Health Economics Unit: Privacy Policy
Effective Date: 9 September 2023
Introduction
At the Health Economics Unit (HEU), we are committed to safeguarding your privacy. This Privacy Policy outlines our commitment to protecting and respecting your personal information. Please read this policy to understand how we manage your data.
Our Data Protection Responsibilities
The HEU is a health economics and analytics organisation hosted by NHS England and is not a separate entity in its own right. Adhering to the highest data protection standards, we take our privacy responsibilities seriously, ensuring the professional, legal, and ethical management of personal data.
Services We Provide
HEU offers economic and analytical expertise to support the future of healthcare delivery. Our services include:
- Evaluating the effectiveness of interventions
- Comparing health benefits and costs of diverse options
- Matching capacity to demand
- Understanding local populations for improved health and well-being
For more information on our services, please see here.
Data Services for Commissioners Regional Offices
In line with the Health and Social Care Act 2012, commissioners (now Integrated Care Boards – ICBs) cannot directly manage identifiable personal and confidential information for commissioning purposes. To address this, the Health and Social Care Information Centre (HSCIC), now known as NHS Digital, collects and processes national health and social care data. HEU acts as a data processor, ensuring de-identified data is provided for our client organisation ICBs.
For further details about this service and the Data Services for Commissioners team, please see here.
Lawful Basis for Processing Your Personal Data
HEU processes data on behalf of client organisations, which act as data controllers. The legal basis for processing depends on these organisations. When HEU acts as a data controller, we may rely on the following legal bases:
- Article 6(1)(a): Consent from data subjects for specific purposes (rarely used).
- Article 6(1)(e): Processing necessary for the public interest or official authority.
- Article 9(2)(g): Processing necessary for substantial public interest (determined by Data Protection Act 2018).
- Article 9(2)(h): Processing necessary for preventive or occupational medicine, and for health or social care management.
We also adhere to the Common Law Duty of Confidentiality, ensuring personal information is not used without a legal basis.
How We Use and Share Your Information
We have stringent procedures for sharing personal information, involving documentation and oversight by a Caldicott Guardian. We do not share individuals’ identifiable information unless there is a defined legal basis or explicit consent. Any transfer of personal information to third countries is limited and involves safeguards.
We share anonymised statistical data with client organisations to enhance local services, aid commissioning decisions, and manage healthcare services.
How Your Information is Stored
Your personal data is stored securely, with strict access controls, encryption, and physical safeguards. All organisations accessing NHS patient data must meet the National Data Guardian’s data security standards.
How Long Your Information is Kept
We retain personal information in accordance with data protection laws and the NHS Records Management Code of Practice 2021. Information may be kept longer if there is a business requirement. For specific retention periods, please see here.
How the Wider NHS Uses Your Information
HEU, as part of NHS England, collaborates with other organisations to improve patient care. Patient data is collected during healthcare service use to ensure quality care, support research, prevent illness, monitor safety, and plan services. All uses of confidential patient information comply with legal requirements. Anonymised data is often used for research and planning.
You have the option to opt out of sharing your confidential patient information for purposes beyond individual care. For more information, visit www.nhs.uk/your-nhs-data-matters.
Your Information Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- Right to Be Informed
- Right of Access (Subject Access Request)
- Right of Rectification
- Right of Erasure (in specific circumstances)
- Right of Portability (in specific circumstances)
- Right to Object (in specific circumstances)
- Withdraw Consent (for processing based on consent)
We do not use automated decision-making or profiling at this time.
How to Request Your Information
To request your information (Subject Access Request), please contact us using the following details:
Email: heu.support@nhs.net
Postal Address: 10 South Colonnade, 7th Floor, Canary Wharf, London, E14 5EA.
Exercising Your Information Rights
Upon receiving your request, HEU will respond within one month, although extensions may apply in certain cases. Contact us through:
Email: heu.support@nhs.net
Postal Address: 10 South Colonnade, 7th Floor, Canary Wharf, London, E14 5EA.
For requests related to our client organisations, please refer to their Privacy Notices.
Concerns About Your Information
If you have concerns about how your personal information is being used, please visit our Help and Contact page for details. Our Data Protection Officer, Caldicott Guardian, and Senior Information Risk Owner are available to address your concerns.
You may also contact the Information Commissioner’s Office for independent advice on data protection and privacy issues. For further information visit the ICO website.
Review of Privacy Policy
We regularly review our privacy policy. Any updates will be posted on this webpage.
Last Updated: 9 September 2023