Privacy Notice

What is a Privacy Notice?

This Privacy Notice, previously referred to as Fair Processing Notice, allows us to tell you:

  • what information we collect about you
  • why we collect it
  • what we do with it
  • how we will look after it and
  • who we might share it with.

This notice applies to all information held by the ICB relating to individuals, whether you are a current or previous patient / service user. It covers information collected directly from you or receive from other individuals or organisations.

This notice is not exhaustive; however, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to our Data Protection Officer.

We revise the Privacy Notice regularly to ensure that it continually provides transparent information about the use of your data.  This notice was last reviewed in July 2023.  A printable version can be found here.

  • Our Commitment to Data Protection and Confidentiality

    We are committed to protecting your privacy and will only process personal information in accordance with UK GDPR and the Data Protection Act 2018, the common law duty of confidentiality and the Human Rights Act 1998.

    NHS Norfolk and Waveney ICB as a data controller is legally responsible for ensuring that all personal information is processed in accordance with data protection legislation, and that you can exercise your rights in respect of your information.

    All data controllers must register their processing activities with the Information Commissioner’s Office (ICO). Details of our registration can be found at NHS Norfolk and Waveney ICB – ZB345066.

    Everyone working for the NHS has a legal obligation to keep information about you confidential. The NHS Care Record Guarantee and the NHS Constitution provide a commitment that all NHS organisations and those providing care under an NHS contract will use records about you in ways that respect your rights and promote your health and wellbeing.

    All of our staff, contractors and committee members receive appropriate annual training on data protection and confidentiality, to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

    The ICB works with our data processors, to ensure that information is held in secure locations with restricted access to authorised personnel only. We protect any personal information that is held on our systems with encryption so that it cannot be accessed by those who do not have permission to do so.

  • Types of Information We Hold

    The ICB uses and process several different types of information such as:

    • Anonymised information – information about individuals with identifiable details removed, this assists the ICB to understand the use of services in Norfolk and Waveney but cannot identify you personally.
    • Pseudonymised data – replaced identifiable information with a code which does not reveal an individual’s “real world” identity to the ICB but can be used by your health care provider to identify you using a deciphered code.
    • Aggregated data – this does not reveal the identity of a person, but group’s health activity data together to provide the ICB with statistical data on trends or gaps in services.
    • Identifiable information – such as your name, address, date of birth, NHS number, email address.

    Throughout this Notice you will see reference to an organisation called NHS England. They are the national body responsible for data management and information processing in health and social care. NHS England is legally responsible for receiving identifiable information from Primary Care and Secondary Care Providers in a secure manner, so that it can be reformatted into a dataset that can be legally used by the ICB.

  • Who we share your information with and who shares with us

    We work with several other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

    We contract with other organisations to provide a range of services to us such as IT services, Payroll and other support service. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.

    We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

    Current external data processors:

    • NHS Arden and Greater East Midlands CSU – Data Services for Commissioners Regional Offices (DSCRO) this is a regional secure service provided to the ICB by NHS Digital via the CSU, primary care IT Service Provider, risk stratification, invoice validation, commissioning intelligence analysis,
    • Prescribing Services Limited – provider of risk stratification and population health management tools
    • NHS Resolution – management of claims
    • TIAA – Internal Audit
    • Ernst & Young – External Audit
    • Grant Thornton – Counter Fraud Service
    • NHS England
    • NHS Improvement
    • Public Health England
    • NHS Shared Business Services – purchase ledger and invoice validation
    • Optum Health Solutions (UK) Limited – population health management
    • Liaison Group
    • Norfolk Community Health & Care NHS Trust (NCH&C) – IT Service Provider
    • NHS Midlands and Lancashire Commissioning Support Unit – supporting the community deprivation of liberty safeguard applications to the court of protection

    To support the Integrated Care System, the ICB processes data on instruction from other organisations. On those occasions it becomes the data processor on behalf of the organisation who has shared the data (the data controller). An example of this is a dedicated team, reducing health inequalities, who contact vulnerable patients who are at risk, signposting them to further support from relevant organisations, and various health initiatives. You can find out more information on our webpages here.

    Information may be shared with our Health and Social Care partnering organisations, to meet your social and health care needs. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care, if there are exceptional circumstances or a legal obligation such as:

    • There is a risk of harm to someone or the wider community
    • The prevention or detection of a serious crime
    • Where we are required to do so by law
    • Reporting some infectious diseases
    • Prevention and detection of fraud – National Fraud Initiative (NFI)

    If we are obligated to release information as described above, this will be done with the approval of our Caldicott Guardian or Data Protection Officer.

    The ICB is party to several information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to, social services, education services, local authorities, police, voluntary organisations and public health.

  • Why We Process Information about You

    If you are receiving services from the NHS, we will need to use your information (paper or electronic) to provide treatment, to check the quality of your care, to help you make good decisions about your health and to investigate complaints and claims. We also use your information to:

    • Check the quality of care we provide to everyone (a clinical audit)
    • Protect the health of the general public
    • Monitor how we spend public money
    • Train healthcare workers
    • Carry out research
    • Help the NHS plan for the future

    From time to time the ICB will use patient data to analyse the health of a population. This is required for the commissioning of health services, or to help target preventive care at certain groups of patients.

    If we use your information for the above reasons, we will remove your name and other details which could identify you. However, if we need to use the information in a way that identifies you, we will ensure that we have a fair and lawful basis for doing so, such as:

    • You have given us permission
    • You have made a complaint to us about the healthcare you have received, and we need to investigate
    • We need to provide funding for Continuing Healthcare Services
    • You have asked us to assist in sourcing and funding specialised treatment for a particular condition that is not routinely available via the NHS
    • You have asked us to keep you regularly information about the work of the ICB and would like to be actively involved in our engagement and consultation activities.
    • To protect children and vulnerable adults
    • When a formal court order has been served upon the ICB
    • When we are lawfully required to report certain information to the appropriate authorities i.e., for the prevention or detection of a crime
    • In an emergency situation to assist us to the protect the health and safety of our local population i.e., management of a pandemic
    • When permission is given by the Secretary of State for Health or the Health Research Authority on the advice of the Confidential Advisory Group, i.e., to identify groups of patients who are at risk of an unplanned admission or deterioration in health.

    As a result of the above processing activities, the information held by the ICBs about you make contain information provided by a relative, carer, health professional, social care provider, or those who are / have been directly involved in your health and social care.

  • Overseas Transfers and Marketing

    Your information will not be sent by the ICB outside of the United Kingdom to a country that does not have appropriate legislation to protect your privacy.

    We will never sell any information about you.

    We will never share your information with a third-party organisation for marketing purposes without your prior written consent.

  • Your Rights
  • Exercising an Opt-Out

    There are different opt-outs available to you if you do not wish your data to be shared in an identifiable form.

    Information collected by the ICB from organisations that provide NHS services

    You are able to opt out from the use of your personal data for research and planning purposes. This is known as the National Data Opt Out. See NHS pages for more information. Your choice to opt-out will have no negative impact on your individual care.

    You can check or update your opt-out preference here.

    Information shared with the ICB for secondary use purposes

    To help us manage the local health and social care system, the ICB may use anonymised or pseudonymised data that is shared with us by other health and social care services and ICS partner organisations. As this use of data is not for your direct care this is called secondary use of data. An example of this is Risk Stratification. This use allows us to provide the services that are needed, in the right areas, helping to promote good health and social care and reducing health inequalities.

    Further information on Risk Stratification is available within this notice within the 'What information we have and what we do with it' tab. 

    If you do not wish for your personal data to be used for Risk Stratification, you can choose to exercise a local opt out by contacting the ICB as below:

    NHS Norfolk & Waveney Integrated Care Board
    8th Floor
    County Hall
    Martineau Lane
    NR1 2DH

    Email address:
    Telephone Number: 01603 595857

    Information directly collected by the ICB

    Where we have collected your information with your consent, you can withdraw this at any point, provided there is no overriding legal obligation for us to share your personal information.

    Where we cannot comply with your request, we will provide you with full details of the reason why.

    You can withdraw your consent at any point using the following contact details:

    NHS Norfolk & Waveney Integrated Care Board
    8th Floor
    County Hall
    Martineau Lane
    NR1 2DH

    Email address:
    Telephone Number: 01603 595857

  • Retention and destruction of records

    All records held by the ICBS will only be kept for the duration specified in the Records Management Code of Practice for Health and Social Care.

  • Key Roles in the ICB

    The ICB has a number of key roles which support the protection of your data:

    • Caldicott Guardian - The ICB’s Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. The Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information. The Caldicott Guardian can be contacted at or by using the “Contact Us” section of the website.
    • Senior Information Risk Owner (SIRO) – The ICB’s SIRO is an Executive Director with overall responsibility for an organisation's information risk policy. The SIRO is accountable and responsible for information risk across the organisation. The SIRO ensures that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. The SIRO can be contacted at or by using the “Contact Us” section of the website.
    • Data Protection Officer (DPO) – The DPO is responsible for making sure that all information held by the ICBs is collected, stored and used in accordance with the Data Protection Act 2018 and UK GDPR. The DPO is also responsible for the management and investigation of information breaches and incidents and for ensuring that the rights of individuals in respect of their personal data are upheld within the ICB.

    If you wish to contact the ICB’s Data Protection Officer regarding your personal information, you can find the details below:

    Data Protection Officer
    NHS Norfolk & Waveney Integrated Care Board
    8th Floor, County Hall
    Martineau Lane
    Norwich, NR1 2DH

    Email address:

  • What information we have and what we do with it
  • Contacting Us

    For general enquiries or to contact the ICB to exercise a local opt out of your personal data, please use the following contact details:

    NHS Norfolk & Waveney Integrated Care Board
    8th Floor
    County Hall
    Martineau Lane
    NR1 2DH

    Email address:
    Telephone Number: 01603 595857

  • Formal Complaints/Appeals

    If you feel that NHS Norfolk and Waveney ICB has not complied with current data protection legislation, either in responding to a request or in the way we process your personal information, you can raise your concerns in writing to the Data Protection Office, using the contact details here or at the address above.

    We will always endeavour to resolve the matter to your satisfaction. However, if you still remain dissatisfied with our response, you have the right to escalate your concerns to the Information Commissioner by writing to:

    Information Commissioner Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
    5AF Enquiry Line: 01625 545700

  • Further Information

    This notice does not give a full explanation of the law. If it doesn’t answer your questions or you would like more detailed information, please contact the Data Protection Officer.

    If you wish to know more about any information that is held about you as a patient, please contact your local health care provider.