Effective date: 18 December 2018

Who is this document for?

This document is for all people who have been a patient at an NHS hospital in England or have interacted with mental health services through the NHS in England over the past five years.

What type of personal information we hold

We hold and process data that has been anonymised and which cannot be used to identify an individual. We also hold and process data that is pseudonymised prior to being sent to us, meaning that parts of the data that could be used to identify someone are replaced with a key. We do not hold that key and so are not able to identify anyone from the pseudonymised data that we hold.

We hold pseudonymised and anonymised extracts of health and care records received in the National Health Service in England, in the form of Hospital Episode Statistics (HES), Secondary Use Service Payment By Results (SUS PbR), primary care data, social care data and the Mental Health Services Data Set (MHSDS). This covers a broad range of primary care, social care, hospital activity and spend covering GP appointments, inpatient and day case admissions, outpatient appointments, critical care, accident and emergency attendances, social care interaction and mental health services interaction.

You will be included in this database if you have been a patient at a GP practice or NHS hospital in England, or have interacted with social care, community care or mental health services through the NHS in England, and you have not opted out of your data being sent to NHS Digital or used in healthcare research and planning. These data sets, although they contain your personal information, are always pseudonymised such that we would not be able to identify you, nor would we try to identify you in any instance unless specifically requested to do so by the data controller. A detailed explanation of HES, SUSPbR , primary care, social care and MHSDS can be found by clicking each acronym. You are able to manage your personal data choices within the NHS by following this link.

How we use your personal information

We process patient data for the purpose of helping healthcare organisations to identify areas of opportunity in performance or efficiency and work with them to improve. Customers use our services for a number of different purposes including:

  • To benchmark performance and spend against similar health systems in England
  • Identify improvements in operational efficiency and monitor the impact of implemented changes
  • Understand the drivers of activity and spend in a system and use this to develop a forward plan
  • Analyse patient outcomes, quality and activity metrics and use this to develop plans to improve

HES and SUS PbR data are provided to us by NHS Digital, where we act as a data controller along with NHS Digital through signing a Data Sharing Framework Contract and a Data Sharing Agreement. These data are provided to us by NHS Digital under licence and under sections 261(1) and 261(2)(b)(ii) of the Health and Social Care Act 2012.

Moreover, under General Data Protection Regulation (GDPR) we have specified the legal bases for collecting and processing your data; this is as follows:

  • Article 6 (1) (f) – It is necessary for our legitimate interests in being able to provide tools and services that will benefit healthcare organisations.
  • Article 9 (2) (j) – It is necessary for reasons that are in the public interest in the area of public health. We provide tools and services to public healthcare organisations that help them to monitor and improve the standards and quality of care that they offer. Our processing is thus designed to benefit patients and society as a whole through facilitating better healthcare in the UK

Some of our NHS clients provide us with pseudonymised patient-level healthcare data that we use for our analyses; here we act as the data processor and our NHS client acts as the data controller who is acting in the public interest. The legal basis for processing the data here is, through the data controller, article 6(1)(e) and 9(2)(j) of GDPR, which state that it is necessary for reasons in the public interest.

How we share your personal information

Your personal data will be used only for specific client work and for research in the public interest. The data we share with our NHS clients will not be identifiable unless specifically requested to do so by the data controller. HES and SUS PbR data provided to us by NHS Digital will always be shared in an aggregated format, and never in a form that could be identifiable. Indeed, in most cases, we will share aggregated analysis with its NHS clients in presentations, reports or cloud-based visualisation tools, in full compliance with the small numbers guidance in the HES Analysis Guide. In general, all outputs can be grouped into one of several categories detailed below:

  • We provide detailed reports to clients, which contain data in table format containing aggregated, non-patient identifiable data with small numbers suppressed in line with the HES Analysis Guide;
  • These reports may also contain visualisations created using data based on aggregated, non-patient identifiable results of quantitative analysis;
  • We present the aggregated, non-patient identifiable results with small numbers suppressed, in the form of tables and visualisations, at meetings with NHS client stakeholders;
  • We provide interactive visualisations to NHS clients in the form of cloud-based tools;
  • National benchmarks will be derived from the national data sets provided to us by NHS Digital and may be shared with our NHS clients

Where we process your personal information

The patient data we receive from NHS Digital and from other NHS organisations is only ever processed in the UK. We never send or process your personal data outside of the UK.

How long we keep your personal information

When acting as a data controller, we only keep the historical HES and SUS PbR data in our data warehouse for as long as our agreement with NHS Digital exists. When acting as a data processor, we keep pseudonymised data provided to us by our NHS clients for a maximum of 5 months after the end of our contract of work.

Accessing your information and other rights

You have a number of rights relating to your personal information, including:

  • Access – You have the right to request a copy of any personal information we hold about you.
  • Correction – If any of the information we hold about you is incorrect or incomplete then this should be corrected through your healthcare provider or via NHS Digital.
  • Erasure – You can request that your personal information is erased if it is no longer necessary for CF to keep it, or you no longer consent for your personal healthcare information to be used for research and planning (see below), or you object and there are no overriding grounds to keep it or if it is unlawful for us to continue to keep it
  • Restriction – You can request that the use of your personal information is limited to storage only and that we use it for no other purpose. This applies when you contest the accuracy of the personal information that we hold, or our use of the information is unlawful, or we no longer need the information except in relation to legal claims, or you object to the use of your data and we need to verify whether or not out purpose for keeping it overrides the grounds of your objection

How to object or withdraw consent

You can opt-out of your confidential patient information being used for research and planning by visiting https://www.nhs.uk/your-nhs-data-matters. Opting out means that your pseudonymised data will not be passed to use. Moreover, if we already hold your personal information and you subsequently opt-out, when our systems are refreshed your information will no longer be held by us.

How to contact us

If you have any query about your personal information rights then please contact our Information Governance lead, Jo Andrews, on [email protected], call us on +44 (0)20 3770 7535, or write to us at CF, 4th Floor, Henry Wood House, 2 Riding Street, Marylebone, London, W1W 7FA

How to complain

If you feel that we have let you down in relation to your information rights, then please contact Information Governance using the details above.

You can also make complaints directly to the Information Commissioner’s Office (ICO). The ICO is the independent authority upholding information rights for the UK. Their website is ico.org.uk and their telephone helpline number is 0303 123 1113.

Carnall Farrar Ltd Proprietary Information

The information contained in this document is Carnall Farrar Ltd proprietary information and is disclosed in confidence. It is the property of Carnall Farrar Ltd and shall not be copied or disclosed to others, in full or in part, or used for any other purpose without the prior written consent of Carnall Farrar Ltd.