National clinical audit privacy notice

The Royal College of Psychiatrists (the College) hosts several national clinical audits which collect data on compliance with agreed standards and provide local NHS Trusts/organisations with benchmarked reports on compliance and performance. 

The audits aim to improve the quality of care provided for an identified group of service users (patients), such as those with dementia in general hospitals.  At present, the College hosts the following audits:

  • National Audit of Dementia;
  • National Clinical Audit of Anxiety and Depression;
  • National Clinical Audit of Psychosis.

The College is the data processor for the information you provide to us as part of a national clinical audit.  The funder of the national clinical audits, the Healthcare Quality Improvement Partnership (HQIP), is the data controller for the data submitted to national clinical audits.

If you have any queries about the process or how we handle your information, please contact us at dataprotection@rcpsych.ac.uk

Sources of information used by national clinical audits

Information about a service users care is submitted to the relevant audit by the NHS Trusts or organisations providing NHS-funded care, providing care to the service user.

The majority of the information is collected from hospital records, although some may be collected specifically for the purpose of the audit. Data is submitted via a secure web-based tool. 

Security and confidentiality is maintained through the use of passwords and registration process.

Information submitted about service users’ care is pseudonymised. 

The national clinical audit teams cannot identify the individual service user from the information they receive.

The individual NHS Trusts or organisations providing NHS-funded care, hold the information needed to link a particular service user to the information submitted about the individuals care.

The national clinical audits also gather registration information directly from NHS Trusts or organisations providing NHS-funded care to support the management of the audit, such as contact details for the individuals responsible for the local implementation of the audit.

Some national clinical audits collect information from other sources such as staff providing care and treatment, and in some cases from service users, their family members, friends or carers.

Data is submitted via a third party secure web-based tool or paper questionnaires received by pre-paid post.

The data collected from service users, their family members, friends or carers is anonymous.

What will we do with the information you provide to us?

All of the information you provide will only be used for the purpose for which you provided it or to fulfil business, legal or regulatory requirements if necessary.

The national clinical audits will not share any of the information provided to us with any third parties for marketing purposes. 

Information is held in secure data centres in the EU and US which comply with ISO 27001 security standards. 

The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

All of the data is accessible only to staff members working on the individual audit and data processors by approval.

All audit data is held within restricted areas, is password protected and encrypted. 

The national clinical audits publish reports on the aggregated data at NHS Trust/organisation, Clinical Commissioning Group (CCG), regional and national levels at specific points during the audit programme. 

We will use the staff contact details at the NHS Trust or organisation providing NHS-funded care you provide to us at registration to contact you and in connection with any ongoing relationship with the relevant national clinical audit.

You can request for the information to not be used to communicate with you about events or other communications such as newsletters. 

What information do we ask for, and why?

The national clinical audits do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. 

The information we ask for is used to either maintain a record of you and to contact you, or for the purpose of assessing compliance against the agreed audit standards and providing benchmarked reports on compliance and performance. 

We process:

  • Demographic data including age, sex, ethnicity;
  • Equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your status with the college. This information will not be made available to any staff outside of the college in a way which can identify you. Any information you do provide, will be used only to produce and monitor anonymous equal opportunities statistics and to promote diversity and equality.
  • Care data including date and time of admission, interventions received (e.g. medication, psychological therapies), processes of care;
  • Outcome data including date of discharge, re-admission, discharge destination and clinical improvements (e.g. scores on outcome measures such as HoNOS).

Use of data processors 

Data processors are third parties who process data for us.  We have contracts in place with our data processors.

This means that they cannot do anything with the information unless we have instructed them to do it.

All the information provided to our data processors is pseudonymised and they will not share your personal information with any organisation apart from us.

They will hold it securely and retain it for the period we instruct. 

The data processors we use are:

  • Software providers/hosts for databases which hold the data (Snap Surveys Ltd and Formic);
  • External statisticians for detailed analysis of anonymised sections of data.

How long is the information retained for?

The College contract with HQIP for the national clinical audits lasts for three years with a possible two year extension.

Pseudonymised data collected as part of a national clinical audit is retained for the duration of the audit and for five years after it is completed. 

Legal basis for processing

The national clinical audits process data under Article 6(1)(e) of the General Data Protection Regulation (GDPR) which allows for the processing of data where this is carried out in the public interest or in the exercise of official authority vested in our data controller, HQIP.

Confidentiality

Service user, family member, friend and carer information received and managed by the national clinical audit teams is treated as confidential. 

The information is available to the audit teams in a pseudonymised format, individual patients are only identifiable by the submitting NHS Trust/organisation using their coded service user lists which are held by them.

The national clinical audit teams do not have access to these lists. 

The audit teams will not publish information that can enable individual service users, family, friends or carers, or staff to be identified, nor allow third parties to access the data.

The confidentiality and security of information is maintained in the following ways:

  • All reports include aggregated data at the relevant level (national, regional, CCG, NHS Trust/organisation);
  • In all audit publications, the statistical information is reviewed to ensure the risk of identification is minimised, and where necessary, small numbers are suppressed. This assessment follows guidelines issued by the Office for National Statistics - Review of the Dissemination of Health Statistics: Confidentiality Guidance.

Your rights

Under the Data Protection Act 1998, and incoming General Data Protection Regulation (GDPR) you have rights as an individual which you can exercise in relation to the information we hold about you.

What if I do not want my information used by the audit?

Service users can choose to opt-out of the audit.  Opting out of the audit will not affect the care a service user receives. 

For more information about how to opt-out of the audit, please contact your local NHS Trust/organisation directly as the audit teams do not hold service user identifiable information. 

Complaints or queries

The College takes any complaints we receive about the way in which we use personal data very seriously.

We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

If you want to make a complaint about the way we have processed your personal information you can contact us using the details at the bottom of this notice.

You can also complain to the Information Commissioner’s Office directly:

Wycliffe House Waterlane Wilmslow Cheshire SK9 5AF

Website: http://www.ico.org.uk/

Tel: 0303 123 1113

Changes to this privacy notice

We keep our privacy notice under regular review. This Privacy Notice was last updated in April 2018.

How to contact us

If you want to request information about our privacy policy you can email us at dataprotection@rcpsych.ac.uk or at the below address:

Data Protection Officer

Royal College of Psychiatrists

21 Prescot Street

London

E1 8BB

Please read our disclaimer.