Privacy Policy

This Privacy Notice is intended to provide information for patients, clinicians, parents/carers of service users whose information may be used for ICNARC Audits and Research Studies. It explains what type of information we collect, why we collect it and what we do with it.

This privacy policy was updated in May 2018 to meet the requirements of the General Data Protection Regulation (GDPR). We will update this privacy policy whenever we change the type of processing we carry out. Please regularly come back to xx and check this policy for any changes.

Our legal basis for collecting information

The legal bases for collecting and using personal data are:

Public Task

We collect only the information that is necessary to carry out our function and avoid collecting information that will not be used. This is received from healthcare providers, such as NHS Trusts and Health Boards. To see what information is held in your healthcare record please contact your local Trust or Board, or GP.


Where people attend events or work with ICNARC consent is received for us to store and process personal data.


For example, this is the basis we use when it is necessary for us to take specific steps before entering into a contract with you to supply you a service or vice versa.

Legal obligation

For example, this is the basis we use when it is necessary for us to comply with the law (not including contractual obligations) because we are required to keep documentation to produce in court proceedings.

Legitimate interests

This basis is used to allow us to hold and use information in relation to fulling our subscriptions and use of our services in the future.

When we collect your information

If you are a patient, we may collect your NHS number and date of birth early in the study when we collect a list of patients meeting certain criteria from your healthcare provider.

Most of the personal information we collect maybe has been received directly from you. You may give us your name and contact information or other personal data:

  • When you fill out a form on our website
  • When you communicate with us, for example if you make an enquiry
  • When you engage with us on social media
  • When you attend an event
  • When you complete any surveys or feedback forms we send you
  • When you fill in any forms
  • When you apply for a job with us
  • If you work for us or with us
  • If you buy one of our services or products, or if we buy from you
  • We may also receive information about you from third parties, for example our service providers and suppliers, or from third parties who may have gathered your consent on our behalf, or from publicly available sources, such as social media.


The information we collect

Studies & Audits Data

We collect a large sample of patient cases directly from hospitals for each Audit or Study.

The information we collect for the case note review could include:

  • A questionnaire completed by the clinician involved in the patient’s care
  • Data from your hospital medical records
  • Medical records from other doctors and other health care organisations such as GPs.

Once each study or audit has finished the information is anonymised and we remove any information relating to the identity of the patient including name, address, date of birth, hospital and/or NHS number.

Some Patient identifiable information is collected without obtaining consent from the patient under Section 251 of the NHS Act 2006.

Data collected not related to specific audits or studies;

  • Your name
  • Your contact details
  • Your job role and your organisation
  • Information from other publicly available sources (such as social media)
  • If you apply for a job with us we will collect information about your employment history, qualifications and references
  • If you work for us we will collect and use additional personal information, such as health details and financial details
  • If you fill in any questionnaires, surveys or feedback forms we will collect your experiences, opinions and any health information you are happy to share with us
  • If you interact with our website we may collect certain technical information, such as your browsing activity across our website and your IP address. An IP address provides the location of server you are contacting us from. We only use this information to ensure website security.

How and why we use the information

The primary purpose of ICNARC’s work is to examine factors that can be changed about the quality of care provided to patients to improve the care of future patients. We publish a report at the end of the Audits and Studies so improvements can be made to improve care for future patients.

In order to carry out this work we have been given permission to collect and use this information under very strict conditions of confidentiality and data security by the Confidentiality Advisory Group in England and Wales. Access to this information is strictly limited to those who need to process it and all information is anonymous in the final reports. Once the study is complete all data are securely destroyed.

Through this process the reviewers identify aspects of care which could be done better in the future to improve care for patients in the study areas. We are careful to ensure that publications does not contain any information that could lead to the identification of any person.

How we protect your information

We take the responsibility of holding people’s personal data very seriously. We have internal policies which set out and guide our data security. All staff adhere to this approach and are regularly trained in data protection.

Electronic patient and organisational information (such as databases, questionnaires or health records etc.) are kept on secure servers and only ICNARC staff have access to patient identifiable data. Access to your personal data is password-protected and our servers are regularly monitored for possible vulnerabilities and attacks.

ICNARC holds all records that are supplied by NHS organisations in the strictest confidence.

Information Security and Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. As such we have created the following documentation to clearly detail the policies and procedures we have in place.

Who we share your personal data with

We may share your personal information with third parties (example NHS Digital) for Data Linkage purposes under Section 251 and legitmate interest for clinical trials. Data linkage is a process which temporarily brings together two or more sets of research or audit data from different organisations to produce a wealth of information which can be used for research and statistical purposes. This allows for the true value of the data to be realised.

The process is;

  • if it is in the public interest to do so
  • for clearly specified research and statistical purposes
  • for the duration of the work as agreed by the associated data controllers
  • If it is legal to do so.

Also we may share anonymised and processed data with third parties under a data sharing agreement for additional analysis but this never includes personal data, or anything that could identify an individual. Personal data to help improve health care.

How long we retain your information

Order information: when you place an order for goods and services – including memberships, subscriptions and events – we retain that information for six years following the end of the financial year in which you placed your order, in accordance with our legal obligation to keep records for tax purposes.  To avoid administrative burdens on ICNARC, we will therefore keep memberships, subscriptions and events records and event attendee information for the same amount of time after a member has lapsed or an attendee no longer engages with the organisation.

Correspondence and enquiries: when you make an enquiry or correspond with us. We will retain your information for as long as it takes to respond to and resolve your enquiry, and for a further 3 years after which point we will delete your information. Unless the enquiry or correspond is in connection with an audit or a research study then this would be in line with the audit or study protocols.

Mailing Lists: if you consent to receive information from the ICNARC on certain events, we retain the information you used to sign up for that mailing list so long as you remain subscribed (i.e. you do not unsubscribe) or if we decide to cancel that mailing list service, whichever comes earlier.

Event attendees: We retain your details for the duration of the event you attend and for six years afterwards.  This is because events tickets include a financial transaction for which we are required to keep details of.

In any other circumstances- including audits or research studies, we will retain your information for no longer than necessary, taking into account the following:

  • the purpose(s) and use of your information both now and in the future (such as whether it is necessary to continue to store that information in order to continue to perform our obligations under a contract with you or to contact you in the future);
  • whether we have any legal obligation to continue to process your information (such as any record-keeping obligations imposed by relevant law or regulation);
  • whether we have any legal basis to continue to process your information (such as your consent or Section 251);
  • how valuable your information is (both now and in the future);
  • any relevant agreed industry practices on how long information should be retained; (HRA Health Research Authority and others)
  • the levels of risk, cost and liability involved with us continuing to hold the information;
  • how hard it is to ensure that the information can be kept up to date and accurate; and
  • any relevant surrounding circumstances (such as the nature and status of our relationship with you).

What are your rights over your personal data?

The right to erasure

You can request that we don’t use personal information about you in our studies and we will ensure that any of your information we hold is destroyed. This will need to be done on a study by study basis otherwise the only way we could remove you from all audits and studies would be to hold personal data about you to compare with the patient information that we receive. You also have the right to restriction of processing and to object to processing. We treat these the same way as the right to erasure and remove all information about you. If you decide that you would prefer that your information is not used please let us know by contacting us in writing at the postal address or use this email address link

The right of access

You have the right to see what information is held about you. If you are a patient, generally we don’t use names and addresses so you would have to know your NHS number. You have the right to rectify any data that is incorrect but rectifying it with us would not change the information in your health record and you may want to contact your healthcare provider directly.

We do:

Use personal data to help improve health care servicesKeep all personal data secure and confidentialGive you the right to opt out of any of our studies or audits.

We do not:

Share your personal data with third parties for marketing purposesUse personal or identifiable data in our reports.

Data Protection Officer

The Data Protection Officer at ICNARC is Sasha Korniak. Further information is available by

emailing  or by contacting the office on 0207 7831 6878

Contact the Information Commissioner’s Office

If you are unhappy with the way we handle your data or have dealt with a request, you have the

right to lodge a complaint with the Information Commissioner’s Office at or telephone 0303 123 1113.

Contact ICNARC

If you have any questions or want to request that your data is not included in a study please contact:

Sasha Korniak Data Protection Officer.

Address: 24 High Holborn, London WC1V 6AZ

Telephone 020 7831 6878


This animation is based on guidance produced by the MRC Regulatory Support Centre, which was written in consultation with the UK Information Commissioner's Office.