We obtain, record, share and use your information as part of CNWL’s responsibility to provide your medical care. This includes:
- Healthcare provision/Clinical Audits
- Social care
- Management of our care record systems
- Maintaining and improving health services.
Our healthcare professionals and employees are under an obligation to maintain professional secrecy and are required to maintain confidentiality as part of their employment contract. Everyone working for CNWL is subject to the common law duty of confidentiality.
Protection of life and vital interests
CNWL may use your information to protect your or someone else’s life when this is absolutely necessary.
Sometimes we are required by law to pass on certain information about you. Legal obligations to share information include:
- Notifying officials of infectious diseases which present significant risk to human health and the wider public under the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010
- Where a court orders us to share your information
- When it’s required by us or others to detect, investigate or prevent serious crime.
- Assisting third parties with regulatory responsibilities such as the Care Quality Commission and Information Commissioner’s Office.
National Fraud Initiative (NFI)
We are required by law to protect the public funds we administer. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. Please see this guidance.
The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR). For further information on the reasons why it matches particular information, see this guidance.
For further information on data matching at the Central and West London NHS Foundation Trust please contact Kate Harrington Stillwell, Local Counter Fraud Specialist, by emailing firstname.lastname@example.org. You can also find further information on how the NFI has assisted the NHS and other public sector organisations.
CNWL is a research organisation. The Trust processes personal information for research purposes under the public interest.
Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (‘data minimisation’) and ensuring the data cannot be linked to you (‘anonymising’ or ‘pseudonymising’ the information).
Confidential patient information provides numerous benefits. It is used in research to find cures and better treatments for diseases like diabetes and cancer.
The national data opt-out (see below) is a new service that allows people to opt out of their confidential patient information being used for research and planning.
You can opt-out on the NHS website.
National Data Opt-Out
In line with the recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for the health and social care system on 25 May 2018. This is to give patients and the public more control over how their confidential patient information is used for research and planning purposes.
What is the National Data Opt-Out?
It is a service that enables the public to opt out of their confidential patient information being used for purposes beyond their individual care and treatment – specifically research and planning. The public can change their national data opt-out choice at any time.
Who needs to comply with the National Data Opt-Out Policy?
The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority. It does not apply to data related to private patients at private providers.
In summary, the national data opt-out applies to:
- all NHS organisations (including private patients treated within such organisations),
- all Local Authorities providing publicly funded care,
- adult social care providers where the care provided is funded or arranged by a public body, and
- private or charitable healthcare providers providing NHS funded treatment or arranged care.
Which data disclosures do national data opt-outs apply to?
National data opt-outs apply to a disclosure when an organisation, e.g. a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.
Put simply, national data opt-outs apply in cases where the approval is subject to the Confidentiality Advisory Group (CAG) ‘standard condition’ that ‘the wishes of patients who have withheld or withdrawn their consent are respected’ (e.g. their opt-out).
The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.
In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, e.g. research body, without being in breach of the common law duty of confidentiality.
National data opt-outs do not apply where:
- information being disclosed is anonymised in accordance with the Information Commissioner’s Office’s anonymisation code of practice,
- the individual has given their consent for their information to be used for a particular purpose, e.g. a specific research study,
- there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the ‘public interest test’, and
- there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.
In the scenarios above, section 251 approvals would not have been sought.
What will CNWL do?
The Trust will put processes in place to assess any current or future uses of confidential patient information prior to disclosure, and to consider and apply national data opt-outs where necessary, in accordance with the national data opt-out operational policy. These will be included in Trust policies and procedures and disseminated to staff. The Trust will also update its patients’ privacy notice with a national data opt-out compliance statement.