National Diabetes Audit (Wales): Transparency Notice

This transparency notice explains for the National Diabetes Audit 

• why we collect information about you (we call this “personal data”)
• what we do with it, including who we share it with
• how long we keep it for and where we store it
• our legal basis for using it
• what your data protection rights are

This notice covers the data we collect for the National Diabetes Audit from diabetes services in Wales. For more information on the data we collect for the National Diabetes Audit in England, see the National Diabetes Audit (England) Transparency Notice. 

The National Diabetes Audit (NDA) Programme was originally developed to help improve services and monitor the impact of the diabetes national service framework (NSF). Since 2011, the National Paediatric Diabetes Audit has been delivered by the Royal College of Paediatric Child Health (RCPCH).

The NDA is commissioned by and funded by the Welsh Government, managed by the Healthcare Quality Improvement Partnership (HQIP) and delivered by NHS England working with Diabetes UK.

The NDA helps improve the quality of diabetes care by enabling participating NHS services and organisations to:

• assess local practice against National Institute for Health and Care Excellence (NICE) guidelines
• compare their care and outcomes with similar services and organisations
• identify gaps or shortfalls that are priorities for improvement
• identify and share best practice
• provide comprehensive national pictures of diabetes care and outcomes in England and Wales

Through participation in the audit, local services are able to benchmark their performance, identify where they are performing well, and improve the quality of treatment and care they provide. For example:

• the Quality Improvement Toolkit has been developed in collaboration with the Royal College of General Practitioners (RCGP) to help practices use their diabetes data to improve services.
• Diabetes UK manages Quality Improvement Collaboratives (QIC) which set local aims to improve diabetes care. Using audit data, specialist services work together with other providers to develop skills, share learning and improve clinical practice

The NDA Programme covers:

• National Diabetes Core Audit including NDA core, Type 1, Adolescent and Young Adult (AYA), Young Type 2 and Diabetes Prevention Programme
• National Pregnancy in Diabetes Audit (NPID)
• National Diabetes Footcare Audit (NDFA)
• National Diabetes Inpatient Safety Audit (NDISA))
• National Diabetes Audit – Integrated Specialist Survey (NDA ISS)
• National Gestational Diabetes Audit

Under data protection law, NHS England is the ‘controller’ for the NDA. This means that we make decisions about what personal data we need to collect and how we will use your data to run the data collection.

The NDA collects information about patients who receive diabetes care in Wales.

For more information on the data we collect for the National Diabetes Audit in England, see the National Diabetes Audit (England) Transparency Notice. 

We collect the following information:

Personal data

• NHS number
• date of birth
• postcode (NDA Core collection only)

Special category data

• ethnicity
• diabetes type
• Body Mass Index (BMI)
• blood pressure
• smoking status

We then link this data to other datasets that NHS England holds. Data linkage allows us to understand the types of complications people with diabetes can experience and gives a better picture of diabetes care whilst reducing the burden placed on NHS services who submit the data to NHS England so that they do not have to submit the same data twice.  For example, demographic information such as patient ethnicity, diabetes type and postcode which is already submitted to NHS England for the Core NDA collection can be used for patients registered in NDFA or NPID collection.

More information on data collected for the purposes of the NDA is available. 

For the NDA programme collections, we collect data from healthcare providers in Wales such as:

• GP practices (if they have chosen to participate in the audit)
• specialist diabetes out-patient services

• maternity units with a joint diabetes and maternity service within NHS Trusts
• diabetes footcare services within NHS trusts
• NHS acute care providers

We also collect National Paediatrics Diabetes Audit (NPDA) data from the Royal College of Paediatrics and Child Health (RCPCH) and link this to NDA data to understand the transition of care from paediatric to adult diabetes services.

We also link to other data NHS England holds, such as the Maternity Services Dataset for the purposes of the National Gestational Diabetes Audit. 

Upon receipt of the data from healthcare providers, we pseudonymise (de-identify) the data for security and data minimisation purposes. The data is analysed to improve data completeness and quality. NDA data is then linked to other datasets held by NHS England to produce a complete picture of diabetes care and compare patient outcomes to help identify areas for quality improvement. Through participation in the audit, local services can benchmark their performance and identify where they are performing well and improve the quality of treatment and care they provide to patients.

We also publish NDA data in a variety of formats such as annual national reports and interactive data dashboards. 

Data protection law requires NHS England to have a legal basis before we can use your personal data.

Our legal basis is:

Public task - Article 6(1)(e) of UK GDPR. NHS England has accepted a section 255 Request under the Health and Social Care Act 2012 from Digital Health and Care Wales (DHCW) to establish and operate an information system for the collection and analysis of information relating to people with diabetes in Wales. This Request is called the National Diabetes Audit for NHS Wales 2021.

We also need an additional legal basis in the UK GDPR and the Data Protection Act 2018 (DPA 2018) to use data which is extra sensitive. This is known as ‘special categories of personal data’. Our legal bases to use data relating to your health for the purposes of the NDA are:

• health or social care – Article 9(2)(h) of UK GDPR, plus Schedule 1, Part 1, Paragraph 2 “Health or social care purposes” of DPA 2018
• public health – Article 9(2)(i) of UK GDPR, plus Schedule 1, Part 1, Paragraph 3 “Public health” of DPA 2018
• scientific research - Article 9(2)(j) of UK GDPR, plus Schedule 1, Part 1, Paragraph 4 “Research etc” of DPA 2018

We treat the data we hold with great care. All data which is shared by NHS England is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will ever be shared. 

Data is shared or is expected to be shared with organisations such as healthcare providers, clinicians, and commissioners of NHS services, for example:

• the organisation that provided your care: to assess the effectiveness of your care and to improve the services they offer 
• Digital Health and Care Wales: to inform policy and guidelines  
• research organisations, including universities and charities: to carry out research 

Organisations must apply and gain approval through NHS England’s Data Access Request Service to access NDA data.

Each application is assessed very carefully to make sure that the organisation: 

• has a legal basis to access the data
• will use the data for the benefit of health and care and for the agreed purposes only 
• will handle and store the data securely 

We only share data which can identify you (identifiable data) if this is absolutely necessary and the organisation who has made an application for data cannot achieve their purpose without it. Where possible we remove information from the data which identifies you, or we replace it with a unique reference number (this is known as pseudonymisation). 

Each organisation we share data with must sign a Data Sharing Framework Contract and a Data Sharing Agreement and we carry out audits to check they are using the data as agreed. 

The minimum retention period for NDA data is 8 years after the closure of the NDA audit initiative. This retention period will be reviewed regularly to ensure that the data is only held as long as is necessary our purposes in accordance with the Records Management Code of Practice 2021 and our Records Management Policy. 

Other organisations we share your personal data with must only keep it for as long as is necessary and as set out in their Data Sharing Agreement. Information about this will be provided in their privacy notices on their websites

We securely store your data on our servers in the United Kingdom (UK).

Under data protection law, you have the following rights over your data for this collection:

• Your right to be informed – You have the right to be told how and why we are using your personal data. We have published this transparency notice to provide you with this information
• Your right to get copies of your data – You have the right to ask us for copies of your personal data (right of access). For more information, see how to make a subject access request
• Your right to get your data corrected – You have the right to ask us to correct (rectify) your personal data if you think it is inaccurate or incomplete
• Your right to limit how we use your data – You have the right to ask us to limit the way we use your personal data (restrict processing) in certain circumstances
• Your right to object to how we use your data – You have the right to object to how we process your data in certain circumstances

To make a rights request, email us at [email protected].

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at: [email protected] 

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through their website. 

We may make changes to this notice. If we do, the 'last edited' date on this page will also change. Any changes to this notice will apply immediately from the date of any change.