NHS All Age Continuing Care (AACC) Patient Level Data Set Transparency Notice

This transparency notice explains for the All Age Continuing Care data collection:

• why we collect information about you (we call this “personal data”)
• what we do with it, including who we share it with
• how long we keep it for and where we store it
• our legal basis for using it
• what your data protection rights are

To read more about how NHS England uses personal data to improve health and care, see Transparency Notice: how we use your personal data

The All Age Continuing Care (AACC) data set is a patient level, output based, secondary uses data set which aims to deliver robust, comprehensive, nationally consistent and comparable person-based information for children, young people and adults who are in contact with continuing care services, as defined in the National Framework for NHS Continuing Healthcare and NHS-funded Nursing Care and the National Framework for Children and Young People’s Continuing Care. The AACC data will be collected from Integrated Care Boards in England and/or their system suppliers (ICB’s).

As a secondary uses data set it intends to re-use operational and financial data and is used to inform service improvements and monitor service performance, patient experience, and outcomes.

Under data protection law, NHS England is the ‘controller’ for the AACC data collection.  This means that we make decisions about what personal data we need to collect and how we will use your data to run the data collection. See the “Our legal basis for collecting and analysing personal data section” below for more information.

The AACC data collection will start from 1 April 2025 and will be collected monthly. Patient information collected includes:

• local patient identifier
• organisation identifier (organisation that generated the local patient identifier)
• NHS number
• NHS number status
• person birth date
• postcode of usual address
• person stated gender code*
• person stated sexual orientation code*
• ethnic category*
• religion or belief system affiliation code*
• person death date and
• disability indicator

Medical information such as patient condition and diagnoses information are not collected in this data set.

On receipt of the data we :-

• validate the data, standard validation routines are applied at the record value level to check the submission meets the required mandate and format, and to check that expected values are present and correct based on the context of the record
• using the NHS Number we add the patients registered GP from the Personal Demographics Service database and to the Master Person Service (MPS) to ensure that records are matched accurately.
• we then de-identify (pseudonymise) to remove NHS Number and replace with a Token ID, which means to remove identifiers but are still able to link data in this collection to the same patient’s data in another dataset held by NHS England
• the de-deidentified data is stored within the NHS England National Data Commissioning Repository (NCDR)

The AACC Data Team within NHS England, part of NHS England’s AACC Business Unit, and AACC Strategic Improvement programme, are responsible for carrying out analysis of the AACC data in order to provide performance information across the service and at the ICB level.

Continuous monitoring of these metrics will allow for informed and targeted allocation of resources to improve service delivery.

AACC data and metrics will be used to check and monitor adherence to the National Frameworks, particularly in CYP continuing care where there is known to me more variation in local procedures.  The AACC data team also produce and disseminate dashboards for consumption by NHS England and ICB’s.

We have been issued a legal document, called Directions, from the Secretary of State for Health and Social Care which places a legal obligation on NHS England to collect and analyse AACC data. These Directions are issued to NHS England under section 254 of the Health and Social Care Act 2012 and are called the NHS All Age Continuing Care Directions 2024. 

Under the UK General Data Protection Regulation (UK GDPR), NHS England is the controller of your personal data where we have been told to collect and use your data by law (we have a legal obligation). We are also a joint controller with the Department of Health and Social Care, which is a government department the Secretary of State for Health and Social Care holds responsibility for.

Where NHS England has been directed by the Secretary of State for Health and Social Care they are joint controllers with regard to establishing the purpose for the data processing, NHS England is sole controller in respect of sharing of personal data.

NHS England’s legal basis under the UK GDPR and Data Protection Act 2018 (DPA 2018) is:

• Article 6(1)(c) - Legal obligation (the Directions).
• Article 9(2)(g) – substantial public interest supplemented plus DPA 2018 Schedule 1, Part 2, para 6 - Statutory etc and government purposes
• Article 9(2)(h) – Healthcare purposes, plus Schedule 1, Part 1, paragraph 2 (health or social care purpose) of DPA 2018 

NHS England’s Common Law Duty of Confidentiality legal basis is:

• Legal obligation (the Direction).
• NHS England also issues the hospitals in scope of this collection with a legal document called a Data Provision Notice under section 259 of the Health and Social Care Act 2012.  This places a legal obligation on the hospitals to provide the data to NHS England without breaching the Common Law Duty of Confidentiality.

NHS England will share data with organisations who have a lawful basis and need to access AACC data to support improvements to AACC delivery. 

The following aggregate reports are made available to ICB submitting organisations:

A data quality report is provided to ICB submitters on receipt of submission consisting of any errors or warnings raised by the standard and custom validations to detail to them any issues to be corrected and resubmitted to NHS England.

Two dashboards are provided to submitters by the NHS England AACC Data Team via the NHS Futures online platform:

• the Reconciliation Dashboard aggregates data from all providers’ AACC data set submissions and shows figures alongside equivalent aggregate data from the separate NHS CHC Data Set aggregate submission.
• the Data Receipt and Errors dashboard shows counts of records submitted by all providers, and counts of records that raised errors or warnings according to standard and custom and validations

Additionally AACC flows are sent to ICBs for commissioning purposes and is part of the suite of commissioning data products approved to flow to ICBs under an existing Data Sharing Agreement and for transparency available to view. 

Data will be made available via the NHS England’s Data Access Request Service (DARS),including through the NHS England secure data environment where relevant and in line with national policy guidelines. NHS England will use its discretionary powers under section 261 of 2012 Act and under any other statutory powers to disseminate data. Organisations will be able to apply to the DARS and on approval, with the appropriate legal basis, have access to data obtained under the Direction.

Any dissemination will be subject to appropriate organisations applying to access the data having a lawful basis to process it, NHS England having a lawful basis to disclose it, successful applications being made to the DARS and the organisations entering into a data sharing agreement. 

External requests for data from the AACC data set will be evaluated on a case-by-case basis through the Data Access Request Service (DARS), with oversight from the Advisory Group for Data (AGD) where appropriate. Such requests will be assessed by DARS in line with Data Access Request Service (DARS) guidance and standards.

NHS England has legal powers under the Health and Social Care Act 2012 to share data with organisations where it is necessary for particular purposes. 

Organisations must apply and gain approval through NHS England’s Data Access Request Service (DARS) to access AACC data.  Where a DARS application is approved, data will only be shared for analysis through the DARS Each application is assessed very carefully to make sure that the organisation:  

• has a legal basis to access the data
• will use the data for the benefit of health and care and for the agreed purposes only 
• will handle and store the data securely 

We only share data which can identify you (identifiable data) if this is absolutely necessary and the organisation who has made an application for data cannot achieve their purpose without it.  Where possible we remove information from the data which identifies you, or we replace it with a unique reference number (this is known as pseudonymisation). 

Each organisation we share data with must sign a Data Sharing Framework Contract and a Data Sharing Agreement and we may carry out audits to check they are using the data as agreed. 

We publish all of our data releases on our data release register which details who NHS England has shared data with, for what purpose, and the expected benefits.

Where appropriate, requests to access data includes independent scrutiny from the Advisory Group for Data (AGD).

The minimum retention period for AACC data for a maximum of 20 years after the closure of the AACC project.  This retention period will be reviewed regularly to ensure that the data is only held as long as is necessary our purposes in accordance with the Records Management Code of Practice 2021 and our Records Management Policy. 

Other organisations we share your personal data with must only keep it for as long as is necessary and as set out in their Data Sharing Agreement. Information about this will be provided in their privacy notices on their websites. 

This data will be stored within the UK.

You can read more about the health and care information collected by NHS England, and your choices and rights in:

• how we look after your health and care information
• NHS England general Transparency Notice and its associated GDPR Record of processing entry 
• how to make a subject access request

The National Data Opt-Out introduced on 28 May 2018 allows patients to opt out of their confidential patient information being used for research or planning purposes.

If you have registered a National Data Opt-Out, NHS England can still collect your data under the Directions.  This is because the National Data Opt-Out does not apply where NHS England has a legal obligation to collect the data (see section 6.4 of the National Data Opt-Out Operational Policy Guidance for more information).

You can find out more about and register a national data opt-out or change your choice on nhs.uk/your-nhs-data-matters

We will not share your identifiable patient information with other organisations for research and planning purposes, unless there is an exemption to this. You can find out more about where your choice does not apply and about opting out of sharing your health records on the NHS website.

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at: [email protected]

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through their website: https://ico.org.uk/make-a-complaint/  

NHS England may make changes to this Transparency Notice. If so, the date on the page header will also change. Any changes to this notice will apply immediately from the date of any change.