Prescribing observatory for mental health (POMH) privacy notice

Information is submitted to POMH from a number of sources. NHS Trusts or organisations submit information on organisational processes and patients' care as part of their participation. Some of this information is collected from hospital records, although most of the information on organisational processes is collected specifically for their participation in the project.

Data is submitted via a secure, third-party web-based tool. Security and confidentiality is maintained through the use of passwords and registration processes.

Where NHS Trusts or organisations submit data about patients’ care, the data is pseudonymous or anonymous. The POMH team cannot identify the individual patient from the information they receive.

Where the data is pseudonymised, the individual NHS Trusts or organisations, hold the information needed to link a patient to the information submitted about the individuals care.

POMH also gathers registration information directly from NHS Trusts or organisations to support the management of the project, such as contact details for the local individuals responsible for the Trust or organisation in the project.

Most CCQI projects collect information from other sources, such as staff providing care and treatment, or organisations and individuals who work closely with the Trust/organisation in question.

All of the information you provide will only be used for the purpose for which you provided it or to fulfil business, legal or regulatory requirements if necessary.

POMH will not share any of the information provided to us with any third parties for marketing purposes.

Information is held in secure data centres in the EU and US which comply with ISO 27001 and Cyber Essential Plus security standards.

The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

All the data is accessible only to staff members working on the individual project and data processors by approval.

All data is held within restricted areas, is password protected and encrypted.

POMH may produce public reports showing aggregated data at national level at specific points during the project.

Customised reports are also produced for participating NHS Trusts or organisations containing data at national, Trust/organisation and team/service levels, which are only made available to the NHS Trust or organisation who provided the data. NHS Trusts and organisations appear anonymously within all POMH-UK reports.

POMH may publish aggregated data on its website and in appropriate scientific journals.

Aggregated data may also be shared in limited circumstances where there is clear scientific or public benefit, such as in the development of national, evidence-based treatment guidelines.

POMH occasionally works in collaboration with other groups or organisations on specific topics that are not part of POMH quality improvement programmes. NHS Trusts and organisations choose to participate in data collection for all topics and retain control of their data. Individual datasets of participating NHS Trusts and organisations will not be shared with third parties. Anonymous and aggregated data may be shared with collaborators and published.

We will use the staff contact details at the NHS Trust or organisation provided to us at registration to contact you and in connection with the ongoing working relationship with POMH.

You can request for the information to not be used to communicate with you about events or other communications such as newsletters.

POMH does not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to either maintain a record of you and to contact you, or for the purpose of assessing compliance against the agreed standards and providing reports on performance.

We process:

• patient information such as age, gender, ethnicity, diagnosis, legal status
• care data including date of admission, treatment and interventions received (e.g. medication, psychological therapies), processes of care such as medication reviews
• outcome data including date of discharge, re-admission, discharge destination and clinical improvements
• data on organisational processes and procedures.

Data processors are third parties who process data for us. We have contracts in place with our data processors. This means that they cannot do anything with the information unless we have instructed them to do it.

All the information provided to our data processors is pseudonymised and they will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

The data processors we use are:

• software providers/hosts for databases which hold the data
• external statisticians for detailed analysis of anonymised sections of data.

The CCQI adheres to the timescales specified in the College’s Record Retention Schedule.

If you wish to learn more about our retention periods, please contact us using the details below.

POMH process data under the contract the NHS Trust or organisation has entered into with us.

The information received and managed by the project team is treated as confidential.

The information is available to the project team in an anonymous or pseudonymised format.

In the case of pseudonymised data, individual patients are only identifiable by the submitting NHS Trust/organisation using their coded patient lists which are held by them.

The project team do not have access to these lists.

The project team will not publish information that can enable individual patients or staff to be identified, nor allow third parties to access the data.

The confidentiality and security of information maintained in the following ways:

• all reports include aggregated data at the relevant level (national, NHS Trust/organisation)
• reports with data on individual teams/services within NHS trusts or organisations are only shared with the relevant organisation concerned
• in all reports, NHS Trusts/organisations are assigned codes for benchmarking performance against others
• individual teams/services are assigned codes by the NHS Trust/organisation that supplied their data and cannot be identified by the POMH-UK team.

We do not routinely share information with Regulatory or Public Authorities, for example: the Care Quality Commission or other equivalent bodies. We will share information where we have a statutory or regulatory requirement to do so, for example where we identify that staff or patients may be in imminent danger, where there are concerns about unsafe practices or where they may be breaches of human rights.

Under the Data Protection Act 2018, including the General Data Protection Regulation (GDPR) you have rights as an individual which you can exercise in relation to the information we hold about you.

POMH does not collect identifiable patient information.

If you have concerns about your information being used in POMH audits, please contact the person responsible in your local NHS Trust/healthcare organisation directly.

The College takes any complaints we receive about the way in which we use personal data very seriously.

We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

If you want to make a complaint about the way we have processed your personal information you can contact us using the details at the bottom of this notice.

You can also complain to the Information Commissioner’s Office directly:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113

You can also find more information on the Information Commissioner's Office website.

We keep our privacy notice under regular review. This Privacy Notice was last updated in October 2021.