Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This process is used for case- finding and is a type of profiling as it is the automated processing of personal data to analyse or predict health needs. However, this is not a solely automated process as whilst cases are identified through an automated process, no decisions are made automatically; they are made by the GP.
The CCG also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services, which is called ‘risk stratification for commissioning.’ Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.
GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care. However, the CCG can never identify an individual from the risk stratified data that we see. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS Digital or other health care provider, the GP will ask for your permission to access the details of that information. NHS ML CSU is our data processor for risk stratification purposes.
Sources of personal data
Personal data is supplied by GPs and NHS Digital (Secondary Use Services Data)
Categories of personal data
Data from the GP Practice system will be obtained by using a “bulk data extract”, uploaded directly by the risk stratification tool supplier from the practice system. Prior to the upload, the supplier will obtain permission from the practice to request the data from the practice system provider and the practice will notify their system providers that this permission has been granted.
The data extract will EXCLUDE patients who have expressed a wish not to share information. Reports produced from the system including identifiable data are only provided back to your GP or member of your care team as data controller in an identifiable form. Your GP can provide more information about . any risk stratification programme they are using. Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager to discuss how the disclosure of your personal information can be limited. The Secondary Uses Service
(SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. Information on care provided for all patients by health care providers (both NHS and independent sector healthcare providers for NHS patients only) must be submitted to the Secondary Uses Service according to the Commissioning Data Set Mandated Data Flows guidelines.
Recipients of personal data
The combined CCG’s Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks. NHS East Leicestershire and Rutland CCG does not have access to identifiable information.
Legal basis for Processing
For the General Data Protection Regulation (GDPR) purposes is Article 6(1)(e) ‘…exercise of official authority… For special categories (health) data the basis is 9(2)(h) ‘…health or social care…’.