For patients (Wales)

For more information on the CMP please view our patient information leaflet.

For information on the personal information held by ICNARC on patients included in the Case Mix Programme and how we keep it safe, please view our privacy notice.

Privacy Notice

This Privacy Notice is intended to provide information for patients whose information may be used for the ICNARC Audit: Case Mix Programme (CMP), along with clinicians, family and friends and carers of patients. It explains what type of information we collect, why we collect it and what we do with it.

This Privacy Notice was last updated on 07/05/2024. We will update this Privacy Notice whenever we change the type of processing we carry out. Please come back here regularly and check this notice for any changes.

In this document, the terms “you/your” refer to the patient.

We are the Intensive Care National Audit and Research Centre (ICNARC), an independent registered charity (charity number: 1039417).

Intensive Care National Audit & Research Centre (ICNARC)
Napier House
24 High Holborn
Tel: 020 7831 6878

The Data Protection Officer at ICNARC is Scott Carnegie. Further information is available by emailing  or by contacting the office on 0207 7831 6878.

For the purposes of the audit, ICNARC will collect information regarding patients admitted to critical care units and their stay in critical care and hospital. This information details the circumstances of admission – for example date, reason for admission/attendance; medical history, severity of illness, stay on the unit and the outcomes for both critical care and hospital.

ICNARC also collects and holds personal information about you. The personal information collected as part of the CMP is your NHS Number, date of birth, postcode, sex and ethnicity.

Your privacy is important to us, and we want to protect your personal information from being seen by anyone who isn’t connected with the audit. One of the ways we do this is by ensuring that each critical care admission is allocated a unique code number, called an ‘Admission number’. This means we can keep a record of the event, without you being identifiable to anyone outside the audit process or directly involved in your care.

Critical care units collect information on all the patients they admit to their unit. They securely submit this information to ICNARC, where the key patient identifiers (NHS Number, date of birth and postcode) are encrypted and stored, with access restricted to staff with the appropriate permission. The CMP team run checks to ensure the information is complete and valid. If there are errors or missing information, the units have the chance to correct and complete the information before analysis reports are run.

The personal information we collect will be used for the following purposes:

  • to conduct an audit of patient outcomes following admission to critical care;
  • to provide a national resource for practising, managing and commissioning critical care in the UK; and
  • to provide reports to participating units, benchmarking them with other providers across the UK and supporting local performance management and quality improvement.


Further information on our audits can be found here.

We may share your personal information in the following circumstances during the course of our activities:

  • Certain ICNARC staff will have access to your personal information. Where appropriate approvals are in place, your personal information may be shared with certain third parties or other researchers for further analysis or to assist in research projects; and
  • Participating critical care units can request additional analyses of their CMP data, or the raw validated data, for the purposes of local quality improvement.

Information collected for the CMP is stored on ICNARC’s secure servers which are owned by an authorised contractor called Exponential-e. ICNARC takes steps to ensure this information is not lost and makes regular back-ups. ICNARC also contracts Babble Cloud, who provide external desktop and network managed services, including end user and infrastructure support. Employees at Babble Cloud will not access the information; however, they do have remote access to ICNARC servers.

ICNARC processes your personal information for the purposes of the audit, under our legitimate interest of supporting improvements of standards in intensive care as part of our purposes as a charity and under our articles of association. Namely, the advancement of education about the organisation and practice of critical care, in particular through the promotion of audit and research into critical care and the publication of the useful results of such audit and research.

ICNARC processes special category data under the basis of public interest in the area of public health. The special categories of personal data we collect include:

  • Ethnic origin
  • Health data

In order to carry out this work we have been given permission to collect and use this information under very strict conditions of confidentiality and data security by the Confidentiality Advisory Group in England and Wales.

Electronic patient and organisational information (such as databases, questionnaires or health records etc.) is kept on secure servers and only authorised ICNARC staff have access to patient identifiable information. Access to your personal information is password-protected and our servers are regularly monitored for possible vulnerabilities and attacks.

ICNARC holds all records that are supplied by NHS organisations in the strictest confidence. All staff adhere to our internal policies and procedures and are regularly trained in data protection.

The specific retention requirements for health and care records are listed in the Records Management Code of Practice for Health and Social Care 2021 in its detailed retention schedule.

As the CMP is an ongoing audit, information relating to you and your care will be retained on an indefinite basis by ICNARC.

Subject to certain conditions, you have the following rights in relation to your personal data:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.

In the event that you wish to make a complaint about how your personal data is being processed by ICNARC, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and ICNARC’s Data Protection Officer.

The details for each of these contacts are:

Data Protection Officer (DPO) / GDPR Owner contact details

Scott Carnegie
24 High Holborn
020 7831 6878

Supervisory authority contact details

ICO – Information Commissioner’s Office

Wycliffe House
Water Lane
Tel: 0303 123 1113