Executive Summary

A fair processing strategy is needed to support Chester le Street Health Limited in meeting the legal requirement for fair processing of personal and confidential information by organisations involved in commissioning and providing care in an extremely complex organisational and operational environment.

The use of patients’ data is a vital part of the delivery of care and commissioning process. Providing information to the public is integral to the provision of care and the commissioning cycle. It is also an important part of the overall engagement with a health economy of a commissioner as part of their public participation and involvement.

The strategy is also needed to ensure that both the company and staff are clear about their legal and professional obligations.


This document sets out the Chester le Street Health Limited Fair Processing Strategy for direct and indirect care uses of personal and confidential data.


Fair Processing describes the circumstances and communication for patients and the public required when personal and confidential data derived from the provision of health and social care services is used, linked and shared across the health economy. This may be direct or indirect care uses. [1]

This strategy is relevant for all those with responsibility for use of patient data and information governance in health and social care organisations. It is important that a consistent approach to fair processing is adopted to provide the necessary assurance to both the public and to bodies disclosing such data to others.

The scope of the Fair Processing Strategy covers

  • why a fair processing strategy is needed and the strategic context;
  • to do to meet fair processing requirements, including developing privacy notices, outlining the information that should be given to patients and what to do to disseminate the information;
  • the need to enable, support and inform clinicians to meet relevant legal and professional obligations.

The document also sets out the means of communicating the Strategy and its supporting material.


Intended end state on processing patient data for indirect uses

The intended end-state of how the restructured NHS will process patient data following the 2012 Health and Social Care Act and the outcome of the Caldicott Review [2] is based on

  • use of pseudonymised data wherever feasible to avoid the use of Personal Confidential Data (PCD) where this is not necessary; or
  • use of a controlled environment (eg Accredited Safe Haven (ASH)) and weakly pseudonymised data (ie a single pseudonym or identifier such as NHS Number or postcode) where fully pseudonymised data cannot be used but using weakly pseudonymised data is feasible; or
  • consent for the activities that require Personal Confidential Data (PCD) and consent is feasible; or
  • use of the Section 251 regulations through the Confidentiality Advisory Group (CAG) to set aside the Common Law of Confidence (CLC), where pseudonymised data, ASH arrangements or consent are not feasible routes and the use of personal confidential data can be justified eg in Research.

Therefore data may be legitimately obtained and held for a range of purposes and in a variety of forms. The Data Protection Act requires the holders of the data to be clear to relevant data subjects how their data will be used.

Use of personal data

NHS and social care organisations utilise personal data in various aspects of their operations. It is a requirement of the Data Protection Act 1998 [3] that such data is processed on a fair basis and that data subjects are duly informed about such uses. It is necessary therefore to provide ‘privacy notices’ to deliver explanations to individuals when information is collected about them – in effect stating ‘how we use your data’. Thus, fair processing describes best practice communications to ensure that patients know how these organisations are using their data and to ensure data from these organisations can be legally processed by fulfilling their fair processing obligations.

The use of personal data in health and social care can be grouped in two main ways:

  • the primary use is for the provision of direct care and care services
  • the second use is for indirect care purposes care services. that is for uses other than for direct care and care services

Direct Care

The primary use is for provision of direct care and care services. Data are collected from patients and shared between regulated professionals (whether in the same or different organisations) to enable the provision of care. Relevant data are stored and processed in computer systems within care providers, such as general practices and hospitals and within community services.

The sharing of data between regulated professionals and their organisations is implicit in the process of provision of care. Fair processing requires that such sharing is explicit to the patient and is understood by the patient. This is especially so when there are changes to the delivery of services, for example where services are to be outsourced to a new provider, the use of independent sector providers or for potential sharing with social care for integrated care.

Where such changes are to be made, there is a need to update fair processing leaflets and to actively communicate these proposed changes well in advance of implementation. Information about how to raise concerns will also be required and consideration given to patient objections.

Indirect Care

The second use is for indirect care purposes, which is to support

  • the commissioning of the provision of services, organisation of services,
  • the management of funding and resources
  • monitoring the effectiveness and provision of services.

Relevant data are derived from the data collected in the provision of direct care. Such data are stored and processed within commissioning organisations, such as CCGs and NHS England, and any contracted data processing organisations.

Fair Processing Strategy


The Fair Processing Strategy is intended to enable, through a variety of communications channels and mechanisms,

  • informing health and social care organisations of how data relating to patients and service users may be collected, processed and used, together with their responsibilities for utilising privacy notices
  • reminding organisations that are data controllers that they need to check that they do indeed process personal data fairly within the meaning of the Data Protection Act
  • outlining the ways in which privacy notices should be developed and utilised
  • informing clinicians and professional staff of how the data from patients and service users may be used and their obligations with that data
  • informing patients and service users of how the data they provide to health and social care organisations is collected, protected and used both in general and specifically, as well as providing information about who they should contact if they want to complain or know more.

Information should be made available to patients and service users initially giving basic privacy information at a high level, with directions or links to more detailed information for those that wish to follow this up. The more detailed information will also need to cover the specific uses referred to in the last bullet point above. The specific uses relate to the various major domains, such as research, commissioning and risk stratification, for which additional detail about the use and management of relevant data will need to be provided.

Privacy Notices

The ICO’s Privacy Notice Code of Practice  [4]states that privacy notices

“should tell people who you are, what you are going to do with their information and who it will be shared with”.

It can also tell people more than this. For example, it might provide information about people’s rights of access to their data or local arrangements for keeping their data secure. A privacy notice should be genuinely informative making an organisation more transparent about how they are using data.

It is necessary for organisations to provide and draw patients and service user’s attention to their privacy notices.

Communications mechanisms

The privacy notices and other communications that support a Fair Processing Strategy have a number of difference audiences including patients, service users, carers, clinicians, professional staff and the public.

Implementation of the communication elements may require some or all of the following (depending on local discussion/agreement)

  • simple high level messages/strap lines about data sharing across health and social care
  • separate views for the different audiences,
  • simple structures to enable and support easy navigation by use/purpose or user type, including the ability to drill through to greater detail.
  • a master or reference site of updated content to provide relevant and necessary information in order to meet the NHS’s legal obligations
  • documentation of who has responsibility for maintaining the Fair Processing ‘technical content’,

The detailed information for patients and public needs to include

  • the uses of their data,
  • the related purpose of the uses
  • the forms in which the data will be used
  • who the users will be
  • how their data will be protected.

Topics on which specific Fair Processing statements will be required include

  • Invoice Validation, for example by providers (when they are required to invoice) and by commissioners (why they are required to validate invoices); ensuring patients are aware of how confidential data are processed for invoice validation
  • Risk Stratification – population scoring
  • Risk stratification – case finding
  • Research
  • National statistics
  • Data linkage and analysis


Annex 1 - The Fair Processing Strategy – uses of data (taken from the NHSE Fair Processing Strategy)


Rationale and benefits

The reasons health and social care organisations, both locally and nationally, need to use data about the services provided to patients and service users and their outcomes include

  • enabling the organisations to monitor how well they are doing in of providing the services and the quality of the services
  • enabling health and social care services to be planned
  • comparing care received in one area with another to determine what has worked best.
  • supporting ethically approved research
  • making sure the NHS receives the correct payments for the
  • determining where improvements may be needed to deliver highest quality care.

Examples of benefits arising include:

  • finding more effective ways of preventing, treating and managing illnesses;
  • guiding local decisions about the changes that are needed to respond to the needs of local patients;
  • supporting public health by anticipating risks of particular diseases and conditions, and help us to take action to prevent problems;
  • improving the public’s understanding of the outcomes of care, giving them confidence in health and social care services;
  • guiding decisions about how to manage NHS resources so that they can best support the treatment and care of all patients;
  • supporting patients that are most at risk or would most benefit from a particular treatment;
  • helping researchers by supporting studies that identify patterns in diseases, responses to different treatments and potential solutions.

These are the sorts of reasons and benefits that should be included in general and specific privacy notices.

Sharing and linking data

NHS patients and social care service users may receive care and treatments from a number of different places such as their GP, hospital or community service. It is necessary to link this information together to provide the full picture needed to support the activities listed above. In effect, sharing information enables the NHS to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Protecting data

Information about individual people, such as their postcode and NHS number, rather than their name, are used to link their records, in a secure system. This enables the identities of individuals to be protected. Information, which does not reveal who the individuals are, can then be used by others, such as those planning NHS services and approved researchers to support the provision of care.


The Data Protection Act requires that health and social care organisations only share the minimum amount of information they need to understand what is happening and how to improve services.


The NHS may release information to approved researchers and some third party organisations, where this is allowed, under the strict rules in place to protect individual’s privacy. The NHS and social care organisations are required to use information in line with the law, national guidance and best practice and will never identify a particular person in any published reports.


Individual Choice

The NHS has committed to provide the right for individuals to prevent confidential information from being shared or used for any purpose other than supporting the provision of direct care, except in special circumstances. If an individual does not want information to be shared outside their GP practice, this can be added to their medical record. This will prevent their confidential information being used other than where necessary by law, (for example, if there is a public health emergency).

It will also be possible to restrict the use of information held by other places where care is provided, such as hospitals and community services. Again, this can be achieved through the individual’s GP.

It is important to note that this is different to sharing decisions made, for example in relation to sharing medical record information in support of treatment.

The choice not to share information for indirect care purposes will not affect the care provided.

Specific uses of data - commissioning

There are a range of functions in the commissioning role that leads to a variety of uses of information about individuals. These different purposes will lead to the need to identify these purposes and uses in relevant privacy notices. An overview is given below.

For commissioning services that pertain to direct care or commissioned as individual packages of care (this includes Specialist Commissioning, Prisons, Military, Long Term Conditions and Requests for Individual Funding) – the NHS already has a set process for fair processing notices, generic patient leaflet and standard wording for the consent form.

For commissioning purposes there is a need to explain to patients how their data will be used to support health care management and administration, and how they can object (dissent). To support this, there is the need to cover each of the scenarios where use of person level data occurs, namely

  • Financial purposes - to ensure that that providers are billing appropriately for the care received and that they to the correct commissioner, such as if someone is on holiday and needs emergency treatment.
  • determining risk profiles of the registered population to identify patients that would benefit from proactive intervention.
  • Case management - where the NHS will offer intervention and patients should then not only consent to be included, but also allow their data to be shared across health and social care or multiple partners. Thus for integrated care there is the need for a standard for fair processing notices, individual patient information about the integrated care programme, what happens to their data if they agree or disagree.
  • specific types of commissioning on an individual person basis, where consent to commission and use of the data are the norm.

[1] The Caldicott Review 2013 defined indirect care as ‘activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.’

[2] see

[3] see

[4] see