NHS Birmingham and Solihull Privacy Policy – 1 July 2022

 This privacy policy explains how NHS Birmingham and Solihull uses and protects personal data.

How your personal information is used

Please click on the highlighted text within the notice below for links to further information. A glossary, which provides definitions for the terms used throughout this notice, can be found at the bottom of the page.

Data Controller: Birmingham and Solihull Integrated Care Board

Address: Wesleyan Building, Colmore Row, Birmingham, B4 6AR

Senior Information Risk Owner: Chief Information Officer (Primary Care)

Caldicott Guardian: Chief Medical Officer            

Data Protection Officer (DPO): Associate Director of Governance

DPO Contact Details: nhsbsolicb.ig@nhs.net

The ICB is responsible for planning, designing and paying for your NHS health services. We do this by ‘commissioning’ or buying health and care services including:

  • Out of Hours Primary Medical Services
  • Planned hospital care and unplanned care, such as A&E and Ambulance Services
  • Community Health Services e.g. Rehabilitation care,  Speech and Language Services, Continence Services, Wheelchair Services, Home Oxygen Services, (but not including Health visiting and Public Health)
  • General Practice Services including other Community Based Services provided by GP practices beyond the scope of the GP contract
  • Maternity and new-born services
  • Child Health (mental and physical)
  • Mental Health and learning disability services, including psychological therapies
  • NHS Continuing Healthcare

A list of General Practices within Birmingham and Solihull ICB can be found here. We manage the performance of services that we commission to make sure that they are safe, provide quality care and meet the needs of local people.

The purpose of this privacy policy is to inform you about the personal data we collect, what we do with it, how we look after it and who we might share it with. It helps us ensure that we are open and transparent about our uses of personal data and how they help us meet our commissioning duties. It covers information that we collect directly from you or collect from other individuals or organisations.  

The ICB is a ‘Data Controller’ as defined by General Data Protection Regulation and determines the purposes for which and the means by which personal data is processed. We have a duty to inform you how your information is used, the legal basis for using the information, who we share information with and how we keep it secure and confidential.

We need to use information about you in various forms and will only use the minimum amount of information necessary for that purpose. Where possible, we will use information that does not identify you. The ICB uses and processes several different types of information, click on the links below for more information:

  • Identifiable information - which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth, medical information.
  • Pseudonymised - Individual level information where individuals can be distinguished by using a coded reference, which does not reveal who the person is.
  • Anonymised data which is about you but from which you cannot be personally identified.
  • Aggregated - grouped information about individuals that has been combined to show general trends or values without identifying individuals.

This privacy policy refers to an organisation called NHS Digital, who are are the national provider of information, data and IT systems for commissioners (such as the ICB), analysts and clinicians in health and social care. NHS Digital provides information based on identifiable data passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information.

Our records may be held on paper or in a computer system.

Use of Anonymised Data 

We use anonymised data to plan health care services, including: 

  • Checking the quality and efficiency of the health services we commission;
  • Preparing performance reports on the services we commission;
  • Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients;
  • Reviewing the care being provided to make sure it is of the highest standard.

Use of Pseudonymised (De-identified) Information

We use de-identified information in our role as commissioner, including:

  • Commissioning - to plan, design, purchase and pay for the best possible care available for you; look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts; to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; to help us plan future services to ensure they continue to meet our local population needs.
  • Risk Stratification - to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the ICB in order to help us plan the most appropriate health services for our population.

Use of Personal and Sensitive (Identifiable) Information

The ICB commissions health services within Birmingham and Solihull and in most cases does not hold general medical records or confidential patient data. However, there are some exceptions, such as Continuing Healthcare data.  

There are some categories of personal data for which special safeguards are required by law, known as special category data. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics. There are also additional safeguards in respect of personal data relating to criminal convictions.

The following list provides information about the ICB’s uses of personal data, please click on the links for further information. This information includes details that we are required to provide by law, such as the type of information used and purpose, the legal basis for the collection and use of the information, how we collect and use the information required and any third parties with whom we may share the information.

We are committed to protecting your privacy and will only process personal data in accordance with the General Data Protection Regulation, the Data Protection Act 2018, the Common Law Duty of Confidentiality and NHS Professional Codes of Practice. In the circumstances where we are required to use personal identifiable information we will only do this if:

  • The information is necessary for your direct healthcare, or
  • We have received consent from you to use your information for a specific purpose, or
  • There is an overriding public interest in using the information:
    • In order to safeguard an individual,
    • To prevent a serious crime or in the case of Public Health or other emergencies, to protect the health and safety of others, or
  • There is law that allows or compels us to use or provide information, or
  • We have permission from the Secretary of State for Health and Social Care to use certain confidential patient identifiable information when it is necessary to support the services we provide.

Everyone working for the ICB has a legal and contractual duty to keep personal data about you confidential and are subject to confidentiality clauses included within their employment contract.

All personal data that we hold about you will be held securely and confidentially. The ICB uses technical and organisational controls to do this and are required on an annual basis to provide evidence of our data protection and information security policies and procedures via the Data Security and Protection Toolkit. Our staff, contractors and committee members receive appropriate and ongoing training to remind them of their data protection responsibilities.

Staff are trained to recognise and report possible Data Protection breaches and the ICB has procedures for investigating, managing and learning from breaches that occur. Your information will not be sent outside of either the United Kingdom or the European Economic Area (EEA), unless we have gained assurances that appropriate safeguards to protect personal data are in place. The ICB’s Data Protection Policies and Procedures can be found at the bottom of the Data Protection notice.

Sharing Information with Health and Care organisations

Whenever a new arrangement is made to share information externally, both with health and social care organisations or third party suppliers, we will ensure that a legal basis has been identified, using a tool called a Data Protection Impact Assessment, which will highlight any risks to your information and ensure they are resolved before any sharing takes place. If a new arrangement is made to share information or any existing arrangements are altered, this privacy policy will be updated to reflect those changes.

You have many rights in respect of your personal data and these are outlined below, accompanied by a link to the relevant section of the Information Commissioner’s Office website, which explains how and when these rights apply. These rights are:

If you would like to use any of these rights, please contact nhsbsolicb.ig@nhs.net.

In addition to these rights, the NHS introduced the National Data Opt-Out on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes across the NHS. Whilst it is not possible to ‘opt-out’ of uses of data necessary for the provision of direct care and treatment, you can opt-out of ICB uses of data that do not relate to direct care, such as Risk Stratification, via the National Data Opt-Out.

If you have any queries about the ICB’s use of personal data, please contact nhsbsolicb.ig@nhs.net

If you have any questions or complaints regarding the information we hold about you, or the use of your information, please contact:

NHS Birmingham and Solihull ICB

Senior Information Governance Manager

Floor 2

The Wesleyan

Colmore Row

Birmingham, B4 6AR


For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about the ICB’s handling of your personal data you can contact:

The Information CommissionerWycliffe HouseWater LaneWilmslowCheshire, SK9 5AF

Website : https://ico.org.uk/

Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals.

Anonymised - data which is about you but from which you cannot be personally identified.

Caldicott Guardian – a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.

Data Controller – natural or legal person, public body, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor – natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data Protection Act 2018 – UK legislation introduced in 2018 to enact the General Data Protection Regulation (GDPR) into UK law and to implement standards which the GDPR leaves to EU member states.

Data Protection Officer – Under the GDPR all public authorities must appoint a Data Protection Officer. The role of the DPO includes:

  • Monitor ICB compliance with the GDPR
  • Provide advice and assistance with regards to the completion of Data Protection Impact Assessments
  • Act as a contact point for the Information Commissioner’s Office (ICO), members of the public and ICB staff on matters relating to GDPR and the protection of personal information

General Data Protection Regulation (GDPR) – the main legislation on data protection binding all EU member states from May 2018. The UK has implemented the GDPR via the Data Protection Act 2018 and therefore the requirements of the GDPR still apply now that the UK has left the EU.

Identifiable - information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Primary Care - Primary care settings include GP Practices, pharmacists, dentists and some specialised services such as military health services.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymised - individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity.

Right of Access Requests – The right a data subject has from the controller for confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and further information about the processing.

Secondary Care - Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Senior Information Risk Owner (SIRO) – an executive or member of the Senior Management Board of an organisation with overall responsibility for information risk across the organisation.

Special Category (Sensitive) data - categories of personal data for which special safeguards are required by law. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.