NICOR Privacy Notice
This privacy notice is for the NHS England National Institute for Cardiovascular Outcomes and Research (NICOR) service. It applies to all personal data processed by the service.
Privacy notices
The NICOR Privacy Notice applies to all personal data processed by the NHS England NICOR service.
Find further information about NHS England's privacy notices and how we use your information.
Data protection
NHS England is the responsible data controller for the processing of personal data which is collected via the National Institute for Cardiovascular Outcomes and Research (NICOR) data collection system to meet the delivery of some elements of the National Cardiac Audit Programme (NCAP).
The NHS England NCAP is required to comply with the laws and regulations that apply to protecting the patient information that NHS England collects and how it is used. These are the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (DPA). The NHS England NICOR service is committed to protecting your privacy in the collection and use of data required for us to provide our services.
NICOR National Clinical Audits and Registries
The NICOR service is delivered by NHS Arden and Greater East Midlands Commissioning Support Unit (Arden and GEM) on behalf of NHS England. It comprises the following specialist disease and treatment areas:
- paediatric and adult congenital heart disease
- heart attacks
- angioplasty
- adult cardiac surgery
- heart failure
- cardiac rhythm management (devices and ablation)
- percutaneous transcatheter aortic valve implantation
- percutaneous mitral and tricuspid valve repair procedures
- percutaneous left atrial appendage occlusion (to prevent stroke)
- percutaneous patent foramen ovale closure (to prevent recurrent stroke)
Who commissions the audits
NHS England and NHS Wales (GIG Cymru) commission NCAP via Arden and GEM CSU.
NHS England and NHS Wales (through Digital Health and Care Wales) are the Data Controllers for the processing of data about patients treated in England and Wales respectively, and also about patients whose care they commission from hospitals in either country. This means that they determine the purpose and way in which the NICOR service may use the personal data collected for national clinical audits and registries.
Information we collect about you and from whom
We collect your 'Relevant Personal Data' (see the full list below, including personal health and demographic details) from hospitals in England, Wales, Northern Ireland and the Republic of Ireland for the NCAP. Ambulance trusts in England also validate pre-hospital information on care and treatment of heart attack patients transferred by ambulance. Additionally, some private hospitals in England and Ireland provide patient information to the NICOR service.
Relevant personal data
The following is the relevant personal data that most hospitals submit to the NHS England NICOR service:
- forenames and surname
- date of birth
- full postcode of usual address at date of diagnosis
- hospital number
- NHS number
- demographic details of age, sex and ethnicity
- date/time of treatment (or if appropriate date of death)
- clinical data relating to the treatment
- name and GMC number of your specialist providing care
Find full details of all the datasets for each of the specialist domains on the NICOR website.
Why we collect your information
We collect your information as part of national clinical audit for assessing and reporting on quality improvement and for benchmarking. The information collected is also useful for quality assurance and research purposes. We provide the commissioners of NHS services and policy makers with information for commissioning purposes and to improve the delivery of cardiac services.
UK regulators, such as the Care Quality Commission (CQC) and the Medicines and Healthcare products Regulatory Agency (MHRA), also use the information for quality assurance purposes. The information is also useful for service improvement and research.
The other benefit of collecting patient information once for multiple uses is that this reduces the time required for data collection thus making this a cost-effective process.
Why we use your information
We use your personal information for the following purposes:
Linking your information with other national databases for audit purposes
For example, NHS England provides the NICOR service with an internal flow of mortality tracking information, to enable the NICOR service to calculate how long patients live after different types of treatment. Hospital Episode Statistics (HES) data, also provided as an internal flow by NHS England, are valuable in determining whether the audit has captured all of the patients with the relevant condition (‘case ascertainment’) and to determine readmission rates. Patient identifiers, including patient’s name, date of birth, NHS number, gender and post code are used for linkages of NCAP information with other national databases.
Publication of quality improvement and benchmarking reports
These are useful for all our stakeholders including NHS commissioners, patients and members of the public, and service providers (hospitals and clinicians). NHS regulators also use these for quality assurance and patient safety purposes. NICOR published reports contain anonymised data reports and do not identify any individual patient.
Onward sharing audit information for medical and scientific research
NHS England only passes on data that includes personal details to researchers that have obtained the appropriate approval i.e. ‘section 251 support’ (see below) and Health Research Authority (HRA) research ethics approval. Such personal details are almost always required only for the purposes of linkage to other datasets. The final documents in these cases, i.e. final audit or research reports, do not allow any individual patient to be identified. This is strictly controlled.
Linkages with national databases for NHS England research purposes
This includes the National Cancer Registration and Analysis Service (NCRAS).
Legal basis to collect your information
Data Protection
Under the UK GDPR, the lawful basis for NHS England’s processing of personal data for NCAP purposes is Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
This is underpinned by NHS England’s statutory duties, commissioning arrangements, and power to collect and analyse data when requested by organisations such as NHS Wales.
For the processing of special categories of personal data the following apply:
For clinical audit:
- article 9(2)(h) “…necessary for …the provision of health …or the management of health… systems…”; and
- article 9(2)(i) “…necessary for reasons of public interest in the area of public health…” as NICOR audits and registries aim to drive improvements in the quality and safety of care and to improve outcomes for all patients.
For research:
- article 9(2)(j) “…necessary for… scientific or historical research purposes”.
The common law duty of confidentiality
The Secretary of State for Health and Social Care has the power under Regulation 5 of the Control of Patient Information (COPI) Regulations 2002, to approve the processing of confidential patient information for medical purposes, without patient consent. Such approval sets aside the duty of confidentiality. It is known commonly as ‘section 251 support’ and is given on the recommendation of the Confidentiality Advisory Group of the Health Research Authority (HRA).
NHS England has section 251 support for the NCAP registries to collect, use and store patient data from England and Wales without patient consent. This approval sets aside the duty of confidentiality owed by the submitting Trusts and NHS England.
When researchers apply to NHS England for data to support their projects, in each case we assess how they will respect the common law duty of confidence before agreeing to provide the data. The project may have section 251 support, or alternatively, we may provide the data in a form that doesn’t identify individuals.
The National Data Opt Out
People can choose to stop their confidential patient information being used for research and planning and can also make a choice for someone else like their children under the age of 13. This choice applies only to the health and care system in England. It does not apply to health or care services accessed in Scotland, Wales or Northern Ireland.
The Secretary of State for Health and Social Care has granted NHS England an exemption from the National Data Opt-Out Policy for national clinical audit (and registry) purposes, so that hospitals in England will collect and submit information on all patients required for the NCAP, irrespective of whether they have registered an opt-out.
As there is no such exemption for research purposes, the National Data Opt-out Policy will be implemented by the NICOR service, as necessary, when we share identifiable data with other organisations for research.
Whilst the National Data Opt-out Policy applies in England only, everyone has the right to object to the processing of their personal data by NHS England. So, patients may apply to NHS England to object to the uses of their data for the NICOR service’s audit and service delivery (for contact details, see Section 12).
How we safely store, use and disclose your information
The following security measures are in place to safeguard your information:
- Your information is kept strictly confidential and stored and analysed in a very secure environment. We are very careful with the information hospitals provide about patients and their care and follow strict rules about how we keep it and who can use it.
- Everyone working within the NICOR service has a legal duty to maintain the highest levels of confidentiality, and all our staff receive training in how to handle your information securely. Except in certain specific circumstances, your information will generally only be available to staff on a ‘need to know’ basis. That is, staff members who are involved in the management of the database containing your information or those involved in analyses and reporting.
- We ensure the information collected conforms to the strict rules of confidentiality established by Acts of Parliament, including the Data Protection Act 2018, the United Kingdom General Data Protection Regulation (UK-GDPR) and NHS Act 2006 and Health and Social Care Acts 2001/12.
- The data received by the NICOR service on behalf of NHS England are stored on a secure system, which is a password-protected file repository, accessible only by named individuals. The data are retained for as long as approved by NHS England. When appropriate, the supplied data are securely destroyed using industry standard file shredding software and removed from any backup tapes.
- Wherever possible, analyses, reports and data derived from our audits and registries are anonymised and do not contain any information that can be used to identify individual patients. NHS England sometimes grants researchers access to data that identifies patients, if it is necessary for their study, and they have the relevant ethics and confidentiality approvals to use it with the right security controls in place.
How long your information is kept
Personal data for the national clinical audit is retained to calculate the long-term survival for the patient, and to track the pathway of other cardiac events to see whether appropriate treatment has been given. For these purposes, the record must be kept open beyond 20 years.
The reason for this is that long-term longitudinal data (over many years) is required for trend analyses to demonstrate variations and changes in clinical practice and for improvements in quality of care. The minimum retention period for all NHS England audit records is eight years; this is consistent with NHS Retention and Disposal Schedule guidelines.
For reasons mentioned above, there is no maximum retention period for national clinical audits. All records identified for retention for a period greater than eight years are subject to review and justification, including specific outcomes and level of statistical merit derived from the individual audits by audit project groups.
The disposal of any data will be clearly documented including date of disposal, details of the data destroyed and the method of data destruction. Disposal methods include secure destruction of computer media in which the backups are held and the erasure of data from the NICOR service servers to the current NHS guidelines/standards.
Transferring your information to other countries
Historically, the NICOR service has received patient data from the United Kingdom and Ireland, although from 1 April 2021 NHS Scotland decided not to participate in the NCAP. NHS Scotland is seeking a legal framework whereby the Scottish patients’ data may be processed by NHS England along with patient data for which NHS England is the data controller to assist benchmarking for hospitals in Scotland.
The NICOR service only processes the patient information in England. If any information is required to be transferred outside of the UK for any purposes (audit or research) it will ensure that all appropriate approvals are in place before the transfer can take place.
Your rights as a data subject
Your data protection rights and how they apply are explained below.
The right to be informed
We are required to inform you about how we collect and use your personal information (for example, by publishing the information given in this Privacy Notice).
The right to access
By law you are entitled to request a copy of any information we hold on you. This is known as a Subject Access Request. We will aim to provide the requested information to you within 30 days, but if we are unable to do so then we will explain the reasons to you. In most cases we will provide a copy of the information to you for free, but there are some circumstances where we will need to charge.
You can do this by writing to Jon Moore (interim DPO) at NHS England using the contact details provided below.
The right to rectification
You may also request that we make changes to any information we hold about you that is incorrect or incomplete. We will take action to rectify inaccuracies in the personal information we hold about you when it is drawn to our attention. Sometimes it may be necessary to add an explanatory note to your information rather than change the original record.
The right to erasure
Due to the nature of national clinical audit (whereby as many patients as possible need to be included in the analyses) which is linked to the direct care you have received and for public health purposes we would consider any Subject Rights Requests from individuals (under GDPR) on a case-by-case basis.
The right to restrict processing
You may request that we restrict the processing of your information in certain circumstances, for example if you believe it to be inaccurate. In most cases a restriction of processing is a temporary measure while we investigate your concerns. The right to restrict processing is not an absolute right, and we may decide not to restrict the processing of your information if we consider that processing to be necessary for the purpose of the public interest or for the purpose of your legitimate interests.
The right to data portability
NHS England’s basis for processing your information under the GDPR means that we are not legally required to provide your information in a machine-readable form, although we will try to provide information that you have asked us for (such as under a Subject Access Request) in the format you prefer if it is practical for us to do so.
The right to object
You are entitled to object to the processing of your personal data by NHS England. This right is not absolute and we will consider each request on a case-by-case basis. This right operates separately from the National Data Opt-Out.
In order to exercise any of the above-mentioned rights please write to Jon Moore (NHS England’s Interim Data Protection Officer) at the address below. This will not affect the quality of your healthcare.
Jon Moore (Interim DPO)
Delivery Directorate
NHS England
7 & 8 Wellington Place
Leeds
LS1 4AP
Email: [email protected]
Data Controller details
NHS England has a Data Protection Officer (DPO) who is responsible for ensuring that we respect your rights and follow the law. If you have any concerns about how we look after your personal information, please feel free to contact the data protection officer at NHS England, by email: [email protected] or by telephone: 0300 311 2233. Alternatively, you may write to:
Jon Moore (Interim DPO)
Delivery Directorate
NHS England
7 & 8 Wellington Place
Leeds
LS1 4AP
If you are not satisfied with NHS England’s response, in addition to your right to contact the data protection officer(s) at NHS England, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at:
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Website: https://ico.org.uk/
Last edited: 15 September 2025 12:25 pm