Data Controller
NHS West Yorkshire Integrated Care Board
Purpose
Invoice validation is an important process in ensuring that organisations providing care are paid correctly for the care and treatment they have delivered to patients.
It may involve using identifiable information, (See “Type of Information used”) to ensure that the correct organisation is being charged for treatment. The identifiable information can also be used to check whether patient care has been funded through specialist commissioning, which NHS England will pay for.
There are situations where your personal information is needed to ensure that the correct service provider is paid.
All information that is collected, with identifiable information to validate invoices, is processed by North of England Commissioning Support (NECS) and is held within a secure, Controlled Environment for Finance (CEfF). NECS then provide the ICB with pseudonymised data for invoice validation.
NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect, report and investigate any incidents of where a breach of confidentiality has been made.
Lawful basis
The ICB’s legal basis for processing this personal data under the UK GDPR is Article 6(1) e exercise of official authority.
For special category data the basis is Article 9(2) h management of health or social care systems and services.
A section 251 approval (CAG 7-07(a)(c)/2013) from the Secretary of State, through the Health Research Authority’s Confidentiality Advisory Group enables the ICB to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.
Type of information used
Personal data: NHS number, Date of Birth, Postcode
Special category Data: Health information
Who we will share the information with (recipients)
This information is not shared outside of the ICB.
Do we use any processors
Liaison Financial.
North of England Commissioning Support Unit who operate the Controlled Environment for Finance.
NHS Shared Business Services - used by the Controlled Environment for Finance as a Data Processor.
How we collect (the source) and use the information
Organisations that provide treatment submit their invoices to us for payment. Our CEfF receives additional information, including your NHS Number, or occasionally date of birth and postcode, from the organisation that provided your treatment.
NHS England sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the CEfF and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.
The ICB does not receive any identifiable information for purposes of invoice validation; however we do receive aggregated reports to help us manage our finances.
How long we will keep the information
Invoices are retained for 6 years after the end of the financial year to which they relate.
Your Rights
With regards to Assuring Transformation under the UK GDPR you have the following rights:
- The right to be informed about the processing of your data (this notice)
- The right of access to the data held about you
- The right to have that information amended in the event that it is not accurate
- The right to restrict processing
- The right to object to processing
- Right not to be subjected to automated decision making and profiling
- To be notified of data breaches
For more information about these rights, please visit the Information Commissioner's Office website.