Wigan Borough Clinical Commissioning Group is the statutory body responsible for commissioning local health services in Ashton, Leigh and Wigan.

Contact us on 01942 482711 or public@wiganboroughccg.nhs.uk

Article Index

Secondary use of data

Secondary use of data in the NHS is when patient data is not used for direct care but for other secondary purposes such as commissioning, risk stratification, financial and national clinical audit, healthcare management and planning, research and public health surveillance.

Disclosure of anonymised, pseudonymised or aggregated data will often satisfy a number of secondary uses and must be used in preference to patient / personal confidential data. Consent for disclosure of effectively de-identified data is not required. De-identification / pseudonymisation processes must occur before data leaves the source organisation. If a request is for identifiable data and the source organisation feels that de-identified data would suffice clarification should be obtained as to why identifiable data is required other than, exceptionally, where mandated by law such as under a Section 251 approval as per the NHS Act 2006 (see section below) or patient consent is obtained. Patients have the right to dissent from the disclosure of their personal confidential data for secondary purposes unless the law compels disclosure.

Section 251 of the NHS Act 2006

Section 251 of the NHS Act 2006 provides a mechanism which can enable the use of confidential information for certain purposes where it is unreasonable for consent to be obtained or that would otherwise be unlawful (e.g. information from NHS Digital on Commissioning, Risk Stratification and Invoice Validation) through an application made to the Confidentiality Advisory Group (CAG).

The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority (HRA) and the Secretary of State for Health on whether an application to process patient information without consent should be approved.

The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006. This includes medical research and the management of health and social care services. Further information can be found on the Health Research Authority website – see the Links section below.

NHS Digital / Data Services for Commissioners Regional Office (DSCRO)

The law provides some NHS bodies, particularly NHS Digital, ways of collecting sensitive personal data directly from care providers for secondary purposes, such as evaluating care provided at population level.

NHS Digital is the national information and technology partner for the health and care system. The NHS Digital systems and information help doctors, nurses and other health care professionals improve efficiency and make care safer. We:

  • provide information and data to the health service so that it can plan effectively and monitor progress
  • create and maintain the technological infrastructure that keeps the health service running and links systems together to provide seamless care
  • develop information standards that improve the way different parts of the system communicate

They are able to disseminate data to commissioners under the Health and Social Care Act (2012). The act provides the powers for NHS Digital to collect, analyse and disseminate national data and statistical information. To access this data, organisations must submit an application and demonstrate that they meet the appropriate governance and security requirements which the CCG has completed.

NHS Digital, through its Data Services for Commissioners Regional Offices (DSCROs), is permitted to collect, hold and process Personal Confidential Data (PCD). This is for purposes beyond direct patient care (secondary use) to support NHS commissioning organisations and the commissioning functions within local authorities

Data regarding health care treatment can only be shared with commissioning organisations where a formal Data Sharing Framework Contract (DSFC) is in place alongside a Data Sharing Agreement (DSA).  These place a clear obligation on the receiving organisation to only use the supplied information for the agreed purposes. This data cannot be shared with others unless specified within the DSA.

Data may be linked by these special bodies so that it can be used to improve health care and development, and monitor NHS performance. In some cases there may also be a need to link local datasets, which could include a range of acute-based services such as radiology, physiotherapy and audiology, as well as mental health and community-based services such as IAPT, district nursing and podiatry.

There is a data sharing agreement with DSCRO & the following CCG’s to provide assurance regarding the security processes for pseudonymisation and for sharing such data as part of collaborative working with the following CCG’s in Greater Manchester.

  • NHS Bury Clinical Commissioning Group
  • NHS Oldham Clinical Commissioning Group
  • NHS Manchester Clinical Commissioning Group
  • NHS Stockport Clinical Commissioning Group
  • NHS Trafford Clinical Commissioning Group
  • NHS Tameside & Glossop Clinical Commissioning Group
  • NHS Heywood, Middleton & Rochdale Clinical Commissioning Group
  • NHS Salford Clinical Commissioning Group
  • NHS Bolton Clinical Commissioning Group

The dataset collected from secondary care providers, for example hospitals, by NHS Digital is referred to the Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital’s website: http://digital.nhs.uk/sus.

The following are the types of organisations NHS Digital receives data from, and then forwards on to our data processor in an anonymised format or a de-identified format with NHS Number in order to link and analyse the data. 

Where data is used for these statistical purposes, stringent measures are taken to ensure individuals cannot be identified.

Types of organisations and types of information we receive:

  • Acute Trusts – Hospitals - we receive anonymised acute data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.
  • Community trusts or community organisations - we receive anonymised community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units.  
  • Mental Health Trusts or Mental Health organisations - we receive anonymised mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge, referrals and next steps. 
  • Primary Care organisations, for example your local GP practice. We receive anonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information and follow-ups. 

We may also contract with other organisations to process this data. We ensure external data processors that support us are legally and contractually bound to operate this process. They have security arrangements to maintain confidentiality where data that could or does identify a person is processed. The external data processors we work with to do this is NHS Arden and GEM Commissioning Support Unit (CSU).

The types of secondary use processing we do in the CCG are:

Risk Stratification

Type of data

Pseudonymised / Anonymised / Aggregate Data

Source of Data

Primary Care, Secondary Care and Community Care

Legal basis for processing Personal Data and Special Category  of data under GDPR

Article 6 (1)(c) - Processing is necessary for compliance with a legal obligation

Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems

Section 251 NHS Act 2006

NHS England encourages CCG’s and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions. Knowledge of the risk profile of our population helps the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.

Risk stratification is a process which applies computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.  A GP / health professional at your GP Practice review this information before a decision is made.

There are two types of risk stratification:

  • Risk Stratification for case-finding identifies/ manages patients who are at high risk of emergency hospital admission or to reduce the risk of certain diseases developing. This is called Risk Stratification for case-finding.
  • Risk Stratification for Commissioning allows the CCG to understand the health needs of the local population in order to plan and commission the right services.

For risk stratification, there is a Section 251 approval in place which allows NHS Digital to receive personal confidential data.  They process this via DSCRO who then send pseudonymised data to the CCG. This is detailed in the flow chart below.

The CCG use a system / tool called the OpenPseudonymiser provided by Nottingham University in order to undertake anonymous / pseudonymised analysis.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Invoice Validation

Type of data

 Personal Data – demographics
 Pseudonymised – coded health care data

Source of Data

GP Practice and other care providers

Legal basis for processing Personal Data and Special Category  of data under GDPR

 Article 6 (1)(c) - Processing is necessary for compliance with a legal obligation

 Article 9(2)(h) - Processing is necessary for the purposes of  preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems

Section 251 NHS Act 2006, NHS Constitution (Health and Social Care Act 2012)

There may be times where one healthcare organisation will need to invoice another for treatment given to a patient. This can occur, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received.

Before paying the invoice, we will need to be sure that we, and not another CCG, are responsible for your treatment costs as well as checking to ensure that the amount you are being billed for is correct. A limited amount of information about you needs to be processed Information such as your NHS Number and details of treatment. This information may be passed on to enable the billing process to proceed. This process is known as invoice validation.

These details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes.

CCGs and NHS England, which includes Commissioning Support Units and Greater Manchester Shared Service, do not have a legal right to access personal confidential data (PCD) for the purpose of validating invoices. There is a section 251 approval in place for personal data to be used to validate invoices lawfully, without the need to obtain explicit consent from the individual patient at a local level. This data and the invoice validation process for WBCCG is undertaken by Greater Manchester Shared Service (GMSS) who are registered as a Controlled Environment for Finance (CEfF). This ensures that procedures and systems for managing invoices on behalf of the CCG are in line with national requirements as set out in the “Who Pays? – Determining responsibility for payments to providers” issued by NHS England (August 2013). 

NHS Shared Business Services – Finance and Accounting Services

Some provider invoices for patient care submitted to Clinical Commissioning Groups for payment are processed via NHS Shared Business Services. They provide support services for the NHS, providing finance and accounting solutions.   NHS SBS also use offshore service provider called Sopra Steria who are based in India.  Both NHS SBS and Sopra Steria have met the necessary information governance standards to process data overseas.

1000 characters left
Add files

Login Form