NHS England Privacy Notice

Purpose of this privacy notice

This privacy notice provides information about how the IMPPP research team will collect and process data provided by NHS England. This data relates to the use of hospital services by participants of the IMPPP trial, during the course of the trial.

Controller

The sole data controller for this project is the University of Bristol, Beacon House, Queens Road, Bristol, BS8 1QU. As the ‘data controller’ for this project, the University of Bristol determines the purposes and means of processing personal data. The University Charter gives researchers the power to make provision for research and for the enhancement and dissemination of knowledge.

Universities in the UK have a duty to ensure that it is in the public interest to collect and use personal details from people who have agreed to take part in research. The University of Bristol will only use data collected as needed to conduct the study.

Dr Deborah McCahon is the data controller’s representative for this project. Dr McCahon can be contacted via email at deborah.mccahon@bristol.ac.uk or via telephone 0117 455 4310.

The University of Bristol has a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. You can contact our Data Protection Officer at the University of Bristol on data-protection@bristol.ac.uk

The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Purposes for which we will use your personal data

The processing of these personal data is for the purposes of the IMPPP study, a clinical trial which aims to evaluate the clinical and cost effectiveness of a new approach for improving the use of medicines in people with polypharmacy attending primary care, compared with usual care.

The research team will use some of these personal data to access information about your use of hospital services during the IMPPP trial. The team will share your NHS number, Date of Birth, Postcode and Gender with NHS England to obtain your hospital service data. The table below provides a summary of the hospital service data that will be provided by NHS England and describes how these data will be used alongside the legal basis we rely on to do so. (for full details of the specific variables from the Hospital Episode Service data provided by NHS England to the IMPPP research team please click here)

Type of data being collected and processed	Specific purpose/activity	Lawful basis for processing
Date of Birth, NHS number, Postcode, Gender Data on A&E attendance Dates, nature of admission (including acuteness and route of attendance e.g. referral by a clinician, emergency call to 999, self referral), problem (including diagnoses), investigations, clinical outcome (including treatment and nature of discharge) Data on in-patient admissions Dates (admission, discharge), nature of admission (e.g. emergency, elective), diagnoses, procedures, nature of discharge Data on out-patient attendances Appointment date, nature of attendance, diagnoses, procedures	Identifying information is required to enable NHS Digital to establish linkage with Hospital Episodes Statistics (HES) identification codes and data relating to hospital usage by IMPPP study participants. Anonymised data for a period of 18 months to include the 6-month period prior to provision of consent up until the point of completion of the final study questionnaire will be collected from NHS Digital. Data will be processed by the University of Bristol. Data provided to the University by NHS England related to hospital admissions (including dates of admission/discharge and description of the diagnosis) alongside NHS number, Date of Birth, gender and postcode will be shared with the participant’s General Practice for the purposes of safety monitoring and reporting. Data will be shared via NHSmail a secure e-mail service accredited to the NHS secure email standard (DCB1596). Information on A&E attendance, in-patient admissions and outpatient attendances, will be used to evaluate the impact of the IMPPP intervention on health service use.	Article 6 (1) (e) necessary for the performance of a task carried out in the public interest Article 9 (2) (i) necessary for reasons of public interest in the area of public health Article 9 (2) (j) necessary for reasons of public interest in the area of scientific research

Type of data being collected and processed

Specific purpose/activity

Lawful basis for processing

Date of Birth, NHS number, Postcode, Gender

Data on A&E attendance

Dates, nature of admission (including acuteness and route of attendance e.g. referral by a clinician, emergency call to 999, self referral), problem (including diagnoses), investigations, clinical outcome (including treatment and nature of discharge)

Data on in-patient admissions

Dates (admission, discharge), nature of admission (e.g. emergency, elective), diagnoses, procedures, nature of discharge

Data on out-patient attendances

Appointment date, nature of attendance, diagnoses, procedures

Identifying information is required to enable NHS Digital to establish linkage with Hospital Episodes Statistics (HES) identification codes and data relating to hospital usage by IMPPP study participants. Anonymised data for a period of 18 months to include the 6-month period prior to provision of consent up until the point of completion of the final study questionnaire will be collected from NHS Digital. Data will be processed by the University of Bristol.

Data provided to the University by NHS England related to hospital admissions (including dates of admission/discharge and description of the diagnosis) alongside NHS number, Date of Birth, gender and postcode will be shared with the participant’s General Practice for the purposes of safety monitoring and reporting. Data will be shared via NHSmail a secure e-mail service accredited to the NHS secure email standard (DCB1596).

Information on A&E attendance, in-patient admissions and outpatient attendances, will be used to evaluate the impact of the IMPPP intervention on health service use.

Article 6 (1) (e) necessary for the performance of a task carried out in the public interest

Article 9 (2) (i) necessary for reasons of public interest in the area of public health

Article 9 (2) (j) necessary for reasons of public interest in the area of scientific research

The research team have a contract with NHS England which enables collection of data from the hospital records of IMPPP study participants. Explicit consent will be sought from IMPPP study participants for sharing of personal data with NHS England. Sharing of personal data with NHS England is necessary to enable data linkage with the Hospital Episodes Statistics dataset and collection of data from hospital records. The researchers will provide NHS England with the participant’s unique study identification code alongside the following personal data: date of birth, NHS number, postcode and gender. The dataset that NHS England return to the research team will be pseudonymised. This means that personal information (date of birth, NHS number, postcode and gender) will be removed. The released data set will contain the participant’s unique study identification code alongside hospital usage data.

The unique study identification code will be used by the study’s analytic team to enable linkage of released data to other study data held at the University of Bristol for the purposes of data analysis. Linkage of the data released by NHS England with the study data held at the University of Bristol is necessary to ensure that the participant’s data are analysed within the study group (e.g. intervention or control group) to which they have been randomly assigned.

Data provided to the University by NHS England relating to hospital usage (including dates of admission/discharge and description of the diagnosis) alongside NHS number, Date of Birth, gender and postcode will be shared with the participant’s General Practice Surgery for the purposes of safety monitoring and reporting. These data will be shared via NHSmail a secure e-mail service accredited to the NHS secure email standard (DCB1596).

Disclosures of IMPPP study participant personal data

Personal data will only be shared with NHS England and your GP surgery. The researchers will not share personal data with any third-party countries or international organisations.

Data security

The researchers have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access to personal data is limited to members of the research team who are involved in data analysis. A secure e-mail service (i.e. NHSmail) accredited to the NHS secure email standard (DCB1596) will be used to sharing data with the participant’s General Practice for the purposes of safety monitoring and reporting. Procedures are in place to deal with any suspected personal data breach. IMPPP study participants and any applicable regulator will be notified should a breach arise.

Data retention

The research team will only retain IMPPP study participant personal data (including the associated hospital data) for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. All personal information collected from IMPPP study participants will be removed from the study records so that identification is not possible. Personal data will be securely destroyed within 3 months of study completion.

Your legal rights

To safeguard your rights, the researchers will use the minimum personal data possible. The GDPR provides data subjects with a number of rights in relation to their personal data. These include:

Right to withdraw consent: where the lawful basis relied upon by the University is the data subject’s consent, the right to withdraw such consent at any time without having to explain why
Right to be informed: the right to be provided with certain information about how we collect and process the data subject’s personal data
Right to complain: the right to make a complaint to the Information Commissioner’s Office (ICO) or another appropriate supervisory authority.

If you wish to withdraw consent, please contact the research team via email at imppp-study@bristol.ac.uk

To make a complaint about how researchers at the University of Bristol have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. You can contact our Data Protection Officer at the University of Bristol via email at data-protection@bristol.ac.uk or you can complain to the Information Commissioner’s Office via telephone on 0303 123 1113. Please see www.ico.org.uk for further information about making a complaint.

Research exemption

Since this research meets the exemption conditions contained within the GDPR and DPA 2018, the right of individuals to access their personal data and the rights of individuals to rectification, erasure, restriction and objection do not apply. This is because researchers need to manage information in specific ways for the research to be reliable and accurate.

Source of personal data

Personal data will be obtained from the participant contact details form and study questionnaire 1 which IMPPP study participants complete and return to the research team alongside the completed study consent form.

Study participants are not required under a statute or contract to provide personal data and are free to withdraw from the study at any point.

Please note that we do not make use of automated decision making in relation to personal data.