Putting security and confidentiality first
We know that many people are concerned about the security of data collection. Data about an individual’s health is highly sensitive, and so great care is taken over the way it is collected, stored, and analysed. For example, when we published data, making sure that we do not use small numbers which could lead to an individual being identified.
There is an obligation to the National Data Guardian to ensure all sensitive data is strongly encrypted and stored on NHS compliant secure servers. The data is only accessible by staff who have been vetted and operate under the strictest of controls. Security procedures are regularly reviewed to make sure that all systems use the most up to date and effective ways to protect patient data.
We are aware that some people do not want their information held by the National Disease Registration Service (NDRS) and we uphold the individual’s right to opt out of cancer registration. Information is provided to Trusts and other locations such as GP surgeries and radiotherapy centres, to help inform patients about cancer registration and their right to opt-out should they wish.
Anyone can opt-out of disease registration at any time. It will not affect the care you receive from the NHS.
Collection of personal data
If you have been diagnosed with cancer, a rare disease or a congenital anomaly, the NHS team looking after you will record information about the care and treatment you receive. This information is shared with NDRS. This applies to children as well as adults.
The NHS shares the following information with NDRS:
- your name and date of birth
- your gender and ethnicity
- your address and NHS number
- information about your diagnosis and treatment
This information comes from many sources.
Everyone working with patient data is trained in information governance and follows strict rules to make sure patient information stays safe.
When is my data collected, and how long is it kept for?
We start collecting data as soon as you are being investigated for cancer, a rare disease or a congenital anomaly. Depending on the condition, we will follow your treatment for the rest of your life. We do this because we need to see if the disease comes back or if there are any side-effects from the treatment you receive.
It is important we hold patient data indefinitely so that we can spot long term trends and carry out research. For example, some forms of cancer can be inherited. For those families with this genetic risk, long term monitoring is important.
Where is the data processed?
The data is held safely and securely in England and is never processed outside the UK.
Can I see my own data?
You can ask to see your data by making what is known as a Subject Access Request to [email protected]
We will need to check your identity before we can give you your data and so we ask for copies of
- your passport or driving licence
- and proof of address (e.g. bank statement or utility bill)
Once we have these, we will search for your data on our registration system and other datasets linked to it.
If we find that we have your data, we will send a copy of it to your GP or another medical person involved in your care. We do this to make sure that your data is only given to you and no one else.
Find out more out more about Subject Access Requests on the NHS Digital website.
NDRS and the law
Information is provided under the requirements of the General Data Protection Regulation and the Data Protection Act 2018.
NHS England is the data controller for all information collected and processed as part of disease registration. The data protection officer can be contacted on [email protected].
The NDRS has legal permission to collect patient data to use it to protect the health of the population. Previously this permission was granted to Public Health England under section 251 of the National Health Services Act 2006.
From 1 October 2021, permission was granted to NHS Digital. under legal instructions known as Directions, from the Secretary of State for Health and Social Care, under section 254 of the Health and Social Care Act 2012 (2012 Act). The Directions are called the National Disease Registries Directions 2021. They instructed NHS Digital to collect and use confidential patient information to operate the NDRS.
Building on the huge progress made on digital transformation during the pandemic, on the 1 February 2023, NHSD and NHSX merged into NHS England. NHS England is now therefore the controller of the personal data held by the NDRS under data protection law.
Under UK GDPR we can only collect and use personal data if we have a legal basis under Articles 6 and 9 of the UK GDPR.
Our legal basis to collect and use your personal data is:
- Article 6(1)(c) – legal obligation – as we are required to do this to operate the National Disease Registration Services under the National Disease Registries Directions 2021.
- Article 9(2)(g) – substantial public interest – because the processing of the data is substantially in the public interest and in accordance with the law, for the purposes of NHS England exercising its statutory functions under the National Disease Registries Directions 2021. It is substantially in the public interest to improve NHS cancer treatment and care, improve patient outcomes and to understand the prevalence of congenital anomalies and rare diseases in England and how these are affected by gender, ethnicity, disease type and geographic region. This is also permitted under paragraph 6 of Schedule 1 of the Data Protection Act 2018 (DPA)
NDRS and patient confidentiality
The National Disease Registries Directions 2021 provides NHS England with a legal obligation to process confidential patient information, setting aside the common law duty of confidence.
Where we disseminate confidential patient information, organisations requesting the data must have a legal basis under the common law to receive the information such as:
- evidence you have given them your explicit consent to the sharing of your data with them
- they have been granted specific legal approval from the Health Research Authority’s Confidentiality Advisory Group to use confidential patient information without your consent and who also have ethical approval to do so, or
- we have a legal obligation to share confidential patient information without consent, e.g. where there is a Court Order, or where this is necessary for public health purposes under Regulation 3 of Health Service (Control of Patient Information) Regulations 2002 (COPI)
- this includes the COPI Notices issued by the Secretary of State for Health and Social Care in relation to COVID-19.
Last edited: 4 August 2023 11:19 am