Cardiff and Vale – Population Health Management Programme Privacy Notice
This privacy notice explains how the partner organisations (acting as Joint Data Controllers) within the Population Health Management Programme (PHMP) will collect, use and protect personal data for the purpose of completing population health management analysis of data from all partner organisations to provide insights into population health needs.
The Joint Data Controllers for the purposes of the PHMP are:
- Cardiff and Vale University Health Board
- Cardiff Council
- All GP Practices in the Cardiff and Vale area
- Welsh Ambulance Service NHS Trust
All partner organisations have the status of ‘Joint Data Controller’, which means that they are responsible in law for the data that they process, and we are all party to a Joint Controllership Agreement that sets out how and why we process that information.
The PHMP will combine system data already held by the listed partner organisations to provide population health management outputs for an integrated health system.
Clinical outcomes will be analysed to develop revised pathways and planning, ensuring public authority budgets are spent where needed and on services for quality outcomes of patients by improving care pathways.
The analysis itself will be conducted on behalf of the partner organisations by a third-party data processor (Lightfoot Solutions). The data processor shall receive only pseudonymised data (data that ‘can no longer be attributed to a specific data subject without the use of additional information’). The data processor will be unable to reverse the pseudonymisation key, which will be retained securely by the partner organisations.
What is the legal basis for our use of your personal information?
The personal information we process is data already held by the listed partner organisations for the purposes of providing you with care or services.
The lawful bases we rely on for using your personal information are:
- GDPR Article 6 (e) we need it to perform a public task
As extra protection is provided for certain classes of information called ‘special category personal data’ such as health information, an additional lawful basis must be identified in order to process these classes of information, as outlined below:
- GDPR Article 9 (2) (h) Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems
Other applicable articles may include:
- GDPR Article 9(i) – processing is necessary for reason of public interest in the protection of public
Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – Health and social care purposes
Data Protection Act 2018 – Schedule 1, Part 1, (3) (a) – necessary for reasons of public interest in the area of public health
How we store your personal information
Your information is securely stored securely. We keep information only for as long as it is needed and when no longer needed it will be deleted / destroyed securely.
- The data processed for the purposes of the PHMP is data already held by the listed partner organisations for the purposes of providing you with care or services.
- Data will therefore be retained in accordance with existing organisational retention schedules relating to the initial processing purpose.
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
How to complain if you are unhappy about how your data is used
In addition to contacting your GP Practice, you can complain directly to:
By post: Data Protection Officer, County Hall, Room 357, Atlantic Wharf, Cardiff Bay, CF10 4UW
Cardiff & Vale University Health Board
By post: Cardiff and Vale University Health Board, Information Governance Department, Woodland House, Maes-y-Coed Road, Cardiff, CF14 4TT
Welsh Ambulance Services NHS Trust
By post: Data Protection Officer, Welsh Ambulance Services NHS Trust headquarters
Ty Elwy, Unit 7, Richard Davies Road, St Asaph Business Park, St Asaph, Denbighshire, LL17 0LJ
You also have the right to complain to the Information Commissioner’s Office using the following details:
By post: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0330 414 6421
Further advice and guidance from the ICO on this issue can be found on the ICO website.