Staff information

The ICB, as an NHS Employer, need to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid, that the ICB complies with employment law and to provide other services related to staff employment.

Sharing information

There are certain circumstances where we may be legally required to share your information, this includes information requested under a court order, information requested for safeguarding purposes, information requested for the prevention or detection of crime and for the notification of infectious diseases.

If we are asked to share information with a non-NHS organisation and the purpose does not directly relate to your care, we will always ask for your agreement prior to any information being shared. If you choose not to agree to this when asked, we will record your decision to ensure that we do not share your information with that organisation.

If information is shared, we will only share the minimum amount of information necessary for them to provide the service or comply with their legal duty and only where pseudonymised / anonymised data cannot be used.

We will also, in the course of our business, work with third party suppliers who process information on our behalf. The ICB will work with partner organisations to ensure that appropriate data processing agreements and contracts are in place, setting out the security standards and legal obligations required to protect your information.

Data Privacy and confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK General Data Protection Regulation, the Common Law Duty of Confidentiality, Professional Codes of Practice and the Human Rights Act 1998.

In the circumstances where we are required to use personal identifiable information we will only do this if:

  • The information is necessary for your direct healthcare, or
  • We have received explicit consent from you to use your information for a specific purpose, or
  • There is an overriding public interest in using the information:
  • In order to safeguard an individual,
  • To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
  • There is a legal requirement that allows or compels us to use or provide information (e.g. a formal court order or legislation), or
  • We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary for our work.

Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this.

Our staff, contractors and committee members receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

The ICB maintains a set of regularly updated policies and procedures covering all aspects of information governance.

How we keep your personal information safe

We have a legal duty to protect any personal information we collect from you. We use cyber security technology and encryption software to protect your information and keep strict security standards to prevent any unauthorised access to it.

We take steps to make sure that the information we hold about you is secure – such as storing information in secure locations, only allowing information to be accessed by authorised personnel, using encryption on laptops and mobile phones and making sure information is sent safely and securely.

Your rights

Under the UK General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activities as certain rights are not available depending on the lawful basis for the processing.

Examples of where some rights may not apply – where our lawful basis is:

  • Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – then rights of erasure, portability do not apply.
  • Legal Obligation – then rights of erasure, portability, objection, automated decision making, and profiling do not apply.

If you require further detail each link below will take you to the Information Commissioner’s Office website where further detail is provided in section ‘When does the right apply’.

These rights are:

Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

National Data Opt-Out

The national opt-out allows people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found here:

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your information to be used in this way, visit If you do choose to opt out you can still consent to your information being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time. The ICB is currently compliant with the national data opt-out requirements.

How long will we keep your information

All records are retained in line with the ICB Retention and Disposal Schedules and the Records Management Code of Practice 2021 – see link: Code of Practice.



Information which is about you but from which you cannot be personally identified.


Grouped information about individuals that has been combined to show general trends or values without identifying individuals

Caldicott Guardian

A senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.


The consent of the ‘data subject' means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

Data Controller

Data Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processor

Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Data Protection Officer

The Data Protection Officer (DPO) is responsible for the provision of advice on data protection compliance obligations, data protection impact assessment and monitoring of data protection compliance which includes conducting assurance audits.

Data Subject

An identified or identifiable ‘living individual’ whose personal data is processed by a controller or processor. Otherwise known within data protection legislation as a ‘natural person’.


The process of transforming information (referred to as plain text) using an algorithm (called ‘cipher’) to make it unreadable to anyone except those possessing the encryption ‘key’.

Health Record

Information relating to the physical or mental health or condition of an individual and has been made by or on behalf of a health professional in connection with the care of that individual.


Information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Personal Data

Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, including (but not limited to);

  • Name
  • Date of Birth
  • Post Code
  • Address
  • National Insurance Number
  • Photographs, digital images etc.
  • NHS or Hospital/Practice Number
  • Location data

Personal data that has been pseudonymised e.g. key coded, can fall within the scope of data protection legislation depending on how difficult it is to attribute the pseudonym to a particular individual.


Processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Information relating to individuals which is distinguished by using a coded reference, which does not reveal their ‘real world’ identity.


Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business (the ISO standard, ISO 15489-1:2016 Information and documentation - records management).

Records Management

The process by which an organisation manages all the aspects of records whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal.

Senior Information Risk Owner (SIRO)

The SIRO is a senior officer of the ICB. The SIRO acts as an advocate for information risk across the ICB and leads and implements the information risk assessment programme.

Special Category Data

Special Category Data (or sensitive personal data) are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Subject Access Right

Entitles the data subject to have access to and information about the personal data that a controller has concerning them.  Also known as the Right of Access.