Population Health Management – Privacy Notice

Under data protection law we must tell you about how we use your personal information. This includes the personal information that we share with other organisations and why we do so. Our main GP practice privacy notice is on our website. This additional privacy notice provides details about Population Health Management.

What is Population Health Management (PHM)?

This work is aimed at improving the health of both local and national populations.

It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.

Population Health Management requires health and social care organisations to work together with communities and partner agencies. The organisations will share de-identified information (where information about you has been removed) with each other in order to get a view of health and services for the population in a particular area.

Across Ipswich and East Suffolk and North East Essex a population health management programme has been introduced. The programme will combine this de-identified information from GP practices, community service providers, hospitals and other health and care providers to allow a comprehensive picture of health and care needs to be identified and services planned according to need.

How will my Personal Information be used?

The information needed for this Programme will include information about your health and social care.  Information about you and your care will be used in the programme, but in a format that does not directly identify you which we refer to within this privacy notice as pseudonymised.

The information will be used for a number of health and social care related activities such as:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

Your Personal information will be shared with?

Your GP will send the information they hold on their systems to the NHS North of England Commissioning Support Unit (NECS), who are part of NHS England.   NHS Digital who already holds information about other health and care attendances, will send the information they hold to NHS North of England Commissioning Support Unit (NECS).

NECS will make the GP data linkable with other local and national data sources to understand the population health more effectively. This process is called Pseudonymisation and any information that identifies you has been removed and replaced with a pseudonym (Unique Code).

The pseudonym will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information in order to offer this service to you.

The pseudonymised data will be sent to a company called Optum.  Optum have been commissioned by NHS England to provide specialist analysis of the data to support improvements to the local populations health and to target health and social care resources effectively.

Both NECS and Optum are required to protect your information and maintain confidentiality at all times.

What will happen to my Personal Information when the Project is Finished?

For the NHS England and Improvement/Optum programme, data will be processed only for the duration of the 20-week programme.  Once the 20-week programme has completed the information will be securely destroyed from Optum systems.

NECS working on behalf of the practice will retain the practice data as agreed for a maximum of 14 days to ensure that they successfully remove any identifiable data once this is accomplished the identifiable practice data will be securely destroyed. The remaining de-identified data will be used by analysts to provide health and social care statistics for PHM projects for the length of each project as agreed with the practice.

Our legal basis for sharing data

Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”. This includes caring for you directly as well as management of health services more generally.

Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in the majority of cases, anonymised data is used so that you cannot be identified.

Under data protection law, we can only share patient data if we have a legal basis under Articles 6 and 9 of the UK GDPR.

Our legal basis for sharing patient data is Article 6(1)(c) – legal obligation, as we are required under the Health and Social Care 2012 Act.

When we are sharing patient data about health we also need a legal basis under Article 9 of the UK GDPR.

Article 9(2)(h) – as we are sharing patient data for the purposes of providing care and managing health and social care systems and services. This is permitted under paragraph 2 of Schedule 1 of the DPA.

Article 9(2)(i) – as patient data will also be used for public health purposes. This is permitted under paragraphs 3 of Schedule 1 of the DPA.

Article 9(2)(j) – as patient data will also be used for the purposes of scientific research and for statistical purposes. This is permitted under paragraph 4 of Schedule 1 of the DPA.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

National Data Opt-out (opting out of NHS Digital sharing your data)

This applies to identifiable patient data about your health which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital with other organisations for purposes except your own care – either GP data, or other data it holds, such as hospital data – you can register a National Data Opt-out.

If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.

From 1 October 2021, the National Data Opt-out will also apply to any confidential patient information shared by the GP practice with other organisations for purposes except your individual care. It won’t apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for us to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.

You can find out more about and register a National Data Opt-out, or change your choice on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.