North East London Health & Care Partnership logo

Legal information

Accessibility statement

Website accessibility statement inline with Public Sector Body (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018

This accessibility statement applies to

This website is run by NHS North East London Integrated Care Board.

We want as many people as possible to be able to use this website. For example, that means you should be able to:

  • change colours, contrast levels and fonts
  • zoom in up to 200% without the text spilling off the screen
  • navigate most of the website using just a keyboard
  • navigate most of the website using speech recognition software
  • listen to most of the website using a screen reader (including the most recent versions of JAWS (Job Access with Speech), NVDA (NonVisual Desktop Access) and VoiceOver)

We’ve also made the website text as simple as possible to understand.

Customising the website

AbilityNet has advice on making your device easier to use if you have a disability. This is an external site with suggestions to make your computer more accessible: AbilityNet – My computer my way

With a few simple steps you can customise the appearance of our website to make it easier to read and navigate.

How accessible this website is

We know some parts of this website are not fully accessible:

  • some parts may not be fully compatible with screen readers
  • you may not be able to access all content by using the keyboard alone
  • not all media will have a transcript or be subtitled
  • some text may not reflow in a single column when you change the size of the browser window and at certain levels of magnification
  • some older PDF documents are not fully accessible to screen reader software

Feedback and contact information

If you need information on this website in a different format like accessible PDF, large print, audio recording or braille, please use the online contact form. We will try and respond as quickly as possible but this will be no more than 5 working days.

Reporting accessibility problems with this website

We are always looking to improve the accessibility of this website. If you find any problems not listed on this page or think we’re not meeting accessibility requirements, please let us know at

We’ll try and respond as quickly as possible but this will be no more than 5 working days.

Enforcement procedure

The Equality and Human Rights Commission (EHRC) is responsible for enforcing the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 (the ‘accessibility regulations’). If you are not happy with how we respond to you, please contact the Equality Advisory and Support Service (EASS) directly. Contact details for the Equality Advisory and Support Service (EASS).

The government has produced information on how to report accessibility issues. Reporting an accessibility problem on a public sector website.

Technical information about this website’s accessibility

NHS North East London Integrated Care Board is committed to making its website accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018.

Compliance status

This website is partially compliant with the Web Content Accessibility Guidelines 2.1 AA standard, due to the non-compliances listed below.

The full guidelines are available at Web Content Accessibility Guidelines version 2.1.

Non accessible content

The content listed below is non-accessible for the following reasons.

Noncompliance with the accessibility regulations

The following items do not comply with the WCAG 2.1 AA success criteria

Information is conveyed as an image of text rather than as text itself so that it’s not compatible with screen readers and other assistive technology

We aim to improve our websites accessibility on a regular and continuous basis. See the section below (‘What we’re doing to improve accessibility’) on how we are improving our site accessibility.

Content that’s not within the scope of the accessibility regulations

PDFs, videos and other documents

Many of our older PDFs, videos and Word documents do not meet accessibility standards – for example, they may not be structured so they’re accessible to a screen reader. This does not meet

WCAG 2.1 success criterion 4.1.2 (name, role value).

The accessibility regulations do not require us to fix PDFs or other documents published before 23 September 2018 if they’re not essential to providing our services. For example, we do not plan to fix archive material such as news articles published before 2018.

Regulations for PDFs or other documents published before 23 September 2018

What we’re doing to improve accessibility

  • A regular bi-monthly central website audit using an automated service, followed by manual prioritisation of issues with key user journeys
  • We use a design framework which is stable and has been tested for accessibility issues. This cuts down, but doesn’t totally remove, the risk of web editors adding design elements that are not accessible
  • Support, guidance and training process in place for all staff to increase awareness of accessibility and what our responsibilities are.

Preparation of this accessibility statement

This statement was prepared on 31 March 2021. It was last reviewed on 31 March 2021.

This website was last tested in March 2021. The test was carried out by NEL CSU.

Cookie Policy

This Cookie Policy explains what cookies are and how we use them, the types of cookies we use i.e, the information we collect using cookies and how that information is used, and how to control the cookie preferences. For further information on how we use, store, and keep your personal data secure, see our Privacy Policy.

You can at any time change or withdraw your consent from the Cookie Declaration on our website
Learn more about who we are, how you can contact us, and how we process personal data in our Privacy Policy.

Manage your consent.

What are cookies ?

Cookies are small text files that are used to store small pieces of information. They are stored on your device when the website is loaded on your browser. These cookies help us make the website function properly, make it more secure, provide better user experience, and understand how the website performs and to analyze what works and where it needs improvement.

How do we use cookies ?

As most of the online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data.

The third-party cookies used on our website are mainly for understanding how the website performs, how you interact with our website, keeping our services secure, providing advertisements that are relevant to you, and all in all providing you with a better and improved user experience and help speed up your future interactions with our website.

What types of cookies do we use ?

Essential: Some cookies are essential for you to be able to experience the full functionality of our site. They allow us to maintain user sessions and prevent any security threats. They do not collect or store any personal information. For example, these cookies allow you to log-in to your account and add products to your basket, and checkout securely.

Statistics: These cookies store information like the number of visitors to the website, the number of unique visitors, which pages of the website have been visited, the source of the visit, etc. These data help us understand and analyze how well the website performs and where it needs improvement.

Marketing: Our website displays advertisements. These cookies are used to personalize the advertisements that we show to you so that they are meaningful to you. These cookies also help us keep track of the efficiency of these ad campaigns.

The information stored in these cookies may also be used by the third-party ad providers to show you ads on other websites on the browser as well.

Functional: These are the cookies that help certain non-essential functionalities on our website. These functionalities include embedding content like videos or sharing content of the website on social media platforms.

Preferences: These cookies help us store your settings and browsing preferences like language preferences so that you have a better and efficient experience on future visits to the website.

The below list details the cookies used in our website.

cookielawinfo-checbox-analyticsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Analytics”.
cookielawinfo-checbox-functionalThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category “Functional”.
cookielawinfo-checbox-othersThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Other.
cookielawinfo-checkbox-necessaryThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Necessary”.
cookielawinfo-checkbox-performanceThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Performance”.
viewed_cookie_policyThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

How can I control the cookie preferences ?

Should you decide to change your preferences later through your browsing session, you can click on the “Cookie Policy” link on your screen. This will display the consent notice again enabling you to change your preferences or withdraw your consent entirely.

In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. To find out more about how to manage and delete cookies, visit

Privacy policy

This privacy notice tells you about information we obtain, hold and use about you. It describes what we do with it, how we will look after it and who we share it with. It covers information we collect directly from you as well as information we may get from other organisations.

This notice does not provide exhaustive detail. However, we keep and maintain accurate and detailed records about how your information is used.

We can provide further detail and explanation should it be requested and without charge.  Contact details for us can be found at the end of this page.

We keep our privacy notice under regular review. It was last updated in July 2023.

Our commitment to Data Protection and Confidentiality

We are committed to protecting your privacy and will only ‘process’ data (processing refers to how data is Held, Obtained, Recorded, Used and Shared), in accordance with Data Protection Legislation and NHS guidance.

This includes ensuring NEL complies with the UK General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018, and any applicable national Laws as required.

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including:

  • the Human Rights Act 1998,
  • the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,
  • the Common Law Duty of Confidentiality, and the
  • Privacy and Electronic Communications (EC Directive) Regulations 

As a Data Controller, NEL has a duty to:

  • keep sufficient information to provide services and fulfil our legal responsibilities
  • keep your records secure and accurate
  • only keep your information as long as is required
  • collect, store and use the information you provide in a manner that is compatible with the UK General Data Protection Regulation and the Data Protection Act.  
  • Notify the Information Commissioner’s Office of all personal information processing activities. Our registration details can be found on the public register of Data Controllers .

All information that we hold about individuals will be held securely and confidentially. We use administrative and technical controls to do this.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality.

We will only use the minimum and proportionate amount of personal information necessary. Where possible we will use information that does not directly identify individuals, but when it becomes necessary for us to know or use personal information a person, we will only do this when we have either a legal basis or have that person’s consent. We use strict controls to ensure that only authorised staff are able to access personal data. Only a limited number of authorised staff have access to information that identifies individuals, where it is appropriate to their role, and is strictly on a need-to-know basis.

NEL has a Data Protection Officer who plays key role in ensuring our accountability for Data Protection.

The Caldicott Guardian is the person responsible for protecting the confidentiality of patient information and enabling appropriate and lawful information sharing. 

Why we process your information

For some of our services, we need to collect personal data so we can get in touch or provide the service. The ICB can use your personal data under many different laws. The main ones that apply are the NHS Act 2006, the Health and Social Care Act 2012, the Care Act 2014, the Data Protection Act 2018 and the General Data Protection Regulations.

In some cases, there is a statutory requirement to process your data and we can do so without your consent. For some services where individuals choose to engage with e.g., where someone wishes us to include them on our mailing list, NEL process this data by requesting your explicit consent.

Where NEL commissions a contract for the provision of a clinical service, the organisation which delivers that service are the Data Controller. These providers are subject to NHS contract and have to keep your details safe and secure and use them only to provide the service.

NEL has undertaken an assurance exercise, validated via the completion of the Data Security and Protection toolkit, which has assured the legal basis of processing for each of the ICB’s activities. NEL processes person identifiable data for the following purposes: 

  • Financial Transactions including processing applications for funding treatments
  • Invoice validation
  • Dealing with complaints
  • Processing Safeguarding referrals
  • Continuing Healthcare
  • Risk Stratification
  • Patient & public involvement  
  • National registries
  • To ensure we meet our legal and statutory obligations
  • Clinical audit
  • GP data including performance and monitoring information
  • Investigating and managing serious incidents

As an employer, NEL will process employee data for the following purposes:

  • To ensure that the information we hold about you is kept up to date.
  • To deal with any employee / employer related disputes that may arise.
  • Employment and payroll purposes.
  • For assessment and analysis purposes to help improve the operation and performance of NEL
  • To enable the monitoring of protected characteristics in accordance with the Equality Act 2010 and ensure that we continue to meet equality standards.
  • To prevent, detect and prosecute against fraud.
  • To respond to requests made by a “relevant authority” under Section 29 of the Data Protection Act 2018, such as the police, government departments and local authorities with the regulatory powers to request access to personal data without the consent of the data subject for the purposes of the prevention or detection of crime.
  • In accordance with the consent provided by you as part of your terms and conditions of employment; and
  • To comply with our legal obligations as an employer, i.e., HMRC and pensions.

The types of information we use

For the majority of our work, we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the ICB as follows.

Identifiable – information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Pseudonymised – individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity

Anonymised – data which is about you but from which you cannot be personally identified.

Details of information used for specific purposes

Use of anonymised and aggregated data 

We use anonymised and aggregated data to plan health care services, including: 

  • Checking the quality and efficiency of the health services we commission.
  • Preparing performance reports on the services we commission.
  • Working out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients.
  • Reviewing the care being provided to make sure it is of the highest standard.

Use of pseudonymised (de-identified) Information

We use pseudonymised information in our role, including:

  • Commissioning – to plan, design, purchase and pay for the best possible care available for you; look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts; to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement; to help us plan future services to ensure they continue to meet our local population needs.
  • Risk Stratification – to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick. Only de-identified information is accessible to the ICB in order to help us plan the most appropriate health services for our population.

Use of personal information

As an ICB, we do not routinely hold or have any access to medical records.  The provider of your healthcare for example an Acute Trust, or GP would hold this information.  However, we may need to hold some information about you, for example:  

  • If you have made a complaint to us about healthcare that you have received, and we need to investigate
  • If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process
  • If you ask us to provide funding for Continuing Healthcare or Personal Health Budget services
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • If you ask us to keep you regularly informed and up to date about the work of NEL, or if you are actively involved in our engagement and consultation activities or service user participation groups
  • In circumstances where our safeguarding staff are involved in the most serious cases.
  • Where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.
  • Where information processing falls within NEL’s infection control oversight functions.
  • Staff personal confidential information for employment purposes

Our records may include relevant information that you have told us, information provided on your behalf, by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system. 

Sharing your information with other organisations or individuals (third parties)

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit, and public health. 

We would not share information that identifies you unless:

  • You have given us permission
  • This is anonymised and therefore non-personal data
  • We are lawfully required to report information to the appropriate authorities e.g., to prevent fraud or a serious crime
  • It is necessary to protect children and vulnerable adults from harm.
  • A formal court order has been served upon us. 
  • For the health and safety of others, for example to report an infectious disease like meningitis or measles.

The legal basis for processing personal data

NEL is a public body established by the NHS Act 2006 as amended by the Health and Care Act 2022. As such our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the GDPR.

NEL processes personal data under a variety of legal bases depending on the data being processed and the purposes it is processed. Below are examples of the most commonly used legal bases.

  • The legal basis for the majority of our processing:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  • For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is:

Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

  • Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Where we process special categories data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

  • Where we process special category data for employment or safeguarding purposes the condition is:

Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

  • We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or.

Where we process special category data for these purposes, the legal basis for doing so is:

Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or

Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

Section 251 of the NHS Act 2006

The Secretary of State for Health gives limited permission for ICBs (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation. 

This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group

This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.

Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.

More information about Section 251 is available from the Health Research Authority web site. 

Notice under Regulation 3(4) of the Health Service Control of Patient Information (COPI) Regulations 2022

Under this regulation the Secretary of State for Health and Social Care has the power to issue healthcare organisations, GPs, local authorities and arms-length bodies with a notice requiring them to share confidential patient information with organisations entitled to process this under the COPI Regulations. Notices are issued for a specific purpose, the most recent being to support efforts against Covid 19.

The Covid 19 notice expired on the 30 June 2022.   

NHS England is responsible for and is the data controllers for the COVID-19/Flu Vaccination programme. For the privacy notice relating to this programme please visit the NHS England privacy notice website.

Your rights

Under the General Data Protection Regulation all individuals have certain rights in relation to the information the ICB holds about them. Not all rights apply equally to all our processing and are dependent on the lawful basis for processing. Further information can be found on the ICO site ‘Lawful Basis for Processing’ section.

If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.

These rights are:

Currently NEL does not use automated decision-making (making a decision solely by automated means without any human involvement).

These are commitments relating to your rights set out in the NHS Constitution, for further information please visit: 

Data subject access requests and how to exercise other rights

Individuals can access personal information about them by making a ‘data subject access request’ under the UK General Data Protection Regulation. Click here to find out more information about how to make a request for any personal information we may hold and/or to exercise any of your other rights under Data Protection legislation

To make a request for any personal information we may hold and/or to exercise any of your other rights under Data Protection legislation please contact the Information Governance Team using details in the Subject Access Request Privacy Notice.

Opting out

Confidential information can be used for improving health, care and services including:

  • planning to improve health and care services 
  • research, for example to find a cure for serious illnesses. 

If you do not wish to share or process your information for purposes beyond your direct care, or have any concerns then please let us know:

Type 1 opt-out

If you do not want personal confidential data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. Patients are only able to register the opt-out at their GP practice.

National Data Opt-Out: information held by NHS Digital 

Previously you could tell your GP surgery if you did not want NHS Digital, to share confidential patient information that it collects from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.

From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-out. Any type 2 opt-outs recorded by your GP practice up to 11th October 2018 have been automatically converted to a National Data Opt-out.

Objections will be respected, except in very limited circumstances such as: 

  • You have given explicit permission for a particular use of data (e.g., a research project)
  • Data is anonymised and therefore non personal data
  • We are lawfully required to report certain information to the appropriate authorities e.g., to prevent fraud or a serious crime
  • It is necessary to protect children and vulnerable adults from harm
  • A formal court order has been served upon us
  • For the health and safety of others, for example to report an infectious disease like meningitis or measles. 

You have the right to refuse/ withdraw consent to information sharing at any time and your decision will not affect your individual care. 

Further information on the National Data Opt-Out and how to set a National Data Opt-Out can be found here at: 

How each of our services uses your information

What we use your information for – Please select the information that is relevant to you from the list below for full details on how your information is used:

How long we hold information for and our destruction arrangements

All records held by the ICB will be kept for the duration specified by national guidance from NHS Digital found in the  Records Management Code of Practice 2021

In all circumstances data will be retained in accordance with data protection requirements and ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. 

Once data is no longer required it will be destroyed securely:

  • Paper records will be destroyed in line with international standards. Where external confidential waste suppliers are used these will be under contract and assurance that destruction meets the necessary legal requirements and standards. 
  • For digital media permanent destruction will be achieved by over writing the media a sufficient number of times or physical destruction of media by breaking it up into small pieces. 

Our data processors

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. The ICB remains the data controller (the organisation responsible for determining the purposes for which and the manner in which personal data is used under Data Protection Legislation) of such information at all times. We use data processors to provide services such as HR and Information Technology.

Concerns about how we are using your information 

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.  

For more information about Data Protection, or if you are unsatisfied with the way your personal information has been handled, you can contact the national regulator, the Information Commissioner’s Office, at

Information Commissioner’s Office 
Wycliffe House 
SK9 5AF 

Subject access request

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, you have the right to see or be given copies of any personal data we hold about you. This may include documents such as reports, minutes, or emails.

What do I need to include in my request?

  • Your name and contact details (you may be required to provide proof of identity)
  • The name of the person the information relates to, if acting on another’s behalf.
  • State clearly what you want – you may not want all the personal data that the organisation holds about you, for example you may want information which relates to a specified time period.
  • Any details or relevant dates that will help it identify what you want

How quickly will I get a response?

NHS North East London Integrated Care Board has one calendar month in which to respond to your request.  An extension of a further two months can be granted for requests which are “complex or numerous”. We will let you know if this is the case within one month

Do I need to make my request in writing?

You can make a request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. It will also provide clear evidence of your actions

Can I make a request on behalf of someone else?

Yes. If making a request on behalf of someone else, NHS North East London Integrated Care Board needs to be satisfied that the third party making the request is entitled to make the request and may ask for proof of this.

If making a request on behalf of a child, you may be asked to provide proof of parental responsibility and/or depending on the age and understanding of the child, evidence of their consent

Make a Subject Access Request now:

Please download the Subject access request form and email your request to  or post to Subject Access Request NHS North East London, Information Governance Team, 4th Floor – Unex Tower, 5 Station Street, London E15 1DA.

Download: Subject access guidance and form