHS England. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice who will advise you of how to opt out. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by information your GP Practice. More information is available on NHS Digital Your personal information choices and in the section ‘Your Rights’ below.

NHS England recognises the importance of protecting personal and confidential information in all that they do, directly or through commissioning and takes care to meet its legal duties. Follow the links on the How NHS England uses your information page for more details.

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (hospital inpatient, outpatient and A&E data). In some cases there may also be a need to link local datasets which could include a range of acute-based (hospital) services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the ICB does not have any access to patient identifiable data for this purpose.

We may also contract with other organisations to process data. These organisations are known as data processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. Currently, the external data processors we work with are listed below:

Arden and Greater East Midlands (AGEM) Data Services for Commissioners Regional Office (DSCRO), who provide appropriate data for Secondary Use Services (SUS).

AGEM are approved by NHS England as a Data Services for Commissioning Regional Office (DSCRO). They provide a secure and compliant data processing function of health and social care data sets. This type of processing is to support commissioning and planning. The output data from this process will be anonymised or pseudonymised. The ICB does not receive any personal identifiable information from this service.

AGEM CSU also provide services for the ICB, This includes holding and processing data including patient information on our behalf.

The ICB has engaged the services of NHS Arden and Greater East Midlands Commissioning Support Unit (AGEM CSU) to assist in the processing and analysis of data received from NHS England  (that does not identify individuals) to support the ICB in fulfilling its commissioning responsibilities.

The ICB has entered into a contract with AGEM CSU to ensure there are strong controls in place to ensure that the data remains confidential and secure at all times.

The ICB has also engaged the services of AGEM CSU to support the processing of data for the Population Health Management and Risk Stratification Programme – which analyses data that that does not identify individuals.

MedeAnalytics provide a technical system that uses Pseudonymised data from GP and other health care systems to allow linkage of data in a way that does not involve either MedeAnalytics or the ICB to identify individual patients. The system uses data that is Pseudonymised at Source, for further information please see section below.

Complaints

To process your personal information if it relates to a complaint where you have asked for our help or involvement.

Legal Basis

We will need to rely on your explicit consent to undertake such activities.

Complaint Processing Activities 

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. 

We will only use the personal information we collect to process the complaint and to check on the level of service we provide.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

We will publish service user stories, following upheld complaints, anonymously via our governing body.  The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied.  Consent will always be sought from the service user and carer or both before we publish the service user story.

Risk Stratification

Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.  
 

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS England from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.

There is currently s251 support in place (23/CAG/0117) for the ICB to be able to receive data with the NHS Number as an identifier from both NHS England and your GP Practice to enable this work to take place.  The Data is sent directly into a risk stratification tool from NHS England /GP Practices to enable the data to be linked and processed as described above.  Once the data is within the tool ICB staff only have access to anonymised or aggregated data. 

GPs are able to identify individual patients from the risk stratified data when it is necessary discuss the outcome and consider preventative care.

Type of information used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS.

Information put into the risk stratification tools used by the ICB: 

  • Age
  • Gender
  • GP Practice and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.

Legal basis

Statutory requirement for NHS England to collect identifiable information.

A Section 251 approval from the Secretary of Stage, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

Data processing activities

The ICB processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit and Prescribing Services Ltd on behalf of the ICB.

Opt out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service (even though it is in a format which does not directly identify you) you can choose to opt-out. 

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply. Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Invoice Validation

Where we pay for care, particularly where different providers are caring for the same person, we may ask for evidence before paying, or we may commission a service where the payment is all or partly based on the providers ensuring the service user has a healthy outcome. We need to ensure that we are paying the right amount of money for the right services to the right people.

These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEfF) to ensure that the right amount of money is paid, by the right organisation, for the treatment provided.

A small amount of information that could identify an individual is used within this secure area (such as NHS number or date of birth and postcode). The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people. The process is designed to protect confidentiality.

Organisations that provide treatment submit their invoices to the ICB for payment. The secure area (Controlled Environment for Finance, within the ICB) receives additional information, including the NHS Number, or occasionally the date of birth and postcode, from the organisation that provided treatment.

Our Providers send information into our secure area, which includes the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoices. The invoices will be paid when the validation is completed.

Type of information used

Identifiable – (name, DOB, GP, NHS number) within the Controlled Environment for Finance, for invoice validation.

Pseudonymised, anonymised or aggregated – within the ICB, for commissioning purposes such as financial planning, management and contract monitoring.

Legal basis

A Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority enables the ICB to process identifiable information without consent for the purposes of invoice validation within a Controlled Environment for Finance – CAG 7-07(a)(b)(c)/2013.

Data processing activities

This data is processed in house by Hertfordhire & West Essex ICB. Only authorised staff are able to access this information.

Opt out details

National data opt-out does not apply

Additionally, your GP practice can apply a code which will stop your identifiable information being used for this purpose.

Additional information is also available from the NHS England website.

Funding Treatments

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. 

This may be called an “Individual Funding Request” (IFR). 

Type of Information Used

Identifiable – such as NHS number, DOB, Name, registered GP to make payments 
Anonymous – to provide reports for analysis of payments made 

Legal Basis 

Direct Care and Administration UK GDPR/DPA 2018

  • Article 6 1 (e)
  • Article 9 2 (h)

And common law duty of confidence

How We Collect and Use Information in relation to Funding Treatments

Information required to make payments in relation to Funding Treatments is provided by you, along with relevant information from primary and secondary care with regard to the referral for specialist treatment.

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.

Type of Information Used

Identifiable – such as name, address, DOB, NHS number

Legal Basis

Direct Care and Administration GDPR/DPA 2018

  • Article 6 1 (e)
  • Article 9 2 (h)

And common law duty of confidence

How We Collect and Use Information in relation to Continuing Healthcare

The assessment team will collect, use, share and securely store information from / with the Local Authority (Social Services) and other organisations or individuals that are either directly or indirectly involved in the assessment, decision-making process, the arranging of care, the funding and payment of care and appropriate monitoring of and audit of the safety and quality of care.

Safeguarding

We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

Legal Basis

Because of our duty to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the ICB or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Legal Basis

We will rely on your consent for this purpose

Benefits

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

Fraud Prevention

The ICB is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Minister for the Cabinet Office takes responsibility within government for public sector efficiency and reform. The Minister for the Cabinet Office is also the Chair of the Fraud, Error and Debt Taskforce, the strategic decision-making body for all fraud and error, debt and grant efficiency initiatives across government.

Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the UK GDPR / Data Protection Act 2018.

All bodies participating in the Cabinet Office’s data matching exercises receive a report of matches that they should investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update their records accordingly.

Serious Incident Reports

The ICB collects and uses information from Serious Incident Reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately and lessons learnt. 

Legal Basis 

Explicit consent 

How We Collect and Use Information in relation to Serious Incident Reports

We are statutorily required to fully investigate and review incidents. Where there is a requirement to provide incident reports externally the information will be anonymised unless there is a legal requirement to provide your details. You will be kept informed of the requirements we are required to meet and asked for consent where information is to be shared externally

Pseudonymisation at source

The ICB has been working closely with Oracle to develop systems that provide the data we and the GPs need to do our work, but in ways that do not involve Oracle or the ICB using information that can identify individual patients.

Pseudonymisation is a technical process that replaces identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identify of the individual patient to those working with the data. It allows records for the same patient from different sources to be linked to create a complete longitudinal record of the patient’s condition, history and care.

Linkage of data from different health and social care data sources is undertaken enabling the processing of data and provision of appropriate analytical support for GPs and ICBs whilst protecting the privacy and confidentiality of the patient(s). Technical and organisation measures are in place to ensure the security and protection of information. Robust access controls are in place to ensure only GPs are able to re-identify information about their individual patients when it is necessary for the provision of care.

Oracle’s Pseudonymisation at Source system has been confirmed by the Information Commissions Office as sufficiently de-identifying patient identifiers before it leaves the originating source to make it impossible to re-identify the individual concerned, as well as receiving approval from the Confidentiality Advisory Group (24/CAG/0047) which provide guidance to the Secretary of State for Health

Primary and Secondary Care Data

The NHS provides a wide range of services which involve the collection and use of information. Different care settings are considered as either ‘primary care’ or ‘secondary care’. 

Primary care settings include GP practices, pharmacists, dentists and some specialised services such as military health services. Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services. 

Throughout this Privacy Notice you will see reference to an organisation called NHS England. They are the national provider of information, data and IT systems for commissioners (such as the ICB), analysts and clinicians in health and social care. NHS England provides information based on identifiable information passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information. 

Get more information on the way NHS England collects and uses your information.

Complaints

The ICB aims to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive on this subject very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. Contact details for complaints to either ourselves or the ICO can be found at the end of this notice.

Information Commissioner

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Phone: 08456 306060 or 01625 545745

Or visit the ICO website.

Contact Us

If you have any questions or concerns regarding how we use your information, please contact us at: 

Hertfordshire and West Essex ICB
The Forum
Marlowes
Hemel Hempstead
Hertfordshire 
HP1 1DN

You can contact our patient experience teams as follows

By email to [email protected]. Or by telephone:

  • If you live in east and north Hertfordshire, call 01707 685356.  
  • If you live in the south and west Hertfordshire, call 01442 898865.  
  • If you live in west Essex, call the team on 01992 566122. 

Please use the contact details above for our Caldicott Guardian:

  • Fiona Head, Executive Clinical Director
  • Natalie Hammond, Director of Safeguarding & Complex Care (Deputy Caldicott Guardian)

The contact details for our Data Protection Officer are:

Further information

Below are links to more information about your rights and the ways that the NHS uses personal information:

Page last reviewed