How and why NEQOS process your data in Hospital Episode Statistics (HES)
This page sets out how NEQOS use Hospital Episode Statistics in line with the General Data Protection Regulation (GDPR).
We access Hospital Episode Statistics (HES), collected by NHS Digital, through a secure online portal containing the records of all people who attend hospital in England. These records relate to visits to Accident & Emergency Departments, Outpatient appointments, and in-hospital stays. They contain information on the age, gender and ethnicity of patients, what hospital they went to and what they went to hospital for. They do not contain any information which would accurately identify them, such as their name, address or NHS number.
We are allowed access to this data under a Data Sharing Framework Contract and a Data Sharing Agreement between Cumbria, Northumberland Tyne and Wear NHS Foundation Trust (the organisation which hosts NEQOS) and NHS Digital. Although we are able to view anonymised records for individuals we are only able to download and store tabulated (statistical) data. Any statistical publications produced from the data are not presented in a form which reveals any individual’s identity.
We take very seriously our responsibilities to keep this information secure. The data is downloaded and stored in a safe and secure way. The number of staff accessing and handling such data within NEQOS is limited to those who have signed a Data Access Agreement, and who undertake regular training about data protection and managing personal information.
Purposes of processing
The data is only used for purposes related to healthcare or the promotion of health, in line with the Health and Social Care Act 2012 as amended by the Care Act 2014.
The specific purposes for which we use HES data are to provide our clients with information and intelligence to:
- enable them to effectively monitor, evaluate and improve their services or design new systems and processes;
- help them to better understand the health and care needs of the populations they serve;
- highlight variation in quality and safety of healthcare;
- enable comparison with peers or against recognised standards;
- highlight adherence to or non-compliance with best practice guidance (for example, NICE Quality Standards);
- inform the development of new indicators to monitor health status and the quality of healthcare;
- inform them about the utilisation of hospital services and the uptake of new technologies;
- Inform them about the incidence of certain conditions and treatments, and allow gaps in service provision to be identified.
The data will not be used for automated decision making, including profiling.
Users of the analysis produced using HES data include:
- NHS organisations (both providers and commissioners) across the North East and North Cumbria region, and occasionally further afield (within England)
- The Academic Health Science Network (AHSN) in the North East and North Cumbria
- Health Education England – North East
- NHS England
- Orthopaedic Research UK
- Local Authorities in the North East
Legal basis for processing
For GDPR purposes our basis for lawful processing is
- Article 6(1)(e) – ‘…Public task …’.
The condition for processing health data, which is special category data under the GDPR, is
- Article 9(2)(i) – …public interest in the area of public health…
Cumbria, Northumberland Tyne and Wear NHS Foundation Trust (the organisation which hosts NEQOS) is the Data controller and is registered as required by Data Protection legislation.
Data Protection Officer
Our Data Protection Officer is Angela Faill. Her contact details are as follows:
Head of Information Governance and Medico Legal Department,
St Nicholas Hospital,
Telephone: 0191 246 6890
Sharing information outside of NEQOS
Only statistical data, derived from HES records, is shared outside of NEQOS, and the data is not presented in a form which reveals anyone’s identity.
The data which is downloaded can only be retained for as long as the Data Sharing Agreement with NHS Digital is in place. When the Agreement is terminated, all data provided under this agreement will be securely destroyed.
Data protection laws in the UK give people a number of rights concerning their personal data. You are entitled to access your personal data held in HES. Since NEQOS has only access to an anonymised version of the HES data you will need to contact NHS Digital, the organisation that collects the data at https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/gdpr/gdpr-register#h
If you wish to raise a concern regarding our or NHS Digital’s processing activity in relation to HES data, you can do so with the Information Commissioner’s Office at any time, via this link https://ico.org.uk/global/contact-us/