Data Controller

NHS West Yorkshire Integrated Care Board

Purpose

Invoice validation is an important process in ensuring that organisations providing care are paid correctly for the care and treatment they have delivered to patients.

It may involve using identifiable information, (See “Type of Information used”) to ensure that the correct organisation is being charged for treatment. The identifiable information can also be used to check whether patient care has been funded through specialist commissioning, which NHS England will pay for.

There are situations where your personal information is needed to ensure that the correct service provider is paid.

All information that is collected, with identifiable information to validate invoices, is processed by North of England Commissioning Support (NECS) and is held within a secure, Controlled Environment for Finance (CEfF). NECS then provide the ICB with pseudonymised data for invoice validation.

NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect, report and investigate any incidents of where a breach of confidentiality has been made.

Lawful basis

The ICB’s legal basis for processing this personal data under the UK GDPR is Article 6(1) e exercise of official authority.

For special category data the basis is Article 9(2) h management of health or social care systems and services.

A section 251 approval (CAG 7-07(a)(c)/2013) from the Secretary of State, through the Health Research Authority’s Confidentiality Advisory Group enables the ICB to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.

Type of information used

Personal data: NHS number, Date of Birth, Postcode

Special category Data: Health information

Who we will share the information with (recipients)

This information is not shared outside of the ICB.

Do we use any processors

North of England Commissioning Support Unit who operate the Controlled Environment for Finance.

NHS Shared Business Services - used by the Controlled Environment for Finance as a Data Processor.

How we collect (the source) and use the information

Organisations that provide treatment submit their invoices to us for payment. Our CEfF receives additional information, including your NHS Number, or occasionally date of birth and postcode, from the organisation that provided your treatment.

NHS Digital sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the CEfF and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.

The ICB does not receive any identifiable information for purposes of invoice validation; however we do receive aggregated reports to help us manage our finances.

How long we will keep the information

Invoices are retained for 6 years after the end of the financial year to which they relate.

Your Rights

With regards to invoice validation under the UK GDPR you have the following rights: