Information Governance and Data Protection

How does NICOR protect your data?

NICOR takes data protection extremely seriously.

We comply with both the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

When finalised, we will provide a diagram to help explain the governance arrangements for NCAP within NHS England.

Anonymised data prevents patient identification

NICOR collects information that is part of the essential activity of the NHS. It helps with decision making on service delivery and improvements in healthcare and is used in important medical research. Information for medical research usually require identifiable patient information for linkage to other datasets. However, NICOR will not use or onward share patient information for research purposes, if you have opted out under the National Data Opt-out Policy.

All NICOR audits and registries have approval under Section 251 of the NHS Act 2006, which means NICOR can use patient identifiable data, without obtaining patient consent. Our applications for approval were reviewed by the Health Research Authority’s Confidentiality Advisory Group and where relevant by the Research Ethics Committee.

Section 251 of the NHS Act 2006  allows the use of confidential patient information for audit or medical research when it is not possible to use anonymised information and when seeking consent is not practical. Section 251 will continue to be required until the processes to link data in pseudonymised form are properly developed within the NHS.


  • NICOR produces anonymised data from individual identifiable patient records to support medical research.
  • NICOR collects and uses information about past or present geographical location from patient records. Postcodes are required for analysis. As there is a potential to identify individual patients using this information, it is regarded as ‘patient identifiable data’.
  • NICOR is able to identify, and with appropriate data controller’s approval, contact patients to invite them to participate in medical research.
  • NICOR can use patient data for medical research.
  • NICOR links patient identifiable information from more than one source, validating the completeness or quality of the information.
  • NICOR has the authority to process patient identifiable information for the purpose of auditing, monitoring and analysing patient care and treatment.
  • NICOR has the authority to process patient identifiable information for an authorised user for one or more of the purposes outlined above.


  • NICOR protects this information by using security and confidentiality processes recognised by the community to be more advanced than other national data collection and aggregation initiatives.
  • NICOR stores and analyses the information in a secure environment.
  • Access to this information is restricted to appropriate members of NICOR.
  • NICOR provides regular information governance training to all NICOR staff.
  • NICOR ensures the information collected conforms to the strict rules of confidentiality established by Acts of Parliament, including the Data Protection Act 2018, the NHS Act 2006, the Health and Social Care Act 2001 and the Health and Social Care Act  2008.