NVR Privacy Notice

What is the aim of the National Vascular Registry?

The National Vascular Registry (NVR) was established in 2013 to measure the quality and outcomes of care for patients who undergo major vascular procedures in NHS hospitals, and to support vascular services improve the quality of care for these patients by publishing high-quality benchmark information. The NVR was commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP).
Hospital-based vascular services treat patients with conditions that affect blood circulation, and which are part of the broad spectrum of cardiovascular disease. The treatments for these conditions are typically aimed at reducing the risk of cardiovascular events such as a heart attack, stroke or the rupture of an artery.

Where is patient data collected from?

The NVR captures data on adult patients undergoing emergency and elective procedures in NHS hospitals for the following patient groups:

  1. patients who undergo carotid endarterectomy or carotid stenting
  2. patients who have a repair procedure for abdominal aortic aneurysm (AAA), both open and endovascular (EVAR)
  3. patients with peripheral artery disease (PAD) who undergo either (a) lower limb angioplasty/stent, (b) lower limb bypass surgery, or (c) lower limb amputation.

Data Controller

The NVR is commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit Programme on behalf of NHS England and the Welsh Government.

HQIP, NHS England and NHS Wales are the data controllers for the patient data submitted to the audit directly by hospitals in England and Wales. The data controllers for the patient data from Scotland and Northern Ireland is the Royal College of Surgeons of England. The NVR team combines the data on individuals with other information held in other national hospital databases. The data controllers for these other national datasets are:

  • NHS Digital for the English hospital data (Hospital Episode Statistics)
  • Office for National Statistics for the death register

Legal basis for collecting personal patient data

The NVR has approval for processing health care information under Section 251 (reference number: CAG 5-07(f)/2013) for patients admitted in emergency requiring vascular procedures in England and Wales. More information on section 251 is available here: http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/.

All patients in Scotland and Northern Ireland, and patients in England and Wales undergoing an elective procedure require their consent to be given to collect and process their personal identifiable information.

Legal basis for processing personal patient data

The NVR processes data under articles 6 (1) (e) and 9 (2) (i) of the GDPR as the data are needed to carry out a task in the public interest to ensure high standards of quality and safety of healthcare. The NVR also processes data under Schedule 1(1)(3) ‘public health’ underpinned by Health and Social Care Act 2012 Part 1 section 2.

How we protect your patient data

Local clinical teams enter patient data into a secure web-based tool provided by NEC (formally Northgate Public Services). Only doctors, nurses and clinical audit staff registered with the Audit can access the data collection tool. Security and confidentiality is maintained through the use of passwords and a person specific registration process. Only the NVR project team can access the data collection tool. In February 2022, additional clinical data is collected for NHS trusts participating in the Peripheral Arterial Disease Quality Improvement Programme (PAD QIP). This data is collected in the secure data collection platform, REDCap, and follows all of the information security protocols of the main NVR IT system.

Patient confidentiality and level of data collected

The patient information received and managed by the NVR team is treated as confidential. We analyse the data to produce the information on patient care and outcomes, the NVR team use de-identified data and so individual patients are not identifiable.

The audit is also careful when publishing information to include graphs or tables that do not allow individuals to be identified. To ensure this, the Audit follows guidelines on publishing statistics issued by the Office for National Statistics – Review of the Dissemination of Health Statistics: Confidentiality Guidance.

Management of patient data by the NVR team

The NVR team are based at the Royal College of Surgeons of England (RCSEng). The RCSEng conforms to the General Data Protection Regulation (GDPR) and other legislation that relates to the collection and use of patient data. The RCSEng has strict security measures in place to safeguard patient information held in the Data Collection system and when analysing the de-identified dataset. The Data Collection IT system has various levels of security built into it, such as ID password security, which prevents unauthorised users gaining access and data encryption.

These de-identified datasets will be held by the NVR team as long as they remain the contract holder of the National Vascular Registry – currently up until 31st December 2022. HQIP will review how long the data need to be stored when the audit has finished.

Who we share data with?

The NVR only shares patient-level data following a strict governance procedure to ensure compliance with the General Data Protection Regulation (GDPR).

The NVR is linked to the AAA screening programme IT System in England and Northern Ireland. As the NVR and these Screening Programmes are both hosted by NEC, patient identifiers are securely transferred between the two systems. This is done each day in the early hours of the morning. If a man is found to have a AAA via these screening programmes, is referred for surgery, and has given consent for his data to be used, then the NHS number is shared with the NVR. Once the patient record is created and submitted on the NVR, details of the operation are automatically shared back to the man’s record on the screening programme IT system.

Researchers may apply to the NVR Data Controller (HQIP) if they want to use the de-identified patient data for secondary purposes, such as a clinical audit, service evaluation, or a research study. These requests undergo a stringent approvals process as outlined on the HQIP website.

What if I do not want my information used by the Audit?

If you do not want your personal identifiable information to be used in the Audit, please tell the people who are treating you. They will make sure this information is not used in the audit.

Your specific rights are:

  • See the information we hold on you, and confirm what data we are processing about you.
  • Be informed about the collection and use of your personal data.
  • Ask us to correct any inaccurate, out of date or incomplete personal data.
  • Request that we erase the personal information we hold on you. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
  • Request that we restrict or limit the way that we use your personal data.
  • Request a copy of your information and where possible we will provide it to you in a machine-readable format such as .CSV file if you wish. We will do this free of charge and would include only the information you have provided directly to us.
  • Object to the processing of your information.
  • Your right to reject automated decision making and profiling.

If you give consent and then change your mind, please send an email to nvr@rcseng.ac.uk and put “Request to opt-out” in the subject line. On receipt of your email, we will remove your personal details from the NVR IT system. Alternatively, you can notify a member of your local care team that you wish to opt out. They will then ensure that your personal details are removed from the Registry.

The NVR has exemption from the National Data Opt-Out that allows it to use data from other data sources (such as HES) even if a patient has requested their confidential patient information is not used for research and planning via the National Data Opt-Out. This is because the Confidentiality Advisory Group (CAG) feels that there is an overriding public interest in the NVR using patient data to report on how vascular health care is delivered to patients and the outcomes of vascular procedures. The National Data Opt-Out applies to patients whose personal data is collected without consent (under Section 251). It does not apply to patients who have given their consent for their personal identifiable data to be collected and processed by the NVR.

Data collected for NVR newsletter mailing list

If you sign up for our newsletter or have an account for the NVR IT system, then we hold your name, email address, GMC code (if applicable) and your place of work. Our legal basis for collecting and processing this information about you is Legitimate Interest.

The contact information that you have provided will be handled in accordance with the General Data Protection Regulation (GDPR), and will not be used for any other purpose, unless consent has been received for other uses. We will only process this information for as long as you wish us to. Your personal data will be held indefinitely until you notify us that you no longer wish for us to hold your information.

If you give consent and then change your mind, please send an email to nvr@rcseng.ac.uk and put “Request to opt-out” in the subject line. On receipt of your email, we will remove your personal details from the NVR IT system.

If you believe that any information we are holding on you is incorrect or incomplete, please contact us as soon as possible. We will promptly correct any information found to be incorrect.

Changes to our privacy policy

We keep our privacy policy under regular review and we will always include the latest version on this web page.

The privacy policy was last updated on 28/06/2022

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you.

The Royal College of Surgeons of England has a data protection officer who can help you with any queries about the information in this privacy notice: dpo@rcseng.ac.uk

HQIP also has a data protection officer and they can be contacted by email: data.protection@hqip.org.uk

Information about the requirements for the Audit to keep personal data secure and what to do to report a data breach, can be found on the website of the Information Commissioners Office: https://ico.org.uk

Hysbysiad Preifatrwydd NVR (PDF – 843kB)