Using patient information
Getting It Right First Time (GIRFT) is a national programme designed to improve care for patients within the NHS, by reducing unwarranted variations. Our evaluation of the NHS Getting it Right First Time programme couldn’t happen without access to patients’ data and this will play a vital role in our ability to get a picture of how the programme is working and the difference it is making to patient care. We want to be clear about how your data is stored, used and protected in our research. One aspect of this study looks at ‘what works and at what cost?’
We are trying to look at whether the Getting it Right First Time programme in orthopaedic surgery has reduced variations in orthopaedic practice and costs, and improved outcomes for patients. To do this, we are requesting confidential patient data for a group of patients who have undergone elective orthopaedic surgery between 1st April 2009 and 31st March 2018.
The data we would like to use include Hospital Episode Statistics (HES), a database containing details of all admissions to NHS hospitals in England, which is collected so that hospitals can be paid for the care they deliver. We would also like to include Patient Reported Outcome Measures (PROMs) for patients who have had hip or knee replacements. NHS patients who have had these procedures have been invited to fill in Patient Reported Outcome Measures (PROMs) questionnaires as part of the Department of Health’s PROMs programme. The NHS asks patients about their health and quality of life before they have their operation, and about their health and the effectiveness of the operation afterwards at six months. These data can also be processed and used for other purposes, such as research and planning health services. We would also like to use data from the National Joint Registry (NJR). The NJR was set up by the Department of Health to collect information on all hip, knee, ankle, elbow and shoulder replacement operations across the NHS, to make sure joint replacement implants were working and to also ensure the different types of surgery for these operations were safe and effective.
Secure storage and processing of patient information
This study has already received research ethics approval – a process designed to make sure researchers’ can benefit from accessing data while minimising risk of any harm to patients – and Health Research Authority Confidential Advisory Group Section 2.51 approvals. The legal basis for processing are covered under Article 6 (1)(e) and Article 9 (2)(j).
Personal data of patients – including NHS number, date of birth, sex, postcode and the study ID will only be securely transferred between two organisations – Northgate Public Services (who control NJR data) and NHS Digital (who control HES and PROMs data). This is considered to be personal data according to European data protection rules – the General Data Protection Regulation (or GDPR). As these two organisations currently hold and control the data, and are involved in processing, they are called data controllers. The purpose of sending this personal data between the two organisations is so NHS Digital can link these data together for the same patients, to provide more accurate and complete information for researchers who can track a patient’s journey through the NHS system. However, researchers will not have access to any personal identifiable data, and will not be able to identify patients, using the information that they are given by the two organisations (Northgate Public Services and NHS Digital).
Both organisations will securely transfer pseudonymised data to researchers at UCL. Pseudonymisation means the most identifying fields within a database are replaced with artificial identifiers, or pseudonyms so patient information can be processed without researchers being able to identify patients. This means that UCL will be the final data controller for the data that is disseminated for the purposes of looking at ‘what works and at what cost?’ All pseudonymised patient information will be stored on a secure network that is password-protected, and can only be accessed by those with specialised training and access for the duration of the study.
The data will be stored by researchers at UCL until 2021 for analysis and dissemination purposes, and thereafter will be securely destroyed.
UCL Data Protection:
UCL is required by law to comply with data protection legislation. The UK’s regulator for the legislation is the Information Commissioner’s Office. It is the commitment of the university to ensure that every current employee and registered student complies with this Act to ensure the confidentiality of any personal data held by UCL, in whatever medium. This Act came into force on 25 May 2018.
UCL processes the personal data of living individuals such as its staff, students, contractors, research subjects and customers. UCL has a data protection policy as a commitment to the safeguarding of personal data processed by its staff and students, and to ensure compliance with the legislation. It is the duty of data controllers such as UCL to comply with the data protection principles with respect to personal data. This policy describes how UCL will discharge its duties in order to ensure continuing compliance with the Act in general and the data protection principles and rights of data subjects in particular.
Data Protection Officer Contact details:
Research Department Administrator
PA to Professor Rosalind Raine and Professor Naomi Fulop
Department of Applied Health Research, UCL
Visiting Address: 1-19 Torrington Place, London WC1E 7HB, Rm 112
Postal Address: UCL, Gower Street, London WC1E 6BT
Tel: 020 3108 3256
We are happy to discuss your rights to protect your data, and how exactly it will be used in our research. If you would like further information about the use of your data in this research study, or would like to lodge a complaint to a supervisory authority – please contact us on the details given below. If you would like to request that your confidential patient information is not included in this study, please aim to contact us between 1st May – 24th August 2018 to discuss.
Dr Sarah Jasim
NIHR CLAHRC North Thames
Department of Applied Health Research
University College London
1-19 Torrington Place
London WC1E 7HB
Tel: 020 3105 3233
How will this be operated?
To ensure feasible and practical methods of opt-out, we will offer patients a 1-month window to be able to contact us. For those patients who require further information about how their confidential patient information will be used, we will provide this via e-mail or arrange telephone conversations to provide further information and reassurance. For those patients who would like their data to be removed from the cohort included in our research – we will ask for the minimum variables necessary to first correctly identify patients, and then to enable NHS Digital to remove these specific patients for the linkable NJR and HES-PROMs dataset they are preparing for us. We will then provide these variables securely in one spreadsheet to NHS Digital, so they can remove these patient records from the dataset they will send us. The spreadsheet containing this patient information will be deleted as soon as this process is complete. As patients are providing us with this sensitive information for the purposes of the opt-out mechanism, we will also explain that this will be shared with NHS Digital for them to be able to remove their records from the dataset.