Data Controller

NHS West Yorkshire Integrated Care Board

Purpose

Invoice validation is an important process in ensuring that organisations providing care are paid correctly for the care and treatment they have delivered to patients.

It may involve using identifiable information, (See “Type of Information used”) to ensure that the correct organisation is being charged for treatment. The identifiable information can also be used to check whether patient care has been funded through specialist commissioning, which NHS England will pay for.

There are situations where your personal information is needed to ensure that the correct service provider is paid.

All information that is collected, with identifiable information to validate invoices, is processed by North of England Commissioning Support (NECS) and is held within a secure, Controlled Environment for Finance (CEfF). NECS then provide the ICB with pseudonymised data for invoice validation.

NHS England has published guidance on how invoices must be processed and Commissioners have a duty to detect, report and investigate any incidents of where a breach of confidentiality has been made.

Lawful basis

The ICB’s legal basis for processing this personal data under the UK GDPR is Article 6(1) e  - processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller

For special category data the basis is Article 9(2) h  processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services

A section 251 approval (CAG 7-07(a)(c)/2013) from the Secretary of State, through the Health Research Authority’s Confidentiality Advisory Group enables the ICB to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.

Type of information used

Personal data: NHS number, Date of Birth, Postcode

Special category Data: Health information

Who we will share the information with (recipients)

This information is not shared outside of the ICB.

Do we use any processors

Liaison Financial.

North of England Commissioning Support Unit who operate the Controlled Environment for Finance.

NHS Shared Business Services - used by the Controlled Environment for Finance as a Data Processor.

How we collect (the source) and use the information

Organisations that provide treatment submit their invoices to us for payment. Our CEfF receives additional information, including your NHS Number, or occasionally date of birth and postcode, from the organisation that provided your treatment.

NHS England sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated, ensuring that any discrepancies are investigated and resolved between the CEfF and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.

The ICB does not receive any identifiable information for purposes of invoice validation; however, we do receive aggregated reports to help us manage our finances.

How long we will keep the information

Invoices are retained for 6 years after the end of the financial year to which they relate.

Your rights

Under the UK General Data Protection Regulation all individuals have certain rights in relation to the information which the ICB holds about them. Not all rights apply equally to all our processing activities as certain rights are not available depending on the lawful basis for the processing.

If you require further detail each link below will take you to the Information Commissioner’s Office website where further detail is provided in the section ‘When does the right apply’.

These rights are:

Under the NHS Constitution you have the right to privacy and to expect the NHS to keep your information confidential and secure.

If you have an enquiry in relation to your data protection rights please contact wyicb.foi@nhs.net