Skip Navigation
Search site

This is our old website. Most information can now be found on our new NHS Digital website. Let us know what you think.

Fair Processing for CCGs

The release of patient-level data from the HSCIC, unless anonymous, requires a Data Sharing Framework Contract (DSFC) and Data Sharing Agreement (DSA) to be in place. To complete a DSFC, CCGs should email enquiries@nhsdigital.nhs.uk before any data is requested.

To request data, CCGs must complete a Data Access Request Service (DARS) application which can be found at http://digital.nhs.uk/DARS. Once a DARS application has been submitted and reviewed, it progresses to the Data Access Advisory Group (DAAG) - soon to be replaced by the Independent Group Advising upon the Release of Data (IGARD) - and a recommendation is made regarding the approval for the flow of the requested data.

If an application requests data containing an identifier (e.g. NHS number), as opposed to non-identifiable data, it must contain a hyperlink to the CCG's fair processing notice/privacy notice on its website.

The ICO's guidance on Fair Processing Notices is extremely useful and provides details on (a) how to structure the information, (b) what to include in a notice and (c) public 'accessibility' of the fair processing notice. Follow the links below to view the ICO website and advice from DAAG on fair processing:

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/

http://digital.nhs.uk/media/16691/Data-Access-Advisory-Group-advice-on-fair-processing/pdf/DAAG_advice_fair_processing_FINAL_20150323.pdf

DAAG reviews the contents of the CCG's fair processing notice/privacy notice to ensure that patients are aware of how the CCG is using their data. DAAG also checks that there are no misleading statements in the fair processing notice about the level of data shared This might include, for example, sharing with non-NHS organisations (i.e. a third party processor), which could be unknown by patients and the public.

If a CCG is applying for data for Commissioning, Risk Stratification and Invoice Validation purposes, the following points should be included in a fair processing notice:

  • The information within the fair processing notice should be up to date, current and reflect the type of data received by the CCG or by others on its behalf and also explains the uses of the data
  • The fair processing notice should specify any third party data processor being used e.g. providing a risk stratification tool (who this is, why this is done, what level of data is being transferred for the purpose etc.)
  • The fair processing notice should specify what level of data the CCG is legally allowed to receive and for what purpose
  • The fair processing notice should specify if the CCG carries out Invoice Validation (what this is, why this is done, where the Controlled Environment for Finance is located etc.)
  • The fair processing notice should include details of linkage with other datasets, explaining which data sets are linked (e.g. GP and SUS) and from whom the other data sets are received
  • The fair processing notice should detail any onward disclosure of the data
  • The CCG should ensure that there are no misleading statements included with regard to the CCG obtaining explicit consent from patients
  • The fair processing notice should be easily found and accessible on the CCG's website and the content should be accurate, as concise as possible and written in plain English
  • The fair processing notice should include details of how a patient can opt out (i.e. what opting out is, any constraints to opting out, how to opt out and any impact on them (or not) of opting out etc.)
Close iCM Form