Fair Processing for Risk Stratification Checklist

Question Description and Tasks Y/N Done Action
Q1. Does the GP Practice publish a fair processing notice to explain to patients how their personal data is used? Yes Go to Q2
No Allocate responsibility for designing a fair processing notice and communications strategy and implement an action plan.
Q2. Does the Practice’s fair processing notice include both:

– Our identity – who we are, what we do
– The reasons why we collect and use personal data?

Yes Go to Q3
No These are the basic legal requirements of a fair processing notice. The notice should also contain any extra information to ensure patients are adequately informed and the Practice can process data fairly.
Q3. Has the Practice adequately considered what extra information is necessary to include in our fair processing notice? Yes Go to Q4
No Put yourself in the patient’s position and identify the purpose for using their personal data and their respective choices to determine what you need to tell them to ensure the processing is fair. Consider involving the Patient Participation Group for advice and support.
Q4. Does the fair processing notice include clear information about our risk stratification programme? Yes Go to Q5
No People have a legal right to know how their personal data is being used and it is particularly important to tell them when that use is not obvious and involves sensitive data. Processing will be unfair and therefore unlawful if people have not been provided with adequate fair processing information.
Q5. Has the Practice explained risk stratification in such a way that our patients understand:
– What risk stratification is
– Risk stratification for case finding; and
– Risk stratification for commissioning
– Data is matched from other sources and where it comes from
– The CCG’s role
– Who does risk stratification
Yes Go to Q6
No Risk stratification is not considered to be a “direct care” purpose although it may lead to interventional care being offered. Neither is it a purpose that will be obvious to patients. It is therefore important to explain it in terms that a patient will understand. It is also important to explain the steps you take to ensure their confidentiality is protected.
Q6. Have we explained their NHS Constitution rights to opt-out, including:
– Patients’ opt-out choices
– What a decision to opt out means to patient care
– What the Practice will do to uphold a patient’s decision to opt-out
– The circumstances where patient choice could be overridden
Yes Go to Q7
No Opt-out choices are complex and it is important to ensure that where people do have a choice they are provided with enough information to make an informed decision, including the consequences of that decision, and that they are given a genuine opportunity to exercise this right. In particular, opting-out should not impact on the provision of care.
Q7. Has the Practice adequately explained what section 251 is and how it provides the lawful basis to use personal data for risk stratification purposes? Yes Go to Q8
No If you are relying on NHS Act 2006 Section 251 Regulations to use personal data, then you have a legal duty to inform patients. This does not affect their right to object.
Q8. Is the fair processing notice clear and understandable and free from technical and legalistic terms? Yes Go to Q9
No Keep it simple – avoid using complicated terms and unexplained abbreviations. It needs to be understood by the people that it is aimed at.
Q9. Has the fair processing notice been tested with the Patient Participation Group for clarity, completeness and understanding? Yes Go to Q10
No It is good practice to ask for patient representatives to assist and provide advice on the development of the fair processing notice to ensure it is understood and meets the needs of the audience it is intended for.
Q10. Can the fair processing notice be produced to meet equality and diversity needs? Yes Go to Q11
No Contact the CCG (or your equality and diversity advisory service provider) for further advice.
Q11. Has the information been organised into sections to make it more user friendly? Yes Go to Q12
No Layering information to provide a basic high-level summary with links to further detailed information is recommended. This encourages reading, makes the information easier to digest and enables people to learn more if needed.
Q12. Is the fair processing information actively communicated by:

– Providing a leaflet?
– Including a leaflet with correspondence?
– Issuing it to support verbal explanations?
– Including it in newsletters?
– Publishing it on our website?
– Putting posters and leaflets in public areas?
– Asking patients if they have seen it?

Yes Go to Q13
No Privacy notices must be actively communicated when:
– The Practice is using sensitive information
– The intended use is likely to be unexpected or objectionable; and
– The information is shared with another organisation in an unexpected way.
“Actively communicate” means taking positive action and making full use of all opportunities and the technology available to communicate it.
Q13. Have we engaged with the CCG’s wider local communications process? Yes Go to Q14
No It is advisable for local health communities to work in collaboration and adopt a consistent approach to fair processing notices to avoid confusion and conflicting advice. The CCG or CSU’s Communications team can provide advice and help to coordinate the approach.
Q14. Is the fair processing notice reviewed for:

– Effectiveness – are patients reading it?
– Updates – new or changed purposes?

Yes Go to Q15
No Lack of patient response may indicate the need to post it in a more prominent place, e.g. the front page of a website.
Q15. Have patients been given enough information to make an informed choice about the use of their data? Yes Go to Q16
No Misleading, inaccurate or lack of information does not allow the individual to make an informed choice and does not adequately satisfy the condition for fair processing.
Q16. Do patients know what to do if they choose to opt-out of data sharing for non-direct care purposes? Yes Go to Q17
No A central point of contact to deal with patient queries and receive requests to opt-out should be clearly stated on the fair processing notice.
Q17. Do patients know who to ask if they want access to their personal data? Yes Go to Q18
No A central point of contact to deal with patient queries and receive requests for access to records should be clearly stated on the fair processing notice.
Q18. Is the Practice confident that our actions adequately cover the DPA’s fair processing requirement? Yes Go to Q19
No Omissions could constitute unfair processing and risk complaint and regulatory action. The ICO’s Privacy Code of Practice should be consulted if in doubt.
Q19. Does the fair processing notice satisfy the NHS Constitution guarantees and pledges? Yes Go to Q20
No The right to object to confidential information being shared for purposes beyond an individual’s care and treatment should be followed through by actual processes to ensure individuals fully understand what they can object to and how to initiate that process, otherwise it could be considered unfair processing.
Q20. Is the GP Practice confident to publish the fair processing notice? Yes Go ahead and publish, but be aware that regular reviews are essential and act on patient feedback where necessary.