Privacy
This privacy policy is for this website, NICOR, and governs the privacy of the users who choose to use it. It explains how we comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
This policy will explain areas of this website that may affect your privacy and personal details, how we process, collect, manage and store those details and how your rights under the GDPR, DPA & PECR are adhered to. Additionally it will explain the use of cookies or software, advertising or commercial sponsorship from third parties and the download of any documents, files or software made available to you (if any) on this website. Further explanations may be provided for specific pages or features of this website in order to help you understand how we, this website and its third parties (if any) interact with you and your computer/device in order to serve it to you. Our contact information is provided if you have any questions.
1. Data Protection
NICOR is required to comply with the laws and regulations that apply to protecting the patient information that we collect and how it is used. These are the United Kingdom General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (DPA). NICOR is committed to protecting your privacy in the collection and use of data required for us to provide our services.
2. NICOR National Clinical Audits and Registries
NICOR is currently being hosted at the NHS Arden and Greater East Midlands Commissioning Support Unit (Arden and GEM) where it is responsible for the delivery and management of the National Cardiac Audit Programme (NCAP). The NCAP comprises the following specialist disease and treatment areas:
• Paediatric and adult congenital heart disease
• Heart attacks
• Angioplasty
• Adult cardiac surgery
• Heart failure
• Cardiac rhythm management (devices and ablation)
• Cardiac rehabilitation
• Percutaneous transcatheter aortic valve implantation
• Percutaneous mitral and tricuspid valve repair procedures
• Percutaneous left atrial appendage occlusion (to prevent stroke)
• Percutaneous patent foramen ovale closure (to prevent recurrent stroke).
3. Privacy Notice
This privacy notice for the NICOR website can be found in the publications folder.
4. What information we collect about you and from whom?
Depending on where you live in the UK and Ireland, we may collect personal data about you. We collect your “Relevant Personal Data” (see the full list later in this section but this includes personal health and demographic details) from hospitals in England, Wales, Northern Ireland and Ireland for the NCAP. The Ambulance Trusts in England and Wales also provide pre-hospital information on care and treatment of heart attack patients transferred by ambulance. Additionally, some hospitals in Ireland and private hospitals in England, Wales and Ireland provide patient information to NICOR.
5. Who commissions the audits?
NHS England (NHSE) and NHS Wales (GIG Cymru) commission the NCAP via Arden and GEM. NHSE is the Data Controller for the data collected on patients in England. This means that it is the organisation that controls the purpose and the way in which NICOR may use your personal data. NHS Wales (through Digital Health and Care Wales) is the Data Controller for the data collected on patients in Wales.
The following is the relevant personal data that most hospitals submit to NICOR:
• Forenames and Surname
• Date of Birth
• Full postcode of usual address at date of diagnosis
• Hospital Number
• NHS Number
• Demographic details of age, sex and ethnicity
• Date/time of treatment (or if appropriate date of death)
• Clinical data relating to the treatment
• Name and GMC number of your specialist providing care.
Full details of all the datasets for each of the specialist domains of the NCAP are on the NICOR website (and the datasets for the new NCAP registries will be made available later this year).
6. Why do we collect your information?
We collect your information as part of national clinical audit for assessing and reporting on quality improvement and for benchmarking. The information collected is also useful for quality assurance and research purposes. We provide the commissioners of NHS services and policy makers with information for commissioning purposes and to improve the delivery of cardiac services. The UK regulators, such as the Care Quality Commission (CQC) and the Medicines and Healthcare products Regulatory Agency (MHRA), also use the information for quality assurance purposes. The information is also useful for service improvement and research. The other benefit of collecting patient information once for multiple uses is that this reduces the time required for data collection, thus making this a cost-effective process. We have the necessary approvals from the Health Research Authority’s Confidentiality Advisory Group, the Research Ethics Committee and the Data Controllers for use of your information for different purposes.
7. Why we use your information
We use your personal information for the following purposes:
• Linking your information with other national databases for audit purposes. For example, NHSE provides NICOR with mortality tracking information, to enable NICOR to calculate how long patients live after different types of treatment. Hospital Episode Statistics (HES) data, also provided by NHSE, are valuable in determining whether the audit has captured all of the patients with the relevant condition (‘case ascertainment’) and to determine readmission rates. Patient identifiers, including patient’s name, date of birth, NHS number, gender and post code are used for linkages of NICOR information with other national databases. All this is covered in the approval granted to NICOR by the Secretary of State for Health and Social Care via the Health Research Authority’s Confidentiality Advisory Group (CAG).
• Publication of Quality Improvement and Benchmarking Reports. These are useful for all our stakeholders including NHS commissioners, patients and members of the public, and service providers (hospitals and clinicians). NHS regulators also use these for quality assurance and patient safety purposes. Our published reports contain anonymised data reports and do not identify any individual patient.
• Onward sharing audit information for medical and scientific research. We do not pass on personal details to researchers unless appropriate approvals have already been granted. Such personal details are almost always required only for the purposes of linkage to other datasets. The final documents in these cases, i.e. final audit or research reports, do not allow the identity of any individual patient. This is strictly controlled. The use of NCAP data for research within NICOR and by external researchers is covered in England and Wales by approval from the Secretary of State for Health and Social Care under Section 251 of the NHS Act 2006 (CAG approval).
• Conducting research on public health issues and national emergencies. Data, advice and information on public health issues and emergencies (such as the COVID-19 pandemic) may be required by the UK Government, its agencies and other researchers. For COVID, the legal basis for this data sharing was covered by the Direction from the Secretary of State under Section 254 of the NHS Act 2012 (COVID-19 Public Health Directions 2020) to establish and operate a system for the collection and analysis of the information specified. NICOR conformed to this requirement for COVID-19 purposes. This also included an obligation on NHSE to onward share NICOR’s English data with third parties conducting COVID-19 related research. Unless such a Direction is made, all other applications have to seek permission from the Data Controllers.
• Linkages with national databases for research purposes. This includes linkages with other national databases such as NHSE’s mortality and Hospital Episode Statistics (HES) data (both hospital- and patient-level data). We also have research collaborations with the University of Leicester and NHSE to link NICOR data with the National Cancer Research and Analysis Service (NCRAS) data, as there are increasing numbers of people living with both heart disease and cancer. To better understand how these diseases and their treatments interact we link the audit data and the HES and ONS mortality data to the NCRAS registries.
8. Why are we allowed to process your information?
Under the GDPR, the processing of personal information by NICOR is carried out under the lawful basis of ‘Public Task’, because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)). This is justified through commissioning arrangements which link back to NHSE, the Welsh Government and other national bodies with statutory responsibilities to improve quality of health care services.
The GDPR Article 9(2)(i) allows us to process information because it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. This is justified as all NICOR audits and registries aim to drive improvements in the quality and safety of care and to improve outcomes for all patients.
We also process personal information because it is necessary for the purposes of scientific research and statistical purposes (GDPR Article 9(2)(j)).
The common law Duty of Confidentiality will be considered and applied to each project and will be met depending upon whether the project holds section 251 exemption, as explained above, or obtains informed consent from individual patients or their representatives.
The Secretary of State for Health and Social Care has granted NICOR an exemption from the National Data Opt-out Policy for national clinical audit (and registry) purposes, so that hospitals in England will continue to collect and submit information on all patients required for NCAP. Patients in England may still apply directly to NICOR to opt out of the uses of their data for audit, service delivery and research purposes (for contact details, see the end of Section 11). In England, the National Data Opt-out Policy will be implemented by NICOR, as necessary, when onward sharing of any identifiable data. Whilst the National Data Opt-out Policy applies in England only, patients in other parts of the UK have the right to object to the use of their personal information, although you must give specific reasons for your objection based upon your concerns.
In accordance with the common law duty of confidentiality, and approval from the Secretary of State for Health and Social Care, the NCAP registries are permitted to collect, use and store patient data from England and Wales without informed patient consent. However, currently, confidentiality requirements for collecting and processing NCAP data from private patients are met through obtaining informed consent from individual patients or their representatives.
9. How we safely store, use, and disclose your information
The following security measures are in place to safeguard your information:
• Your information is kept strictly confidential and stored and analysed in a very secure environment. We are very careful with the information hospitals provide about patients and their care and follow strict rules about how we keep it and who can use it.
• Everyone working at NICOR has a legal duty to maintain the highest levels of confidentiality, and all our staff receive training in how to handle your information securely. Except in certain specific circumstances, your information will generally only be available to staff on a ‘need to know’ basis, i.e. staff members who are involved in the management of the database containing your information or those involved in analyses and reporting.
• We ensure the information collected conforms to the strict rules of confidentiality established by Acts of Parliament, including the Data Protection Act 2018, the United Kingdom General Data Protection Regulation (UK-GDPR) and NHS Act 2006 and Health and Social Care Acts 2001/12.
• The data received by NICOR are stored on a secure system, which is a password-protected file repository, accessible only by named individuals. The data are retained for as long as approved by NHSE. When appropriate, the supplied data are securely destroyed using industry standard file shredding software and removed from any backup tapes.
• Wherever possible, analyses, reports and data derived from our audits and registries are anonymised and do not contain any information that can be used to identify individual patients. We sometimes grant researchers access to data that identifies patients, if it is necessary for their study, and they have the relevant ethics and confidentiality approvals to use it with the right security controls in place.
10. How long is your information kept?
Personal data for the national clinical audits and registries are retained indefinitely. The reason for this is that long-term longitudinal data (over many years) is required for trend analyses to demonstrate variations and changes in clinical practice and for improvements in quality of care. The minimum retention period for all NICOR audit records is eight years; this is consistent with NHS Retention and Disposal Schedule guidelines. For reasons mentioned above, there is no maximum retention period for national clinical audits. All records identified for retention for a period greater than eight years are subject to review and justification, including specific outcomes and level of statistical merit derived from the individual audits by audit project groups. The disposal of any data will be clearly documented including date of disposal, details of the data destroyed and the method of data destruction. Disposal methods include secure destruction of computer media in which the backups are held and the erasure of data from NICOR servers to the current NHS guidelines/standards.
11. Transferring your information to other countries
Historically we have received patient data from the United Kingdom and Ireland (although from 1 April 2021 NHS Scotland decided not to participate in the NCAP. NHS Scotland is seeking a legal framework whereby the Scottish patients’ data may be processed by NICOR along with patient data for which NHSE is the data controller to assist benchmarking for hospitals in Scotland). NICOR only processes the patient information in England. If any information is required to be transferred outside of the UK for any purposes (audit or research) we will ensure that all appropriate approvals are in place before the transfer can take place.
12. Your rights as a data subject
The right to be informed
We are required to inform you about how we collect and use your personal information (for example, by the information given in this Privacy Notice).
The right to access
By law you are entitled to request a copy of any information we hold on you. This is known as a Subject Access Request. We will aim to provide the requested information to you within 30 days, but if we are unable to do so then we will explain the reasons to you. In most cases we will provide a copy of the information to you for free, but there are some circumstances where we will need to charge.
You can do this by writing to Jon Moore (interim DPO) at NHS England using the contact details provided below. NICOR would be able to provide you with a copy of your information that we hold. NICOR would send it to you either as a paper record or as encrypted data on a CD/Pen drive, which would be sent to you by recorded delivery. Alternatively, we can make your data available to you electronically via NICOR’s secure Dropbox. To access your data electronically we require your personal email address and a contact phone number. Once we have uploaded your data file, we would need to contact you to give you the password to access your encrypted file.
Jon Moore (Interim DPO)
Delivery Directorate
NHS England
Quarry House
Quarry Hill
Leeds
LS2 7UE
The right to rectification
You may also request that we make changes to any information we hold about you that is incorrect or incomplete. We will take action to rectify inaccuracies in the personal information we hold about you when it is drawn to our attention. Sometimes it may be necessary to add an explanatory note to your information rather than change the original record.
The right to erasure
Due to the nature of national clinical audit (whereby as many patients as possible need to be included in the analyses) which is linked to the direct care you have received and for public health purposes we would consider any Subject Rights Requests from individuals (under GDPR) on a case-by-case basis.
The right to restrict processing
You may request that we restrict the processing of your information in certain circumstances, for example if you believe it to be inaccurate. In most cases a restriction of processing is a temporary measure while we investigate your concerns. The right to restrict processing is not an absolute right, and we may decide not to restrict the processing of your information if we consider that processing to be necessary for the purpose of the public interest or for the purpose of your legitimate interests.
The right to object to us processing your personal information
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Further information is available at the following link: https://digital.nhs.uk/services/national-data-opt-out
The right to data portability
NICOR’s basis for processing your information under the GDPR means that we are not legally required to provide your information in a machine-readable form, although we will try to provide information that you have asked us for (such as under a Subject Access Request) in the format you prefer if it is practical for us to do so.
In order to exercise any of the above-mentioned rights please write to Jon Moore (NHS England’s Interim DPO) at the address below. This will not affect the quality of your healthcare.
Jon Moore (Interim DPO)
Delivery Directorate
NHS England
Quarry House
Quarry Hill
Leeds
LS2 7UE
13. NICOR’s Data Controllers
NHS England is the Data Controller for all NICOR’s data collected from all hospitals in England. NHS Wales (through Digital Health and Care Wales) is the Data Controller for all data collected from hospitals in Wales.
NHSE has a Data Protection Officer (DPO) who is responsible for ensuring that we respect your rights and follow the law. If you have any concerns about how we look after your personal information, please feel free to contact the data protection officer at NHSE, by email: england.dpo@nhs.net or by telephone: 0300 311 2233. Alternatively, you may write to:
Jon Moore (Interim DPO)
Delivery Directorate
NHS England
Quarry House
Quarry Hill
Leeds
LS2 7UE
If you are not satisfied with NICOR’s response, in addition to your right to contact the data protection officer(s) at NHSE, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at:
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
https://ico.org.uk/