NVR Privacy Notice

What is the aim of the National Vascular Registry?

The National Vascular Registry (NVR) was established in 2013 to measure the quality and outcomes of care for patients who undergo major vascular procedures in NHS hospitals. The aim of the NVR is to support the NHS to improve the quality of care for these patients by publishing high-quality information. The NVR is commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP).
Hospital-based vascular services treat patients with conditions that affect blood circulation. The treatments for these conditions are typically aimed at reducing the risk of cardiovascular events such as a heart attack, stroke or the rupture of an artery.

Who do we collect information about?

The NVR captures data on adult patients undergoing emergency and elective procedures in NHS hospitals for the following patient groups:

  1. patients who undergo carotid endarterectomy or carotid stenting
  2. patients who have a repair procedure for abdominal aortic aneurysm (AAA), both open and endovascular (EVAR)
  3. patients with peripheral artery disease (PAD) who undergo either (a) lower limb angioplasty/stent, (b) lower limb bypass surgery, or (c) lower limb amputation.

The NVR collects information about the vascular surgery patients have whilst in hospital. Only information related to the procedure is collected, such as the severity of the patients’ condition, the types of investigations and treatment they receive. Participation in the NVR does not require any extra appointments or medical tests. It does not affect the care received and it uses only information collected by hospital staff. The types of personal information captured by the NVR are your patient name, NHS/CHI number, date of birth, sex and postcode.
For more information, please see our datasets and full data dictionary.

Data Controller

The NVR is commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit Programme on behalf of NHS England and the Welsh Government.

The ‘core NVR’ data (which is all data except device data) submitted by NHS hospitals is stored securely in the National Vascular Registry on behalf of HQIP and NHS England (who are joint data controllers for the English data) and HQIP and Digital Health and Care Wales (who are joint data controllers for the Welsh data).

Where the NVR collects device data which could potentially identify an individual in England, the data is under the sole data controllership of NHS England. Where the NVR collects device data which could potentially identify an individual in Wales, the data is under the sole data controllership of Digital Health and Care Wales.

The data controller for all the patient data from Scotland and Northern Ireland is the Royal College of Surgeons of England.

The NVR team combines the data on individuals with other information held in other national hospital databases. The data controllers for these other national datasets are:

  • NHS England for the English administrative hospital data (Hospital Episode Statistics, HES)
  • Office for National Statistics for the death register

Legal basis for collecting personal patient data

The NVR has approval for processing health care information under Section 251 (reference number: CAG 5-07(f)/2013) for patients admitted in emergency requiring vascular procedures in England and Wales. More information on section 251 is available here: http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/.

All patients in Scotland and Northern Ireland, and patients in England and Wales undergoing an elective procedure require their consent to be given to collect and process their personal identifiable information.

Legal basis for processing personal patient data

The NVR processes data under articles 6 (1) (e) and 9 (2) (i) of the UK GDPR as the data are needed to carry out a task in the public interest to ensure high standards of quality and safety of healthcare. The NVR also processes data under Schedule 1(1)(3) ‘public health’ of the UK DPA 2018 underpinned by Health and Social Care Act 2012 Part 1 section 2.

How we protect your patient data

Local clinical teams enter patient data into a secure web-based tool provided by NEC Software Solutions (formally Northgate Public Services). Only doctors, nurses and clinical audit staff registered with the Audit can access the data collection tool. Security and confidentiality is maintained through the use of passwords and a person specific registration process.

Only the NVR project team and the NEC service desk can access the admin side of the data collection tool, which is used to create and manage the accounts of users of the NVR. There is more about the protections we have in place in the sections below.

Patient confidentiality and level of data collected

The patient information received and managed by the NVR team is treated as confidential. We analyse the data. The data we analyse to produce the information on patient care and outcomes is de-identified data and so individual patients are not identifiable..

We are also careful when publishing information to include graphs or tables that do not allow individuals to be identified. To ensure this, we follow guidelines on publishing statistics issued by the Office for National Statistics – Review of the Dissemination of Health Statistics: Confidentiality Guidance.

Management of patient data by the NVR team

The NVR team are based at the Royal College of Surgeons of England (RCSEng). The RCSEng conforms to the UK GDPR and other legislation that relates to the collection and use of patient data, such as the Data Protection Act 2018. The RCSEng has strict security measures in place to safeguard patient information held in the Data Collection system and when analysing the de-identified dataset. The Data Collection IT system has various levels of security built into it, such as ID password security, which prevents unauthorised users gaining access and data encryption..

These de-identified datasets will be held by the NVR team as long as they remain the contract holder of the National Vascular Registry – currently up until 31st December 2025. HQIP will review how long the data need to be stored when the audit has finished.

Who we share data with?

The NVR only shares patient-level data following a strict governance procedure to ensure compliance with the UK General Data Protection Regulation.

The NVR is linked to the AAA screening programme IT System in England and Northern Ireland. As the NVR and these Screening Programmes are both hosted by NEC, patient identifiers are securely transferred between the two systems. This is done each day in the early hours of the morning. If a man is found to have a AAA via these screening programmes, is referred for surgery, and has given consent for his data to be used, then the NHS number is shared with the NVR. Once the patient record is created and submitted on the NVR, details of the operation are automatically shared back to the man’s record on the screening programme IT system.

Researchers may apply to the NVR Data Controller (HQIP) if they want to use the de-identified patient data for secondary purposes, such as a clinical audit, service evaluation, or a research study. These requests undergo a stringent approvals process as outlined on the HQIP website.

What if I do not want my information used by the Audit?

If you do not want your personal identifiable information to be used in the Audit, please tell the people who are treating you. They will make sure this information is not used in the audit.

Your specific rights are:

  • See the information we hold on you, and confirm what data we are processing about you.
  • Be informed about the collection and use of your personal data.
  • Ask us to correct any inaccurate, out of date or incomplete personal data.
  • Request that we erase the personal information we hold on you. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
  • Request that we restrict or limit the way that we use your personal data.
  • Request a copy of your information and where possible we will provide it to you in a machine-readable format such as .CSV file if you wish. We will do this free of charge and would include only the information you have provided directly to us.
  • Object to the processing of your information.
  • Your right to reject automated decision making and profiling.

If you give consent and then change your mind, please send an email to nvr@rcseng.ac.uk and put “Request to opt-out” in the subject line. On receipt of your email, we will remove your personal details from the NVR IT system. Alternatively, you can notify a member of your local care team that you wish to opt out. They will then ensure that your personal details are removed from the Registry.

The NVR has exemption from the National Data Opt-Out that allows us to use data from other data sources (such as HES) even if a patient has requested their confidential patient information is not used for research and planning via the National Data Opt-Out. The request to defer application of the National Data Opt-Out was reviewed by the Confidentiality Advisory Group (CAG). CAG is an independent group of lay people and professionals which provides expert advice on the use of confidential patient information without consent. CAG recommended that our request should be supported and the Secretary of State for Health and Social Care approved this. The National Data Opt-Out would have only applied to patients whose personal data is collected without consent (under Section 251). It does not apply to patients who have given their consent for their personal identifiable data to be collected and processed by the NVR.

Data collected for NVR newsletter mailing list

If you sign up for our newsletter or have an account for the NVR IT system, then we hold your name, email address, GMC code (if applicable) and your place of work. Our legal basis for collecting and processing this information about you is Legitimate Interest.

The contact information that you have provided will be handled in accordance with the UK GDPR, and will not be used for any other purpose, unless consent has been received for other uses. We will only process this information for as long as you wish us to. Your personal data will be held indefinitely until you notify us that you no longer wish for us to hold your information.

If you believe that any information we are holding on you is incorrect or incomplete, please contact us as soon as possible. We will promptly correct any information found to be incorrect.

Changes to our privacy policy

We keep our privacy policy under regular review and we will always include the latest version on this web page.

The privacy policy was last updated on 01/12/2023

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you.

The Royal College of Surgeons of England has a data protection officer who can help you with any queries about the information in this privacy notice: dpo@rcseng.ac.uk

HQIP also has a data protection officer and they can be contacted by email: data.protection@hqip.org.uk

Information about the requirements for the Audit to keep personal data secure and what to do to report a data breach, can be found on the website of the Information Commissioners Office: https://ico.org.uk

Hysbysiad Preifatrwydd NVR (PDF – 843kB)