National clinical audit privacy notice
The Royal College of Psychiatrists (the College) hosts several national clinical audits which collect data on compliance with agreed standards and provide local NHS Trusts/organisations with benchmarked reports on compliance and performance.
The audits aim to improve the quality of care provided for an identified group of service users (patients), such as those with dementia in general hospitals. At present, the College hosts the following audits:
- National Audit of Dementia
- National Clinical Audit of Psychosis (please note that there are separate privacy notices for sites in England for the previous EIP 2020/2021 audit and the EIP 2020/2021 audit for under 18s as well as for the upcoming EIP 2024 audit and the EIP 2024 audit for under 18s).
The College is the data processor for the information you provide to us as part of a national clinical audit. The Healthcare Quality Improvement Partnership (HQIP), is the funder for the audits. HQIP is the joint data controller with NHS England for the data submitted to national clinical audits.
If you have any queries about the process or how we handle your information, please contact us at dataprotection@rcpsych.ac.uk.
Information about a service users care is submitted to the relevant audit by the NHS Trusts or organisations providing NHS-funded care, providing care to the service user.
The majority of the information is collected from hospital records, although some may be collected specifically for the purpose of the audit. Data is submitted via a secure web-based tool.
Security and confidentiality is maintained through the use of passwords and registration process.
Information submitted about service users’ care is pseudonymised.
The national clinical audit teams cannot identify the individual service user from the information they receive.
The individual NHS Trusts or organisations providing NHS-funded care, hold the information needed to link a particular service user to the information submitted about the individuals care.
The national clinical audits also gather registration information directly from NHS Trusts or organisations providing NHS-funded care to support the management of the audit, such as contact details for the individuals responsible for the local implementation of the audit.
Some national clinical audits collect information from other sources such as staff providing care and treatment, and in some cases from service users, their family members, friends or carers.
Data is submitted via a third party secure web-based tool or paper questionnaires received by pre-paid post.
The data collected from service users, their family members, friends or carers is anonymous.
All of the information you provide will only be used for the purpose for which you provided it or to fulfil business, legal or regulatory requirements if necessary.
The national clinical audits will not share any of the information provided to us with any third parties for marketing purposes.
Information is held in secure data centres in the EU and US which comply with ISO 27001 security standards.
The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
All of the data is accessible only to staff members working on the individual audit and data processors by approval.
All audit data is held within restricted areas, is password protected and encrypted.
The national clinical audits publish reports on the aggregated data at NHS Trust/organisation, Clinical Commissioning Group (CCG), regional and national levels at specific points during the audit programme.
We will use the staff contact details at the NHS Trust or organisation providing NHS-funded care you provide to us at registration to contact you and in connection with any ongoing relationship with the relevant national clinical audit.
You can request for the information to not be used to communicate with you about events or other communications such as newsletters.
The national clinical audits do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to either maintain a record of you and to contact you, or for the purpose of assessing compliance against the agreed audit standards and providing benchmarked reports on compliance and performance.
We process:
- demographic data including age, sex, ethnicity
- equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your status with the College. This information will not be made available to any staff outside of the College in a way which can identify you. Any information you do provide, will be used only to produce and monitor anonymous equal opportunities statistics and to promote diversity and equality.
- care data including date and time of admission, interventions received (e.g. medication, psychological therapies), processes of care
- outcome data including date of discharge, re-admission, discharge destination and clinical improvements (e.g. scores on outcome measures such as HoNOS).
Data processors are third parties who process data for us. We have contracts in place with our data processors.
This means that they cannot do anything with the information unless we have instructed them to do it.
All the information provided to our data processors is pseudonymised and they will not share your personal information with any organisation apart from us.
They will hold it securely and retain it for the period we instruct.
The data processors we use are:
- software providers/hosts for databases which hold the data (Net Solving LTD, Egress Software Technologies LTD and Microsoft LTD)
- external statisticians for detailed analysis of anonymised sections of data.
The College contract with HQIP for the national clinical audits lasts for three years with a possible two-year extension.
Pseudonymised data collected as part of a national clinical audit is retained for the duration of the audit and for five years after it is completed.
The national clinical audits process data under Data Protection Act DPA 2018 Schedule 1(1)(3) ‘public health’ underpinned by Health and Social Care Act 2012 Part 1 Section 2, which allows for data processing for health or social care purposes.
Article 6(1)(e) of the General Data Protection Regulation (GDPR) which allows for the processing of data where this is carried out in the public interest or in the exercise of official authority vested in our joint data controllers, HQIP and NHS England.
Article 9(2)(i) of the General Data Protection Regulation (GDPR) which allows for the processing of personal data for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
Addtionally, the National Clinical Audit of Psychosis (NCAP) has Section 251 approval to collect patient-identifiable data without consent (ref: 20/CAG/0105).
Service user, family member, friend and carer information received and managed by the national clinical audit teams is treated as confidential.
The information is available to the audit teams in a pseudonymised format, individual patients are only identifiable by the submitting NHS Trust/organisation using their coded service user lists which are held by them.
The national clinical audit teams do not have access to these lists.
The audit teams will not publish information that can enable individual service users, family, friends or carers, or staff to be identified, nor allow third parties to access the data.
The confidentiality and security of information is maintained in the following ways:
- All reports include aggregated data at the relevant level (national, regional, CCG, NHS Trust/organisation).
- In all audit publications, the statistical information is reviewed to ensure the risk of identification is minimised, and where necessary, small numbers are suppressed. This assessment follows guidelines issued by the Office for National Statistics - Review of the Dissemination of Health Statistics: Confidentiality Guidance.
Under the Data Protection Act 2018, including the General Data Protection Regulation (GDPR) you have rights as an individual which you can exercise in relation to the information we hold about you.
Currently, only the National Clinical Audit of Psychosis (NCAP) collects identifiable information. NCAP has Section 251 approval to collect patient-identifiable data without consent (ref: 20/CAG/0105). If you would like more information on how to opt out of the audit please see the documents below:
NCAP EIP Pilot Audit 2023
NCAP EIP Audit 2024
If you have concerns about your information being used in the National Audit of Dementia (NAD), please contact your local NHS Trust/healthcare organisation directly.
The College takes any complaints we receive about the way in which we use personal data very seriously.
We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.
If you want to make a complaint about the way we have processed your personal information you can contact us using the details at the bottom of this notice.
You can also complain to the Information Commissioner’s Office directly:
Wycliffe House
Waterlane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
We keep our privacy notice under regular review. This privacy notice was last updated in June 2022.
If you want to request information about our privacy policy you can email us at dataprotection@rcpsych.ac.uk or at the below address:
Data Protection Officer
Royal College of Psychiatrists
21 Prescot Street
London
E1 8BB