Privacy Notice – Your Rights

NHS Norfolk and Waveney ICB observes your rights, as detailed below. To enable the ICB to observe your rights it will be necessary to process your information to administer with your request.

To be informedThis notice informs you how the ICB will use your information for the purposes of managing the local healthcare system.
To access your informationYou have the general right to see or be given a copy of personal data an organisation holds about you. This is known as a Subject Access Request. Full details of how to raise a request can be found in the ICB’s Subject Access Request & Information Rights Policy, which is available on our website.  

Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO): For the public | ICO
To limit you your information is processedThe NHS Constitution states, “you have a right to request that your confidential information is not used beyond your own care and treatment, and to have your objections considered”. These are known as opt-outs and available at different levels.  

Further details of how to opt-out is contained within this Notice.
To have your data correctedUnder UK GDPR you have the right to have inaccurate (i.e. incorrect or misleading) personal data rectified or completed, if you feel that there are omissions (subject to the original purpose for the processing). You can make this request either in writing or verbally, however the ICB has a duty to ensure that we have taken all reasonable steps to check that the information is incorrect.
To have your data deletedThis is also known as the “right to be forgotten”. You can request that your information is erased if:
Your personal data is no longer necessary for the purpose it was originally collected and/or processed by the ICB.
You wish to withdraw your consent for the ICB to hold your data and there is no overriding legitimate interest or legal obligation for the ICB to continue to process your data.
You consider that the ICB has processed your information unlawfully; or
You have to exercise your right to erasure in order to comply with a legal obligation. 

We will communicate any erasure of information to anyone to whom it has been disclosed unless this is not possible or involves disproportionate effort. We will tell you who those recipients are if you ask us. We will also ensure that your information is erased from any backup systems as well as live systems.  

The right to erasure is not an absolute right and so there maybe situations where your request cannot be satisfied, such as:
The ICB must retain your data in order to comply with a legal obligation.
The ICB is required to process your data to carry out a task in the public interest or in the exercise of an official authority.
The ICB must retain your information for archiving purposes in the public interest, such as scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously hinder our ability to process information for commissioning purposes.
Where the ICB needs to retain your data for the purposes of a defence or legal claim; or
In the case of special category data;
where we need to process data to protect the public’s health such as protecting against cross-border health threats and pandemics; and/or
where a health professional processes data for the purposes of preventative or occupational medicine.  

The ICB can also refuse to comply with your request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. In these circumstances we can:
request a “reasonable fee” to deal with your request, based on the administrative costs we may incur; or
inform you within one calendar month that we must refuse your request.  

If we are unable to satisfy your request, we will justify our decision.
Data PortabilityYou have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file.  

You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.  

As ICBs are not health care providers, we are unable to arrange the transfer of your medical files. However, we can arrange to transfer any information you have provided to us with your consent. You can make this request in writing using the contact details below, stating what information you would like transferred and to whom.
To object to the use of your dataThe ICB will not publish any information that identifies you or routinely disclose any information about you without your express permission.  

You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision. Please note that you can only raise an objection if your information is being processed to:  
Carry out a task in the public interest
Fulfil the ICB’s legitimate interests
Conduct scientific or historical research of for statistical purposes; or
Conduct direct marketing.
To control how decisions are made about you without human involvementWhen decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short.  

In many circumstances, you have a right to prevent automated processing.  

The ICB uses an automated decision-making tool for recruitment purposes, to enable us to short list candidates for interview without revealing the identity of the applicant during the application process. This is to ensure that our selection process is only based on the individual’s suitability for the job, rather than prior knowledge of who the applicant is.  

In addition, an automated decision-making tool is used to identify whether a group of patients is at risk of a deterioration in their health. By exercising an opt-out, your data will be excluded from an automated decision-making tool.
To request information from a public bodyThis is known as a Freedom of Information Request, under the Freedom of Information Act 2000. This request only relates to information that does not identify a living individual. Further details of how to raise a request can be found in the ICB’s Publication Scheme.
To raise a concernYou have the right to be confident that organisations handle your personal information responsibly and in line with good practice. You can raise a concern about the way the ICB is handling your information if you feel:  
We are not keeping your information secure;
We are holding inaccurate information about you;
We have disclosed information about you;
We are keeping information about you for longer than is necessary; or
We have collected information for one reason and are using it for something else.

Details of our complaints procedure is contained within this Notice.