Privacy notice

Definitions of terms used within this notice

GDPR/Data Protection Act 2018 (DPA) 

The Act of Parliament which regulates the processing of information relating to living individuals, including the collecting, holding, use, and sharing (disclosure) of such information. Herts & West Essex ICB as a Data Controller is required to ensure the principles of UK GDPR/DPA 2018 are adhered to, ensuring we are legally compliant in the way we collect and use your information. 

Data Controller

A person (individual or organisation) who determines the purposes for which and the manner in which your identifiable information will be collected and used. Data Controllers must ensure that any collection and use of identifiable information complies with the principles of the UK GDPR/Data Protection Act 2018. For health and social care organisations the Data Controller will be the organisation holding your information. Providing a complete, factually correct and easy-to-read Privacy Notice is just one of the requirements of a Data Controller. Herts & West Essex ICB is the Data Controller unless otherwise stated in this Privacy Notice. 

Data Processor

Any person (other than an employee of the Data Controller) who processes data on behalf of the Data Controller. The Information Commissioner, who is statutorily responsible for ensuring organisations comply with the Act, recommends that organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing with a written contract in place. There is further information detailing the use of data processors in the section informing you of the details of information collected and used for specific purposes 


Consent describes the informed agreement for something to happen after consideration by you. For consent to be legally valid, you must be informed, must have the capacity to make the decision in question and must give consent voluntarily. In the context of consent to share information, this means you should know and understand how your information is to be used and shared (there should be ‘no surprises’) and you should understand the implications of your decision. 

Explicit Consent

Explicit consent is unmistakeable. It must be given in writing or verbally, or conveyed through another form of communication such as signing. You may have the capacity to give consent even though you may not be able to write or speak. It may also be required for a use other that than for which the information was originally collected, or when sharing is not related to your direct health and social care. 

Personal Data

Data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of the ICB (for example, name, address, date of birth, NHS Number)

Sensitive Personal Data (in the context of the NHS)

Data consisting of information as to an individual’s physical or mental health or condition

Pseudonymised Data

Pseudonymisation is a technical process that replaces identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data

Anonymised Data

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.

Aggregated Data

The consolidation of data relating to multiple individuals, and therefore the data cannot be traced back to a specific individual.

Anonymised Patient Level Data

Activity level data which has had identifiers removed so as to render it anonymous.

Primary Care Data

Primary care refers to the work of health professionals who act as a first point of contact for patients such as GP’s and pharmacists, primary care data is therefore data collected within GP Practices, dental practices, community pharmacies and high street optometrists.

Secondary Care Data

Secondary care is the health care provided by specialists who generally do not have first contact with patients, it includes hospital care, community care and mental health care, secondary care data is therefore data collected by hospital, mental health and community services.