Privacy notice

Our Commitment to data privacy and confidentiality issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK GDPR/DPA 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. The various laws and rules about using and sharing confidential information, with which the ICB will comply, are available in “A guide to confidentiality in health and social care” which is published on the NHS Digital website. 

Hertfordshire and West Essex ICB is a Data Controller under the terms of the UK GDPR/DPA 2018 we are legally responsible for ensuring that whenever we collect, use, hold, obtain, record or share personal confidential data about you, we do it in compliance with UK GDPR/DPA 2018 Article 5 – Principles Relating to Processing of Personal Data. 

All data controllers must notify the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZB340513 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing. 

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. A limited number of authorised staff have access to information that identifies you, but only where it is appropriate to their role and strictly on a need-to-know basis. 

All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection Toolkit. As a new organisation we are required to have action plans in place in order to submit a baseline assessment in xxx and a toolkit submission by 30 June 2022. The individual requirements for which we will have to provide evidence for can be found here. Further information regarding Information Governance and the Data Security and Protection Toolkit  can be found in Further Definitions and Terms. 

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. All staff are trained to ensure they understand how to recognise and report an incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur. 

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice Care 2021. The ICB’s Records Management Policies include guidance around the secure destruction of information in line with the Code of Practice. 

The ICB has a Caldicott Guardian, who is a senior person responsible for protecting the confidentiality of a patient information and enabling appropriate information-sharing. Further information about the role of the Caldicott Guardian can be found in Further Definitions and Terms.

The Caldicott Guardian for Herts & West Essex ICB is Jane Kinniburgh, please see the Contact Us section below for contact details. 

The GDPR requires an organisation to appoint a data protection officer (DPO) if they are a public authority or body, or if you carry out certain types of processing activities.

DPOs assist organisations to monitor internal compliance, inform and advise on data protection obligations, and act as a contact point for data subjects and the supervisory authority. The DPO for the ICB is Michael Watson​​​​​​​.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.