Data Controller(s)

NHS Barnsley CCG

Purpose

Invoice validation is part of the process by which providers of care or services get paid for the work they do.

Invoices, with supporting information, are submitted to the CCG of their service for payment, but before payment can be released, the CCG needs to ensure that the activity claimed for each patient is their responsibility. These invoices are validated within a special secure area known as a Controlled Environment for Finance (CEF), hosted on our behalf by NHS Rotherham CCG, to ensure that the right amount of money is paid, by the right organisation, for the treatment provided. The process followed ensures that only the minimum amount of information about individuals is used by a very limited number of people and is designed to protect confidentiality.

Type of information Used

Identifiable (NHS number, date of birth or postcode) and Special Category (health information)

Legal basis

UK GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

UK GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

A section 251 approval (CAG 7-07(a)(b)(c)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the CCG to process identifiable information for the purpose of invoice validation within a Controlled Environment for Finance.

How we collect (the source) and use the information

Organisations that provide treatment submit their invoices to the CCG for payment. The nominated secure area (Controlled Environment for Finance) receives additional information, including the NHS Number, or occasionally date of birth and postcode, from the organisation that provided the treatment.

NHS Digital sends information into the secure area, including the NHS number and details of the treatment received. The information is then validated ensuring that any discrepancies are investigated and resolved between the Controlled Environment for Finance and the organisation that submitted the invoice. The invoices will be paid when the validation is completed.

The CCG does not receive any identifiable information for purposes of invoice validation, however we do receive aggregated reports to help us manage our finances.

Data Processors

NHS Rotherham CCG who operate the Controlled Environment for Finance as a shared service.

NHS Shared Business Services - used by the Controlled Environment for Finance as a Data Processor

Transfers of Data Overseas

NHS SBS carry out some of their processing activity in India. Where this occurs, it is governed by the use of approved Model Contract Clauses.

Your Rights

With regards to Invoice Validation under UK GDPR you have the right:

• To be informed about the processing of your information (this notice)
• Of access to the information held about you
• To have the information corrected in the event that it is inaccurate
• To object to it being processed or used
• Not to be subject automated decision-taking or profiling
• To be notified of data breaches

Invoice Validation has been granted an exemption from the National Data Opt-Out by the Confidentiality Advisory Group.

How long we will keep the information

Invoices are retained for 6 years after the end of the financial year to which they relate.

Who we will share the information with (recipients)

This information is not shared outside of the CCG.