Privacy notice

Pharmacy, Opticians and Dental (POD), General Practice Transformation Programme (GPTP) and Complaints

What we do – POD and GPTP complaints

From 1 April 2023, the ICB has taken on delegated responsibility for POD, GPTP and Complaints from NHS England. In carrying out these responsibilities we will process personal information about contractors, clinicians and in certain cases patients (e.g. complaints).  This information is also commercial.

We require this information to perform a number of activities including Contract management, recruitment, complaints handling and financial management.

Up until 1st April 2024 we will be working with NHS England (our Data Processor) to provide services on our behalf.  NHS Somerset Integrated Care Board are also working with NHSE England as a sub-processor to support the delivery of these functions.

What we use

Data Type: Personal Confidential Data – may include Primary Care Data.

Legal Basis

We will rely on our public duty to process your personal data for the purpose of delegated responsibility for POD, GPTP and Complaints.

UK General Data Protection Regulations

The UK General Data Protection Regulations (UKGDPR) allows information sharing for purposes of individual care, planning and research when health and care information is shared for either individual care or to help tackle disease through research and planning. Article 6 and Article 9 of UKGDPR make allowances for this.

How we use your data

What we do

NHS Cornwall and the Isles of Scilly Integrated Care Board (ICB) is responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers, such as hospitals and GP practices. We also have a performance monitoring role of these services to ensure the highest quality of healthcare, which includes responding to any concerns from our patients on services offered.

The purpose of this notice is to inform you of the type of information (including personal information) that the ICB holds, how that information is used, who the information may be shared with, how it is held securely and confidentially and what your rights are in relation to this.

Person identifiable information or data, relates to living individuals who can be identified from that data and/or other information. This information may already be in our possession or may be likely to come into our possession in the future. It includes any expression of opinion about the individual and any indication of our intentions.

In line with the requirements of the first principle of the NHS Constitution, the requirements of the Equality Act 2010 including the public sector equality duty, and the integrated care board improvement and assessment framework, the ICB collects and monitors equality and diversity information about members of the public and staff.

Identifiable information may be collected with the consent of staff or patients. Identifiable and non-identifiable information may be collected for purposes listed below:

  • working fairly, to ensure that no one is discriminated against
  • treating people with respect
  • operating honestly
  • ensuring people can access services when they need them

To assist with meeting the above values and responsibilities, the ICB also gathers information from members of the public, partner organisations and contractors which may be in the form of anonymised information or statistical analysis.

Why we hold information about you

The purpose of gathering information is to make sure funding for health and care services is made available where it is needed the most, to ensure appropriate care and treatment is provided where and when it is needed. To make sure health and care services are of the highest standards and people can lead longer, healthier lives. For example, services are commissioned or provided from hospitals, community health services, GPs and dentists.

You can read more about each of these roles by visiting the websites for those organisations or selecting the internet links which are contained within this privacy notice.

The collection of accurate information about you is vital in assisting your GP, primary care team and ICB to provide you with the right services and health care for your needs. This enables you to be given appropriate information about your care, to make informed choices and where possible improve the services you receive.

Records may be electronic, paper or a mixture of both and may be used in combination or separately, with working practices and technology to ensure that your information is held securely and kept confidential.

All health and social care organisations and their staff are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018. Health and social care organisations will not use any information held about you for any purpose other than that described when it was collected unless your consent has been obtained first.

Keeping information secure and confidential

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. Staff with access to patient identifiable information have received appropriate ongoing data security and protection training to ensure they are aware of their responsibilities. ICB staff are given access to personal data only on a need-to-know basis only.

The ICB honour any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.

The ICB abides by the UKGDPR which enables the sharing of personal information, where appropriate, with other European Union countries. Information collected will not be sent to any other countries where the laws do not protect your privacy to the same extent as that required by UKGDPR. Unless required to do so by law, your information will not be shared, sold or distributed to any third party without your consent.

The care record guarantee is the commitment that all NHS organisations and those providing care on behalf of the NHS will use records and information about you in ways that respect your rights and promote your health and wellbeing. Everyone who works for the NHS or for organisations delivering services under contract to the NHS must comply with this guarantee.

We make sure the information we hold is secure and access to it is only given to authorised personnel. We have organisational and technical security in place to protect personal and confidential information. For example, using encrypted laptops and being especially careful with disposal of items, like paperwork, computer disks and memory sticks.

How information is used

We use the following types of information and data:

  • identifiable (containing details that identify individuals)
  • Pseudonymised which is about individuals but with identifying details (such as name or NHS number) replaced with a unique code; linked data sets may be used in this way:
    • to gain an understanding of local population health and care needs and will be used to support the co-production of a range of different scenarios of service configuration across the local community to meet these needs
    • health and care service modelling to support an understanding of the impact different configurations of providing health and care services could have on patient outcomes, the numbers, types and skill sets of practitioners, the types of activity per setting of care and the cost implications, supporting the sustainability of the health and care system
  • anonymised (about individuals but with identifying details removed)
  • aggregated (information grouped together so that it does not identify individuals)

Definition of data types

This section provides definitions for key terms which are used throughout this text to describe different data types.

Anonymised data is data about you but from which you cannot be identified.

De-identified data with pseudonym identifier, is data about you, but tracking is possible through the patient pathway without using your personal information, and you cannot be identified.

De-identified data with weak pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute data with community data to see the full picture of your patient care pathway. No other personal information is used during this process, and you will not be identified. There may be times when it may be appropriate to re-identified you such as in the event of patient safety requirements or for direct care purposes when we would pass on information to your GP to treat you.

Anonymised in context data (for commissioning purposes), which is de-identified data about you but you cannot be identified within the ICB commissioning environment. You may be identified if this data was available to a hospital or your GP. Like the above, we replace the NHS number with a locally generated pseudonym like an information system number.

Anonymised statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units, and research institutions to help with future development of services.

Examples of how this information is used:

  • working out what illnesses people will have in the future so we can all work with the local primary care services, community services and hospital services to ensure that patient needs are met now and, in the future
  • planned hospital care
  • rehabilitation care
  • mental health and learning disability services
  • responding to patient concerns about services
  • checking accounts and services
  • audit and public health services

We use anonymised data to plan health care services. Specifically, we use it to:

  • Check the quality and efficiency of the health services we commission
  • Prepare performance reports on the services we commission

An example of the areas where personal information will be used are:

  • to provide direct patient care
  • referral management processes to ensure you are referred to the right service when requested by your GP
  • individual funding requests (a process where patients and their GPs or consultants can request special treatments not routinely funded by the NHS)
  • continuing healthcare assessments (a package of care for those with complex medical needs)
  • responding to your queries, concerns or complaints
  • assessment and evaluation of safeguarding concerns for individuals
  • incident investigations
  • where there is an overriding public interest
  • where we have gathered your consent
  • when there is a legal requirement for us to do so

The ICB also processes personal information in relation to the staff it employs (and contractors it works with). Collecting equality and diversity information helps the ICB to know whether it is:

  • recruiting employees who may be disadvantaged or under-represented
  • broadly representative of our local population
  • promoting people fairly, whatever their background
  • checking that men and women’s pay is comparable
  • making progress towards the aims set out in our equality work

Further information regarding the confidentiality of staff information is at the end of this privacy notice.

What is primary care data and secondary care data?

Around 90% of public contact with the NHS is with primary care services. Primary care includes services such as those provided by GP practices, dental practices, community pharmacies and high street optometrists. Primary care data relates to information which has taken from these types of services.

Secondary care covers the treatment and care provided by specialised medical services. These services include specialist doctors and nurses, within a health facility or hospital that you may have seen following a referral from your primary care clinician (for example your GP). Secondary care data relates to information which has been taken from these types of services.

Data linking

When reviewing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive report. This may involve linking primary care GP data with other data such as secondary use service data which covers attendances at a secondary care provider. For example an emergency department outpatient attendance, an emergency or planned inpatient stay.

There may also be a need to link local datasets which could include a range of acute hospital services such as radiology, physiotherapy, audiology, as well as mental health and community-based services. This linked data may be used to improve access to psychological therapies (IAPT), district nursing, podiatry.

When carrying out this type of review the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

NHS Digital

The law allows some NHS bodies, particularly NHS Digital, to collect sensitive personal data directly from care providers for secondary purposes, such as assessing care provided at population level.

The dataset collected by NHS Digital from secondary care providers, for example hospitals, is called the secondary uses service. This is the single, comprehensive storage place for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services.

When a patient or service user is treated or cared for, information is collected which supports their treatment.

Data may be de-identified and linked by these special NHS bodies so that it can be used to improve health care and development and monitor how the NHS is performing. When data is used for these statistical purposes, very strong security measures are taken to ensure individual patients cannot be identified.

The Data Services for Commissioners Regional Offices (DSCRO) is a specialist data processor acting on behalf of commissioners such as the ICB and have a legal basis to receive data from NHS Digital.

The following types of organisations send data to NHS Digital. Data from NHS Digital is sent to DSCRO in an anonymised format or a de-identified format with NHS number to link and analyse the data.

Acute trust hospitals

For example, Royal Cornwall Hospital NHS Trust and University Hospitals Plymouth NHS Trust. NHS Digital receive anonymised acute data such as emergency department attendances, waiting times, diagnosis, treatments, and follow-ups, length of stay, discharge information and next steps.

Community trusts or community organisations

For example, Cornwall Partnership NHS Foundation Trust. NHS Digital receive anonymised community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units.

Mental health trusts or mental health organisations

For example, Cornwall Partnership NHS Foundation Trust for Cornwall. NHS Digital receive anonymised mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge, referrals and next steps.

Primary care organisations

For example, your local GP practice. NHS Digital receive anonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication and prescriptions information and follow-ups.

As a commissioner, the ICB must report certain information to the appropriate authorities such as NHS Digital by law. The information may include basic details about you, such as your name and address, NHS number and date of birth but in may also contain more sensitive information about your health and information such as outcomes of needs assessments. There may be a performance monitoring role of services, which includes responding to any concerns from patients and/or the public on the services offered and which are dealt with through, for example, complaints department.

Sensitive personal data is personal data consisting of:

  • racial or ethnic origin of the individual.
  • political opinions
  • religious or philosophical beliefs or other beliefs of a similar nature
  • trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
  • genetic data for example those aspects relating to the inherited or acquired genetic characteristics
  • biometric data when used for identification purposes, for example fingerprint scanning or facial recognition
  • physical or mental health condition(s)
  • sexual life
  • commission or alleged commission of any offence
  • any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings

Data processors

The ICB may contract with other organisations to process data on our behalf. These organisations are known as data processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed/used.

The ICB also uses the following data processors:

  • Royal Cornwall Hospital NHS Trust for purposes of staff payment, pensions, recruitment, occupational health and IT support services
  • Cornwall Partnership Foundation NHS Trust for records management and archiving services
  • DSCRO for data linkage purposes (for the ICB this is the NHS South, Central and West Commissioning Support Unit)
  • Prescribing Services Ltd for risk stratification for case finding in some GP practices

This is how all the above processing works.

Invoice validation

There may be times when a one healthcare organisation will need to invoice another healthcare organisation for treatment given to a patient. This can occur, for example, when a patient needs hospital treatment while away from home on holiday. The hospital which provides health care to a patient may need to invoice the patient’s own integrated care board (ICB) for the treatment they received.

Before paying, the ICB will need to be sure that they are responsible for the patient and that the amount they are being needing to pay is correct. This process is known as invoice validation. For invoice validation to occur, a limited amount of information about the patient needs to be shared between the organisations concerned.

The use of your information for this purpose has been allowed under section 251 of the NHS Act 2006, for more information please visit the Health Research Authority website.

Risk stratification

Your GP uses your data to provide the best care they can for you. As part of this process your GP will use your sensitive personal data to undertake risk stratification, also known as case finding.

Risk stratification is a process that uses personal data from health care services to determine which people are at high risk of experiencing certain outcomes, such as unplanned hospital admissions.

Risk stratification tools can be useful in analysing the overall health of a population (known as risk stratification for commissioning) and for identifying which patients should be offered targeted preventative support to reduce those risks (known as risk stratification for case finding). These tools use a mix of limited historical information about patients (such as age, gender, diagnoses, and hospital attendance) as well as data collected in GP practices.

Your GP surgery uses the services of the DSCRO, NHS South, Central and West Commissioning Support Unit and Prescribing Services Ltd to identify those most in need of preventative or improved care. The ICB arranges this contract.

Neither the ICB nor the DSCRO will at any time have access to your personal or confidential data. They act on behalf of your GP to organise this service with appropriate contractual and security measures only.

The DSCRO will process your personal and confidential data without any staff being able to view the data. Typically, they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those patients who will benefit from clinical intervention. Processing takes place automatically and without human or manual handling. Data is taken from your GP computer system, automatically processed and only your GP can view the outcome, matching results against patients on their system.

The ICB have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be shared so it is not sent to the DSCRO for risk stratification purposes.

Your GP will provide information about any risk stratification programmes they are planning to use. The GPs can use their data to identity which of their patients would benefit from a certain preventative service. Risk stratification is a helpful tool to support GPs in identifying patients at risk.

The lawful basis to use this information for risk stratification has been allowed by section 251 NHS Act 2006 and is processed by the DSCRO or other approved providers only.

Information sharing with non-NHS organisations

Information may need to be shared for your benefit with non-NHS organisations, from which you are also receiving care. These organisations would include social services, out- of-hours-service, NHS 111, or other providers from whom services bought. Where information sharing with third parties is necessary, health information will not be disclosed without your explicit consent. However, there could be exceptional circumstances such as when the health or safety of others is at risk or to help resolving critical incidents. There could be a need to share information with the local authority and care providers to provide co-ordinated packages of care. This is very important when information is needed to facilitate patient discharge in the event of acute hospital bed shortage; or where the law requires it.

We may be asked by other organisations to share basic information about you, such as your name and address which does not include sensitive information. This would normally be to assist other organisations perform their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this privacy notice under the Data Protection Act (2018).

Non-NHS organisations may include (though there may be others):

  • education services
  • local authorities
  • police
  • voluntary and private sector providers

We will not share information about you for any reason unless:

  • you have consented for us to do so
  • where a formal court order has been served on us
  • to assist the police in the prevention and detection of crime
  • to protect children and vulnerable adults
  • we have special permission for health and research purposes (granted by the Health Research Authority)
  • for the health and safety of others, for example to report an infectious disease such as meningitis or measles

Patient rights

If the ICB is processing individual personal data, those individuals have the following rights to:

  • be informed
  • gain access
  • request rectification
  • request erasure
  • restrict processing
  • request data portability
  • object to processing
  • be informed about automated decision-making and profiling

These rights are set out in the Data Protection Act 2018, the Common Law Duty of Confidentiality and the NHS Constitution. For more information visit the Information Commissioners website

Your right to withhold consent to share your information is not absolute. In exceptional circumstances where you are unable to do this the ICB will always explain the reason and any sharing will be carried out in accordance with duties and responsibilities laid out within the Data Protection Act 2018.

When your request to withhold consent is respected please be aware this may adversely affect the care you currently receive or may receive in the future. Always consult your GP or relevant health professional before deciding to withhold consent to sharing your information, as they will be able to advise you on the possible outcomes of this decision.

The national data opt out

You can choose whether your confidential patient information is used for research and planning. Overview – Choose if data from your health records is shared for research and planning – NHS (

Patients have a right under the NHS Constitution to request that their personal confidential data is not used beyond their direct care and the national data opt-out provides an easy and accessible way for patients to exercise this right.

You do not need to do anything if you are happy about how your confidential patient information is used. You can change your choice at any time.

National data opt-outs are not recorded at the GP practice and instead you can change your national data opt-out using the link to the webpage above.

All health and care organisations in England are required to apply your national data opt-out by March 2020, including hospitals and GP practices.

Young adults from the age of thirteen can set and change their own national data opt-out.

The ICB, as a data controller, must take note and apply national data opt-outs whenever confidential patient information is shared either internally or outside the organisation. The national data opt-out does not apply to information that is anonymised or is aggregate or count type data.

How can you access your records?

Under the Data Protection Act 2018 (and for relatives of deceased patients, the Access to Health Records Act 1990), you have the right to receive copies of all personal information held about you. Each organisation has 30 days to provide the requested information. If the request is complex, the ICB can add a further two month extension and will inform the requester if this is the case.

Any requests made will be dealt with by the organisation to which you apply. You do not need to give a reason. If you want to access your records you should make a written request to (or contact by phone) the NHS organisation(s) where you are being or have been, treated or have been in contact with. You should also be aware that in certain circumstances your right to see details in your health records may be limited in your own interest or for other reasons.

For information held by the ICB please complete a subject access request.

The following websites may also provide useful information:

Facilities may be available to allow you to view parts of your health record via computer and whilst there is no charge for the first copy of your record, the ICB may be allowed to charge a reasonable amount for any further copies requested.

Caldicott guardian and senior information risk owner

The ICB have assigned a Caldicott guardian and senior information risk owner who have oversight of the handling of personal and confidential information within the ICB as well as offering support to the organisations we may buy services from.

The Caldicott guardian is a clinical director with responsibility for protecting the confidentiality of patient information and enabling appropriate information sharing. The senior information risk owner is the director accountable for information risk. These roles are supported by the head of information governance and the information governance sub-committee which meets regularly to discuss issues related to information governance. The sub-committee members are senior representatives from teams within the ICB and the committee is chaired by the deputy director of finance. The head of information governance also fulfils the data protection officer role for the organisation.

Contact details for the ICB Caldicott guardian, senior information risk owner and data protection officer can be seen at the end of this document.

Employee information

We collect information about individuals who work for us for the following purposes:

  • administration of prospective, current and past employees including self-employed, contract personnel, temporary staff or voluntary workers
  • recruitment and selection process
  • administration of non-ICB staff contracted to provide services on our behalf
  • planning and management of our workload or business activity
  • occupational health service
  • administration of agents or other intermediaries
  • payment or pensions administration
  • declarations of interest including gifts and hospitality received or refused
  • appraisal, sickness, grievance, disciplinary matters, staff disputes, employment tribunals
  • staff training and development
  • ensuring staff are supported in their roles
  • vetting checks and security purposes such as photo identity of staff
  • assessing our performance against equality objectives as set out by the Equality Act 2010
  • staff and workforce information is used for scenario modelling to support planning of future service provision

Members of staff can apply for a copy of the records the ICB hold about them by following the same processes outlined above in how you can get access to your records.

How long we will keep your information and how we will destroy information

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Records Management Code of Practice – NHS Transformation Directorate ( The retention schedules start on page 47.

When destroying personal data the ICB ensures that destruction of data meets guidelines set out within principle 5 (storage limitation) of the Data Protection Act 2018, the European Standard EN 15713 for paper copies and CESG standards for secure destructions of electronic data CESG – GOV.UK (

Managing conflicts of interest

The ICB manages conflicts of interest as part of day-to-day activities. Effective handling of conflicts of interest is crucial to give confidence to patients, taxpayers, healthcare providers and parliament that ICB commissioning decisions are robust, fair, transparent and offer value for money. It is essential to protect healthcare professionals and maintain public trust in the NHS. Failure to manage conflicts of interest could lead to legal challenge and even criminal action in the event of fraud, bribery and corruption.

Section 14O of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012) (the Act) sets out the minimum requirements of what both NHS England and CCGs must do in terms of managing conflicts of interest.

The ICB is required to publish its registers of interests detailing the declarations of all staff and others working with the ICB. There is a process for exempting publication of individual declarations in certain exceptional and approved circumstances.

Questions or concerns

If you have any questions or concerns about the information held about you or how it is processed by us, you can get in touch by post, e-mail or via online feedback forms.

Further information can also be obtained from the Data Protection Act 2018, the General Data Protection Regulations and the Information Commissioners Office. The following links may be useful:

Changes to this privacy notice

We keep our privacy notice under regular review. This notice was updated in June 2022.


You can write to or call us about our privacy notice.

Head of information governance
NHS Cornwall and Isles of Scilly Integrated Care Board
Part 25, Chy Trevail
Beacon Technology Park
Dunmere Road
PL31 2FR

Call us on 01726 627800

Page last reviewed: 20 May 2024

Text Size

Change font