NCAPOP Privacy Notice

Updated: October 2024

Healthcare Quality Improvement Partnership Ltd (HQIP) (referred to as “HQIP” “We, “Our” or “Us”) are committed to protecting the privacy and security of your Personal Data and being open and honest about how it is used.

About HQIP

The Healthcare Quality Improvement Partnership (HQIP) was established in April 2008 to promote quality in healthcare and, to increase the impact that clinical audit has on healthcare quality improvement. We are an independent organisation led by the Academy of Medical Royal Colleges and The Royal College of Nursing.

HQIP commissions, manages, supports and promotes national and local quality improvement, through this work HQIP is responsible for several national quality improvement programmes. These include the National Clinical Audit and Patient Outcome Programme (NCAPOP) and the National Joint Registry (NJR).  The NCAPOP is composed of approximately 38 projects which cover national clinical audit and clinical outcome reviews. NHS England, Department of Health, Welsh Government and other devolved nations fund and commission HQIP to manage these programmes.

This Privacy Notice relates to HQIP where we are a Data Controller for commissioned or hosted projects.

HQIP is a controller for the clinical data collected and processed by these programmes, we determine and authorise the purpose for, and manner in, which the data collected are processed.

For the NCAPOP specifically, HQIP is joint data controller in partnership with NHS England for the England component of the NCAPOP and Digital Health and Care Wales (DHCW) for the Wales component of the NCAPOP.

The organisations HQIP commissions to deliver these projects are data processors as they are responsible for collecting and processing personal data. HQIP does not directly receive, handle or otherwise process personal or special category data as part of the work it commissions from other organisations to deliver the NCAPOP.

We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what measures we take to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.

Data Protection Legislation

Throughout this document we refer to Data Protection Legislation.

In the United Kingdom (UK), Data Protection Legislation means the Data Protection Act 2018 (“DPA 2018”), United Kingdom General Data Protection Regulation (“UK GDPR”), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and any legislation implemented in connection with the aforementioned legislation.

HQIP has a Data Protection Officer who can be contacted by emailing: [email protected].

Lawful basis

Under GDPR the lawful basis used by HQIP for NCAPOP purposes is:

  • performance of a task in the public interest (article 6(1)(e))

The lawful basis we use for processing special category data is

  • ‘public health’ to ensure high standards of quality and safety in health care (article 9(2)(i))

Under the UK Data Protection Act 2018 the lawful basis is Schedule 1(1)(3) underpinned by the Health and Social Care Act 2021 Part 1, section 2.

This is justified as through its NCAPOP projects HQIP aim to drive improvements in care and outcomes for patients, with commissioning and funding arrangements which link back to NHS England, the Welsh Government and other national bodies who have statutory responsibilities to improve quality of health care services.

Individual projects are required to meet the common law duty of confidentiality if personally identifiable patient health information is processed. The lawful basis under GDPR and the common law duty of confidentiality will be project specific.

NCAPOP projects are commissioned to process patient health data for secondary purposes and may rely on different legal gateways for such processing (this is usually either an approval granted by the Confidentiality Advisory Group (CAG) under section 251 of the NHS Act 2006 or an NHSE’s Direction).

Please refer to individual project privacy notices for details of their lawful basis under GDPR and the common law duty of confidentiality. These can be found on the relevant provider websites, please see below for a hyperlinked list to all projects.

Re-use of personal data from commissioned / hosted projects

Personal health data processed for HQIP’s commissioned / hosted programmes often can have significant public benefit, so HQIP has a data access process and operates a Data Access Request Group (DARG) to manage requests and provide approval for data sharing or reuse.

The DARG must give permission before any personal data can be used for third party access for research purposes, service evaluation, clinical audit or for any use of the audit data outside of the stated purpose for which it was collected. HQIP will only share data where there is demonstrable public benefit and the necessary ethical, security and legal permissions are in place. DARG is also the mechanism for sharing personal data back to the joint data controllers for the data, such as NHS England and Digital Health and Care Wales.

The range of applicant organisations, from hospitals and universities, through to statutory bodies such as our funders, means that the legal provisions relied on for the new processing of the personal data are varied, particularly in relation to meeting or legally setting aside the duty of confidentiality.

Some examples are included below, however the list is not exhaustive:

  • HQIP’s Overarching Research Database Approval for the NCAPOP which permits the re-use of de-personalised data for research purposes under S.251 of the NHS Act 2006 (Reference 24/CAG/0108, approved 18/09/2024, as listed on the Confidentiality Advisory Group Register)
  • The Data Services for Commissioners Direction – when data is shared with NHS England and onwards to Integrated Care Boards and NHS organisations for commissioning purposes
  • Explicit patient consent (for example for interventional research studies)
  • Section 251 of the NHS Act 2006 or a Welsh Ministers’ Direction to DHCW, in line with the National Health Service (Wales) Act 2006 and the Digital Health and Care
  • Regulation 3, Health Service (Control of Patient Information) Regulations 2002 when data is shared with the UK Health Security Agency
  • Individual third-party approvals under Section 251 of the NHS Act 2006, and its current regulations when sharing data for research or non-research purposes, where there is sufficient public interest and no other legal provision can be used.
Project specific information

Each quality improvement project has its own privacy notice and fair processing documentation to ensure transparency. Data from Devolved Nations (such as Scotland and Crown Dependencies may be included in some of the NCAPOP projects. More details around this will be provided in the specific privacy notice for each project. Individual project privacy notices should be referred to for the following information as details are project specific:

  • What data is being collected and what they are used for
  • How long data is kept
  • What data is shared and with whom
  • Security (how data are kept secure)
  • How to exercise your individual rights
  • Where applicable, how the project complies with the National Data Opt Out in England
  • Details of the Data Protection Officer

Please see below for a list of all national quality improvement projects which HQIP commissions, manages or hosts:

How we use your information

We use your information in the following ways:

  • To send you communications required by law or which are necessary to inform you about changes to the services we provide you. For example, updates to this privacy policy
  • To comply with our contractual or legal obligations to share data with law enforcement. For example, when a court order is submitted to HQIP to share data with law enforcement agencies or a court of law
  • To process and monitor your order should you buy something from us (such as through our Data Access Request process)

Please note that we may process your Personal Data without your knowledge or consent, where this is required or permitted by law.

When we will collect your information

In general, we will collect this data directly from you. Where this is the case, you are under no obligation to provide us with your Personal Data.

  • When you apply for audit data via our data access process
  • Through our National Clinical Audit Directory
Who we share your personal details with

We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:

  • sub-contractors for the performance of any contract we enter into with them or you; or
  • service providers acting as processors who provide IT and system administration services

For further information about personal data we collect on our website, please see our Privacy Notice, available here. We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us or further sub-processors who must comply with our instructions. They will hold your personal data securely and retain it for the period we instruct.

In addition to the Data Processors indicated above, we may have to share your personal data with third party Data Controllers in order to provide our services to you or otherwise fulfil our legal obligations.

Examples of third parties include:

  • local authorities/public services;
  • NHS bodies;
  • The Police, and other law enforcement agencies; and/or
  • The Courts.
How long we will keep your information

We will always retain your personal data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary.

Personal data processed for the purpose of a data access request processed via our Data Access Request Group service is retained for 6 years after your data sharing agreement expiry date. Declaration of Interest records are retained of 6 years. Supplier contracts are retained for 6 years.  For other personal information we will retain it for no longer than is necessary, and in accordance with our records management policy.

Automated decision making and profiling

Your data is not subject to automated decision making or profiling as defined in data protection legislation.

Security of your personal data

We know your personal information is important to you and data security is of great importance to HQIP. We have put in place appropriate technical and organisational measures to prevent your personal data from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our resources to only those that we have determined are entitled to have it;
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
  • All staff are regularly trained in IT, data security and data protection;
  • Implementing access controls to our information technology systems; and,
  • Deploying appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks and websites.
How we protect your personal data

We know your personal information is important to you. Therefore, we securely store the personal information we receive and use appropriate security features to prevent any unauthorised access. We have internal policies which set out and guide our data security. All staff adhere to this approach and are regularly trained in data protection.

Your rights over your information

The right to be informed about our collection and use of personal data; 

You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

Right to Access Your Personal Data 

You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes called a ‘Data Subject Access Request.’ If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed.

We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data.

Right to Rectify Your Personal Data 

If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.

Right to Erasure 

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data.

Right to Restrict Processing 

You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances.

Right to Portability 

The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.

Right to Object 

You have the right to object to our processing of some or all the personal data that we hold about you. This is an absolute right if we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.

For more information about your privacy rights 

In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: https://ico.org.uk/for-the-public.

You can make a complaint to the ICO, or any other supervisory authority, at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. We will always do our absolute best to solve any problems you may have.

If you would like to exercise any of your rights listed above or contact us about the processing of your personal data, please contact the Data Protection Officer by emailing [email protected]

HQIP is on the Information Commissioner’s Office register of Data Controllers (reference is Z1780946) and has a Data Protection Officer who can be contacted at the address on the website or by emailing: [email protected].

NHS England Data Protection Officer can be contacted by emailing [email protected]. Digital Health and Care Wales joint Data Protection Officer can be contacted by emailing: [email protected].