NCEPOD's Information Governance policies and procedures
Click here to download our information governance leaflet about the regulations and processes NCEPOD complies with.
We have also created the following documentation to clearly detail the policies and procedures we have in place:
To view our Data Protection Policy please click here.
To view our Information Security Procedures please click here.
To view our Information Governance Framework please click here.
To view our Data Protection Impact Assessment please click here.
To view our Privacy Notice please click here.
To view our Data Flow Diagram please click here.
There are two Government Acts, related to confidentiality, that NCEPOD are required to comply with. The first is the Data Protection Act 2018. The second is the NHS Act 2006. We are also required to comply with the General Data Protection Regulation 2016.
The General Data Protection Regulation 2016
NCEPOD is committed to maintaining a recognised level of best practice for its information security procedures. In 2016 we undertook an external audit of our information security procedures and will undertake another by 2020. Recommendations from the audit were acted upon and our information security procedures have been formulated in conjunction with the International Standard ISO/IEC 27001:2013, 'Information technology – Code of practice for information security management'.
All NCEPOD staff manage data according to the information security procedures as a means of ensuring integrity and confidentiality of data submitted to NCEPOD. The procedures apply to both physical and electronic data formats.
Although the GDPR 2016 does not apply to deceased patients, NCEPOD will apply its standards to all data regardless of patient outcome.
Our legal basis for collecting information
The legal bases for collecting and using personal data are:
Public Task
We collect only the information that is necessary to carry out our function and avoid collecting information that will not be used. This is received from healthcare providers, such as NHS Trusts and Health Boards. To see what information is held in your healthcare record please contact your local Trust or Board.
Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where people sign up to receive newsletters and updates, attend events or work with NCEPOD, consent is received for us to store and process personal data.
For example, this is the basis we use when it is necessary for us to take specific steps before entering into a contract with you to supply you a service or vice versa.
For example, this is the basis we use when it is necessary for us to comply with the law (not including contractual obligations) because we are required to keep documentation to produce in court proceedings.
This basis is used to allow us to hold information as evidence should we need it in the future, for example, if you ask us to unsubscribe you from our newsletter.
Common Law Duty of Confidentiality
We apply the Common Law Duty of Confidentiality to all data we hold.
Article 9 condition for processing special category data:
• 2(i) - processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
NCEPOD is registered with the Information Commissioner's office for the purpose of data protection: number Z5442652.
To view our registration document please click here.
The NHS Act 2006 – Section 251 - England & Wales
Whilst the Government has stated that consent is the fundamental principle governing the use of patient identifiable information by any part of the NHS or research community, they have recognised that in some instances this approach may be difficult. Section 251 of this Act therefore provides the Secretary of State for Health with a power to authorise that patient identifiable data can be used and provides support for the breach in confidentiality. Section 251 approval has been granted to NCEPOD through the Health Research Authority Confidentiality Advisory Group (HRA-CAG). An annual review ensures our method remains acceptable.
The current status of all applications can be viewed online at http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/cag-advice-and-approval-decisions/.
- For the Medical & Surgical studies follow the 2001-2008 approved applications link and look for A0077.
- For the Child Health studies follow the April 2013 award approved non-research applications link and look for A0902.
- Annual Review outcome letter 2017-2018
- Annual Review outcome letter 2016-2017
- Annual Review outcome letter 2015-2016
- Acute Bowel Obstruction
- In Hospital Management of Out Of Hospital Cardiac Arrests
- Physical Healthcare in Mental Health Hospitals
- Child Health
- Long Term Ventilation
Scottish Approval
The Public Benefit and Privacy Panel for Health and Social Care (for NHS Scotland) has reviewed our work programme, and approval for our applications can be viewed online at http://www.informationgovernance.scot.nhs.uk/pbpphsc/application-outcomes/.
- For Medical & Surgical studies follow the April 2016-2017 approvals link and see App. No. 1516-0522.
- For Child Health studies follow the April 2016-2017 approvals link and see App. No. 1516-0294.
- Long Term Ventilation Programme approval letter 2018
- Medical and Surgical Clinical Outcome Review Programme approval letter 2017
- Child Health Clinical Outcome Review Programme approval letter 2016
Health Research Authority (HRA) – Ethics Approval
At the present time the HRA have agreed that it is not necessary for NCEPOD to obtain ethics approval for our work. The reasons are listed below:
- Our work is a ‘confidential enquiry’ and not research or audit – we do not interact directly with patients or have influence in the treatment of an individual.
- We have approval to continue without consent under Section 251 of the NHS Act 2006.
- Some of the cases we investigate are deceased patients.
- Our work is supported by Government Departments and the GMC.
NHS - Data Security and Protection Toolkit
Every year we complete this online assessment tool for the purposes of improving our internal information governance procedures and policies.