Prescribing observatory for mental health (POMH-UK) privacy notice

The Royal College of Psychiatrists’ (the College) Centre for Quality Improvement (CCQI) runs several projects, including POMH-UK (the Prescribing Observatory for Mental Health) which aims to improve the quality of care provided for people with mental health conditions and problems.

POMH-UK works with NHS Trusts and other healthcare organisations [1].

The College is the data controller for the information you provide to us as part of a project.

If you have any queries about the process or how we handle your information, please contact us at dataprotection@rcpsych.ac.uk

Sources of information used by POMH-UK

Information is submitted to POMH-UK from a number of sources.

NHS Trusts or organisations submit information on organisational processes and patients' care as part of their participation.

Some of this information is collected from hospital records, although most of the information on organisational processes is collected specifically for their participation in the project.

Data is submitted via a secure, third-party web-based tool.

Security and confidentiality is maintained through the use of passwords and registration processes.

Where NHS Trusts or organisations submit data about patients’ care, the data is pseudonymous or anonymous.

The POMH-UK team cannot identify the individual patient from the information they receive.

Where the data is pseudonymised, the individual NHS Trusts or organisations, hold the information needed to link a patient to the information submitted about the individuals care.

POMH-UK also gathers registration information directly from NHS Trusts or organisations to support the management of the project, such as contact details for the local individuals responsible for the Trust or organisation in the project.

Most CCQI projects collect information from other sources, such as staff providing care and treatment, or organisations and individuals who work closely with the Trust/organisation in question.

What will we do with the information you provide to us?

All of the information you provide will only be used for the purpose for which you provided it or to fulfil business, legal or regulatory requirements if necessary.

POMH-UK will not share any of the information provided to us with any third parties for marketing purposes.

Information is held in secure data centres in the EU and US which comply with ISO 27001 and Cyber Essential Plus security standards.

The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

All the data is accessible only to staff members working on the individual project and data processors by approval.

All data is held within restricted areas, is password protected and encrypted.

POMH-UK may produce public reports showing aggregated data at national level at specific points during the project.

Customised reports are also produced for participating NHS Trusts or organisations containing data at national, Trust/organisation and team/service levels, which are only made available to the NHS Trust or organisation who provided the data. NHS Trusts and organisations appear anonymously within all POMH-UK reports.

POMH-UK may publish aggregated data on its website and in appropriate scientific journals.

POMH-UK collects data for quality improvement but may occasionally work in collaboration with other groups or organisations on specific topics that are not part of POMH-UK quality improvement programmes. NHS Trusts and organisations choose to participate in data collection for all topics and retain control of their data. Individual datasets of participating NHS Trusts and organisations will not be shared with third parties. Anonymous and aggregated data may be shared with collaborators and published.

We will use the staff contact details at the NHS Trust or organisation provided to us at registration to contact you and in connection with the ongoing working relationship with POMH-UK.

You can request for the information to not be used to communicate with you about events or other communications such as newsletters. 

What information do we ask for, and why?

POMH-UK does not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. 

The information we ask for is used to either maintain a record of you and to contact you, or for the purpose of assessing compliance against the agreed standards and providing reports on performance.

We process:

  • Patient information such as age, gender, ethnicity, diagnosis, legal status;
  • Care data including date of admission, treatment and interventions received (e.g. medication, psychological therapies), processes of care such as medication reviews;
  • Outcome data including date of discharge, re-admission, discharge destination and clinical improvements;
  • Data on organisational processes and procedures.

Use of data processors 

Data processors are third parties who process data for us.  We have contracts in place with our data processors.

This means that they cannot do anything with the information unless we have instructed them to do it.

All the information provided to our data processors is pseudonymised and they will not share your personal information with any organisation apart from us.

They will hold it securely and retain it for the period we instruct. 

The data processors we use are:

  • Software providers/hosts for databases which hold the data;
  • External statisticians for detailed analysis of anonymised sections of data.

How long is the information retained for?

The CCQI adheres to the timescales specified in the College’s Record Retention Schedule.

If you wish to learn more about our retention periods, please contact us using the details below.

Legal basis for processing

POMH-UK process data under the contract the NHS Trust or organisation has entered into with us.

Confidentiality

The information received and managed by the project team is treated as confidential. 

The information is available to the project team in an anonymous or pseudonymised format.

In the case of pseudonymised data, individual patients are only identifiable by the submitting NHS Trust/organisation using their coded patient lists which are held by them.

The project team do not have access to these lists. 

The project team will not publish information that can enable individual patients or staff to be identified, nor allow third parties to access the data.

The confidentiality and security of information maintained in the following ways:

  • All reports include aggregated data at the relevant level (national, NHS Trust/organisation);
  • Reports with data on individual teams/services within NHS trusts or organisations are only shared with the relevant organisation concerned;
  • In all reports, NHS Trusts/organisations are assigned codes for benchmarking performance against others;
  • Individual teams/services are assigned codes by the NHS Trust/organisation that supplied their data and cannot be identified by the POMH-UK team.

We do not routinely share information with Regulatory or Public Authorities, for example: the Care Quality Commission or other equivalent bodies. We will share information where we have a statutory or regulatory requirement to do so, for example where we identify that staff or patients may be in imminent danger, where there are concerns about unsafe practices or where they may be breaches of human rights.

Your rights

Under the Data Protection Act 1998, and incoming General Data Protection Regulation (GDPR) you have rights as an individual which you can exercise in relation to the information we hold about you.

What if I do not want my information used by the audit?

Patients or staff members can choose to opt-out of the project.

Opting out of the audit will not affect the care an individual receives or their employment with the relevant organisation.

For more information about how to opt-out of the audit, please contact the person responsible for the project in your local NHS Trust/organisation directly as the project team does not hold identifiable information. 

Complaints or queries

The College takes any complaints we receive about the way in which we use personal data very seriously.

We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

If you want to make a complaint about the way we have processed your personal information you can contact us using the details at the bottom of this notice.

You can also complain to the Information Commissioner’s Office directly:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: http://www.ico.org.uk/

Tel: 0303 123 1113

Changes to this privacy notice

We keep our privacy notice under regular review. This Privacy Notice was last updated in October 2020.

How to contact us

If you want to request information about our privacy policy you can email us at dataprotection@rcpsych.ac.uk or at the below address:

Data Protection Officer
Royal College of Psychiatrists
21 Prescot Street
London
E1 8BB

[1] For the purpose of this notice, both of these will be referred to as NHS Trusts or organisations as they hold overall control for the information submitted as part of the project.

Please read our disclaimer.

 


 

Get in contact to receive further information regarding a career in psychiatry