Privacy Notice – Commissioning and Reporting

  • Commissioning Services


    To use pseudonymised (Not identifiable) Commissioning Datasets to provide intelligence to support the commissioning of health services. The data (containing both clinical and financial information) is analysed so that health care provision can be planned to

    support the needs of the population within the ICB area. The data is used to:

    • Performance management and monitoring of services;
    • Ensure patients are receiving quality and cost-effective care;
    • Prepare statistics on NHS performance for NHS England, and to support service redesign, modernisation and improvement;
    • Plan future services;
    • ·Validate activity/costs and service delivery to ensure the service commissioned is the one you experience. This could include challenging other NHS organisation about care being delivered and the associated costs.
    • Thoroughly investigating the needs of the population, to inform the commissioning or appropriate services for that Population’s health needs.
    • Stratify patients and activity based on risk and conditions.
    • Audit NHS accounts.

    Legal Basis

    Section 251 NHS Act 2006, Health and Social Care Act 2012

    Processing Activities

    As described by NHS England - NHS England » Data services for commissioners. Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our local population. We receive a range of data as listed in our contract with health care providers, this is called ‘local data’ and is received in addition to National data that all NHS organisations are required to submit. Both are used to support decision making for commissioning.

    This information is generally known as commissioning datasets. The ICB obtains these datasets from NHS Digital. These datasets are used in a format that does not directly identify you. The purpose of receiving this data is to support and monitor activity to inform the way we plan and commission services, and to gain evidence on how we can improve health and care services.

    The level of information provided is not sufficient to re-identify you but we can look at usage of services via a unique reference that helps us understand what parts of the system an individual accesses, however we are never aware of who that individual is and the reference is unique to our organisation.

    ICBs are required to adopt strict security controls when using these commissioning datasets under a Data Processing Contract with NHS Digital that is reviewed and refreshed on an annual basis.

    We also receive similar information from our GP Practices, however we cannot identify individual patients from this data but can link this information to the ‘Commissioning’ datasets we also receive.

    If you do not wish to your information to be captured in these datasets, you can raise an opt-out. Further details of how you can do this is contained within this Notice.

  • CHC Data Extractions


    The national CHC Strategic Improvement Programme extract data from our patient administration system, Broadcare, for the purposes of analysing the cost of CHC packages. The aim is to further understand the variation in content and value of care packages.

    Legal Basis

    NHS England’s Statutory Functions – NHS Act 2006 and Health and Social Care Act 2012

    Processing Activities

    The data extraction process is conducted between the CHC SIP Team and Broadcare. The extraction will involve pseudonymised data fields to protect the confidentiality of individual service users.

  • CHC Patient Level Data Set


    From 26th April 2022 the ICB was required, under the NHS Continuing Healthcare Directions 2022, enforced by NHS England, to submit a monthly CHC Patient Level Data Set to NHS Digital.

    The data will be used by NHS Digital to understand:

    • Where patients are being placed out of area
    • Where care packages are changing frequently
    • Other evidence which may indicate poor outcomes for patients, so that they can be identified and addressed

    The data will be used to support better outcomes, better patient experience and better use of resources.

    Legal Basis

    Section 254(1) and 254(6) of the Health and Social Care Act 2012

    Processing Activities

    The CHC Team will extract data currently held in Broadcare, which is collected, stored and processed by the ICBs for the purposes of assessment and administering CHC packages of care. The extraction will include an end-to-end data set (from referral to end of service provision) for each patient who has been assessed for CHC funded care. This data set will include patient who are eligible, as well as those who have been assessed and are not eligible.

    Explicit consent to flow data to NHS Digital under Directions issued by NHS England is not required. As a result, individuals may not opt out or object to use of their data used in this way.

  • Collaborative Care Market


    To combine data relating to the commissioning of nursing care across:

    • Norfolk County Council
    • ICB
    • Suffolk County Council

    to support the development of a sustainable care market that provides high quality care to people across Norfolk and Waveney, increasing cost efficiencies by delivering closer alignment across the commissioning functions.

    There is the need to share data containing NHS numbers so that we can generate accurate joint costings

    Legal Basis

    Exercising its functions effectively, efficiently and economically Section 14Z33 of the NHS Act 2006

    Processing Activities

    Linking the data from the two systems that are used to support the funding of Continuing Healthcare (CHC) /Funded Nursing Care (FNC) including people who use Personal Health Budgets (PHB) and use Personal assistants (PAs) (over 18 years of age and includes LD&A).

    The data will be analysed to deliver efficiencies.

  • Invoice Validation


    To ensure that the ICB is paying appropriately for the care given to its residence/population.

    As we are responsible for paying for care, we may need to ask for evidence of the care provided, to ensure that it was appropriate, provided by the right organisation and to ensure it was the best use of public funding.

    Legal Basis

    Section 251 NHS Act 2006, Health and Social Care Act 2012

    Processing Activities

    The use of limited information about individual patients is required when validating invoices received for healthcare provided, in most cases limited data such as the practice code is used to make such payments.

    In some instances, information to confirm that you are registered at a GP Practice within our area is needed to make such payments to ensure the invoice is accurate and genuine.

    This will be performed in a secure environment and will be carried out by a limited number of authorised staff

    The Norfolk and Waveney ICB has an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption, which enables us to process patient identifiable information without consent for the purposes of invoice validation – CAG 7- 07(a)(b)(c)/2013

    The ICB has entered into a CEfF contract with Arden GEM Commissioning Support Unit, which is authorised by NHS England. In addition, we have commissioned the services of NHS Shared Business Service to work with AGEM CSU to collect, process and validate invoices.

    The process involves a limited number of authorised staff using your NHS number, postcode and/or date of birth to establish whether we are responsible for paying for your care. The minimum information necessary is always used for this purpose.

  • Invoice Validation for CHC Care


    If you are in receipt of CHC, we will still need to make sure that the care you receive is in accordance with your care plan, and that it is chargeable to our ICB. To do this we will use the records already available to us in our CHC administration system, Broadcare.

    Legal Basis

    NHS Act 2006, Health and Social Care Act 2012, National Framework for NHS continuing Healthcare and NHS funded Nursing Care July 2022

    Processing Activities

    When we receive an invoice for your care, we will check that it meets the needs of your care plan. This will be done using a unique identifier. Wherever possible we will not use your person identifiable information to validate invoices.

    However, if there is a discrepancy, i.e., we have received an invoice for care not mentioned in your care plan, we may review our records and your personal information to assess whether you care needs have changed and your package needs to be  reviewed.                                                   

    We will of course contact you if there any changes are required to your care plan.

  • Risk Stratification


    NHS England encourages ICBs and GPs to use risk stratification tools to develop strategies to support patients with long term conditions and to help prevent avoidable admissions, by predicting when a deterioration in health is likely to occur. Risk stratification is part of overall Population Health Management activities which bring together health related data for identifying and managing patients who should be classified as:

    • “at risk of an emergency hospital admission or deterioration in health” or
    • identify a specific population that health services may then prioritise.

    The Purpose is to:

    • Reduce health inequalities and improve overall outcomes.
    • Help decide if a patient is at greater risk of suffering a particular condition
    • Prevent an emergency admission to hospital
    • Identify if a patient needs medical help to prevent a health condition from getting worse.
    • Help the ICB to commission appropriate preventative services and promote quality improvements in existing services.

    Legal Basis

    GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

    GDPR Article 9(2)(h) - processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    Section 251 (NHS Act 2006) approval (CAG 7-04(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, sets aside the Common Law Duty of Confidentiality. This enables pseudonymised information to be sent to the ICB via NHS England ( services-for-commissioners/data-services-for-commissioners- regional-offices) in order to help us plan the most appropriate health services for our population.

    Processing Activities

    Risk stratification tools use various combinations of data about patients such as age, gender, diagnoses, hospital attendance, admission and primary care data collected by your GP in practice systems. This data could be pseudonymised, anonymised or aggregated.

    Risk Stratification is a process which applies algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

    The ICB has commissioned the services of two authorised Risk Stratification Providers to provide risks stratification tools that have been approved by NHS England:

    • Prescribing Services Limited (PSL); and
    • Arden & GEM Commissioning Support Unit (AGEM CSU)
    • Data processing takes place under a contract to ensure that contractual obligations on the providers are enforceable.
    • The ICB has a data sharing contract in place with NHS England which enables PSL to have access to secondary care data (Inpatient, Outpatient, Accident and Emergency, Out of Hours, Urgent Care, Community Nursing, Community Mental Health) at an identifiable level (via the NHS Number) which it can link to primary care data. Subsequent use of data is then
    • AGEM CSU uses a process that converts identifiable data at source and then removes NHS This is then handled by the ICB as a commissioning data set. This enables linkage to other data sets provided to the ICB where permitted. (This processing does not require Section 251 approval).
    • Our GP Practices also have a data sharing contract in place with PSL and AGEM CSU to flow primary care data into their risk stratification They act as data processor under very specific instructions from the GP practice.

    The ICB complies with national opt out processes.

    Your details will only be processed if there is a legal basis to do so such as direct health or social care need. This means the data is not identifiable and remains that way until a request is made by a clinician or support team (who already has a direct relationship with you) to re-identify with the intention of offering direct care and support.

    If you do not wish for your personal data to be used for Risk Stratification, you can choose to exercise a local opt out by contacting the ICB using the contact details within this Notice. See Contacting Us section at the end of this Notice.

    In order for us to comply with your opt-out request, a level of identifiable data will need to be retained by us as a record of your request and our subsequent processing of this. The data retained will be the minimum required for the processing undertaken.

  • Population Health Management


    Population Health Management (PHM) is aimed at improving the health of an entire population. PHM is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care. The PHM approach requires health care organisations to work together with communities and partner agencies, for example, GP practices, community service providers, hospitals and other health and social care providers. These organisations will share and combine information with each other in order to get a view of health and services for the population in a particular area.

    Examples of how data could be used for a number of healthcare related activities include:

    • improving the quality and standards of care provide
    • research into the development of new treatments
    • preventing illness and diseases
    • monitoring safety
    • planning services

    Legal Basis

    GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

    GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

    In the majority of cases, anonymised data is used so that you cannot be identified. Where identifiable data is used, this is done under contract with the relevant healthcare providers.

    Processing Activities

    The ICB has commissioned the services of two providers who conduct Risk Stratification to support PHM:

    • Prescribing Services Limited (PSL); and
    • Arden & GEM Commissioning Support Unit (AGEM CSU)

    For information on this processing activity, please refer to the Risk Stratification section above.

    As part of the ICB’s PHM work, local health and social care providers may direct the ICB’s Protect NoW Team, to contact patients in relation to population heath initiatives.

    The Protect NoW call handlers signpost patients to additional services commissioned by the ICB, if requested by the patient. They will not have access to medical records. The provider will extract the relevant cohort of patients from their treatment list with the minimum information required for the Protect NoW call handlers to contact the patient.

    Further information regarding the work of Protect NoW can be found on the ICB’s website - Protect Now and Health Improvement and Population Health Management Projects - Norfolk & Waveney ICS.

  • Sub Licensing


    To bring together care organisations across N&W to collectively plan health and care services to meet the needs of the Population. To allow ICB to share data received from NHS England via our commissioning agreement, with members of N&W ICS. This will be limited to pseudonymised commissioning data. The data will only be shared for the purpose of commissioning.

    Legal Basis

    Health and Social Care Act 2012 - s261(5)(d)

    Processing Activities

    The Sublicensee will be required to meet certain criteria and then sign up to the standards of use in the data sharing agreement before they will be granted access.

    Sub licensee requests will be vetted by an ICB hosted approvals group and will require senior sign off by ICB Senior Information Risk Officers.

    The pseudonymised data sets provided by NHS Digital are maintained in a data warehouse and will populate and Business Intelligence dashboards and routine reports which sublicensees will be granted access to. The ICB can also share this data direct to a sub licensee upon request, all data shared under these terms is logged by the ICB.

    They Sub-licensee will become a data controller and are not able to share the data outside their organisation.


    The list of sub-licensees will be updated quarterly and can be found here. - List of Sub-licensees

  • Service Redesign & Evaluation


    Norfolk & Waveney ICB is a statutory NHS organisation responsible for developing a plan for meeting the health needs of the population, managing the NHS budget and arranging for the provision of health services in a geographical area.

    As part of its function, the ICB works with partners to design, deliver and evaluate cross-sector, multi-agency projects and services to drive the integration agenda. This includes working alongside system partners to develop and transform pathways and services.

    Legal Basis

    NHS ACT 2006 and Health and Social Care Act 2012

    Processing Activities

    Service redesign and evaluation may involve ICB staff shadowing and working with colleagues from system partners to understand pathways, patient flows and patient experiences. As a result, access to or sight of personal identifiable data, where this is relevant to the patient journey and to help improve processes and services/pathways, may occur.

    Where complex pathways or services are evaluated, it may be necessary to bring providers together to find a solution. The ICB may act as facilitators in multi-disciplinary meetings to ensure a coordinated approach in ensuring the best possible outcomes for patients. As part of this work, an element of personal identifiable data may need to be shared.

    In all cases, only the minimum amount of personal identifiable information will be shared, necessary for the purpose and only where anonymised themes and trends are insufficient to allow accurate evaluation.