Data Controller
NHS West Yorkshire Integrated Care Board
Purpose
Invoice validation is an important process in ensuring that organisations providing care are paid correctly for the care and treatment they have delivered to patients.
It may involve using identifiable information, (See “Type of Information used”) to ensure that the correct organisation is being charged for treatment. The identifiable information can also be used to check whether patient care has been funded through specialist commissioning, which NHS England will pay for.
There are situations where your personal information is needed to ensure that the correct service provider is paid.
All information that is collected, with identifiable information to validate invoices, is processed by North of England Commissioning Support (NECS) and is held within a secure, Controlled Environment for Finance (CEfF). NECS then provide the ICB with pseudonymised data for invoice validation.
NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect, report and investigate any incidents of where a breach of confidentiality has been made.
Lawful basis
The ICB’s legal basis for processing this personal data under the UK GDPR is Article 6(1) e - processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller
For special category data the basis is Article 9(2) h processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services
A section 251 approval (CAG 7-07(a)(c)/2013) from the Secretary of State, through the Health Research Authority’s Confidentiality Advisory Group enables the ICB to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.
Type of information used
Personal data: NHS number, Date of Birth, Postcode
Special category Data: Health information
Who we will share the information with (recipients)
This information is not shared outside of the ICB.
Do we use any processors
Liaison Financial.
North of England Commissioning Support Unit who operate the Controlled Environment for Finance.
NHS Shared Business Services - used by the Controlled Environment for Finance as a Data Processor.
How we collect (the source) and use the information
Organisations that provide treatment submit their invoices to us for payment. Our CEfF receives additional information, including your NHS Number, or occasionally date of birth and postcode, from the organisation that provided your treatment.
NHS England sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated, ensuring that any discrepancies are investigated and resolved between the CEfF and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.
The ICB does not receive any identifiable information for purposes of invoice validation; however, we do receive aggregated reports to help us manage our finances.
How long we will keep the information
Invoices are retained for 6 years after the end of the financial year to which they relate.
Your rights
Under the UK General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activities as certain rights are not available depending on the lawful basis for the processing.
If you require further detail each link below will take you to the Information Commissioner’s Office website where further detail is provided in the section ‘When does the right apply’.
These rights are:
- The right to be informed about the processing of your data
- The right of access to the data held about you
- The right to have that information amended in the event that it is not accurate
- The right to have the information deleted
- The right to restrict processing
- The right to have your data transferred to another organisation (data portability)
- The right to object to processing
- Rights in relation to automated decision making and profiling
Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.
If you have an enquiry in relation to your data protection rights please contact wyicb.