NVR Privacy Notice

What is the aim of the National Vascular Registry?

The National Vascular Registry (NVR) was established in 2013 to measure the quality and outcomes of care for patients who undergo major vascular procedures in NHS hospitals, and to support vascular services improve the quality of care for these patients by publishing high-quality benchmark information. The NVR was commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP).
Hospital-based vascular services treat patients with conditions that affect blood circulation, and which are part of the broad spectrum of cardiovascular disease. The treatments for these conditions are typically aimed at reducing the risk of cardiovascular events such as a heart attack, stroke or the rupture of an artery.

Where is patient data collected from?

The NVR captures data on adult patients undergoing emergency and elective procedures in NHS hospitals for the following patient groups:

  1. patients who undergo carotid endarterectomy or carotid stenting
  2. patients who have a repair procedure for abdominal aortic aneurysm (AAA), both open and endovascular (EVAR)
  3. patients with peripheral artery disease (PAD) who undergo either (a) lower limb angioplasty/stent, (b) lower limb bypass surgery, or (c) lower limb amputation.

Data Controller

The NVR is commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit Programme on behalf of NHS England and the Welsh Government.

HQIP are the data controllers for the patient data submitted to the audit directly by NHS hospitals. The NVR team combines the data on individuals with other information held in other national hospital databases. The data controllers for these other national datasets are:

  • NHS Digital for the English hospital data (Hospital Episode Statistics)
  • Office for National Statistics for the death register

Legal basis for collecting personal patient data

The NVR has approval for processing health care information under Section 251 (reference number: CAG 5-07(f)/2013) for patients admitted in emergency requiring vascular procedures in England and Wales. More information on section 251 is available here: http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/.

All patients in Scotland and Northern Ireland, and patients in England and Wales undergoing an elective procedure require their consent to be given to collect and process their personal identifiable information.

Legal basis for processing personal patient data

The NVR has approval for processing data under articles 6 (1) (e) and 9 (2) (i) of the GDPR as the data are needed to carry out a task in the public interest to ensure high standards of quality and safety of healthcare.

How we protect your patient data

Local clinical teams enter patient data into a secure web-based tool provided by Northgate Public Services. Only doctors, nurses and clinical audit staff registered with the Audit can access the data collection tool. Security and confidentiality is maintained through the use of passwords and a person specific registration process. Only the NVR project team can access the data collection tool.

Patient confidentiality and level of data collected

The patient information received and managed by the NVR team is treated as confidential. We analysing the data to produce the information on patient care and outcomes, the NVR team use de-identified data and so individual patients are not identifiable.

The audit is also careful when publishing information to include graphs or tables that do not allow individuals to be identified. To ensure this, the Audit follows guidelines on publishing statistics issued by the Office for National Statistics – Review of the Dissemination of Health Statistics: Confidentiality Guidance.

Management of patient data by the NVR team

The NVR team are based at the Royal College of Surgeons of England (RCS). The RCS conforms to the General Data Protection Regulation (GDPR) and other legislation that relates to the collection and use of patient data. The RCS has strict security measures in place to safeguard patient information held in the Data Collection system and when analysing the de-identified dataset. The Data Collection IT system has various levels of security built into it, such as ID password security, which prevents unauthorised users gaining access and data encryption.

Who we share data with?

The NVR only shares patient-level data following a strict governance procedure to ensure compliance with the General Data Protection Regulation (GDPR).

Researchers may apply to the NVR Data Controller (HQIP) if they want to use the de-identified patient data for a research study. These requests undergo a stringent approvals process as outlined on the HQIP website.

What if I do not want my information used by the Audit?

If you do not want your personal identifiable information to be used in the Audit, please tell the people who are treating you. They will make sure this information is not used in the audit.

In some circumstances, an individual has the right to request their data are erased. This does not apply to an individual’s health care record.

Data collected for NVR newsletter mailing list

If you sign up for our newsletter or have an account for the NVR IT system, then we hold your name, email address, GMC code (if applicable) and your place of work. Our legal basis for collecting and processing this information about you is Legitimate Interest.

The contact information that you have provided will be handled in accordance with the General Data Protection Regulation (GDPR), and will not be used for any other purpose, unless consent has been received for other uses.

If you believe that any information we are holding on you is incorrect or incomplete, please contact us as soon as possible. We will promptly correct any information found to be incorrect.

Changes to our privacy policy

We keep our privacy policy under regular review and we will always include the latest version on this web page.

The privacy policy was last updated on 22/05/2018

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you.

Information about the requirements for the Audit to keep personal data secure and what to do to report a data breach, can be found on the website of the Information Commissioners Office: https://ico.org.uk