For patients (Scotland)

For more information on NCAA please view our patient information leaflet.

For information on the personal information held by ICNARC on patients included in the National Cardiac Arrest Audit (NCAA) and how we keep it safe, please view our privacy notice.

Privacy Notice

This Privacy Notice is intended to provide information for patients whose information may be used for the ICNARC Audit: National Cardiac Arrest Audit (NCAA), along with clinicians, family and friends and carers of patients. It explains what type of information we collect, why we collect it and what we do with it. NCAA is a collaboration between the Resuscitation Council UK (RCUK) and ICNARC.

This Privacy Notice was last updated on the 07/05/2024. We will update this Privacy Notice whenever we change the type of processing we carry out. Please regularly come back to here and check this notice for any changes.

In this document, the terms “you/your” refers to the patient.

We are the Intensive Care National Audit and Research Centre (ICNARC), an independent registered charity (charity number: 1039417).

Intensive Care National Audit & Research Centre (ICNARC)
Napier House
24 High Holborn
Tel: 020 7831 6878

The Data Protection Officer at ICNARC is Scott Carnegie. Further information is available by emailing  or by contacting the office on 0207 7831 6878.

For the purposes of the audit, ICNARC collect information regarding any resuscitation event commencing in-hospital where an individual receives chest compression(s) and/or defibrillation and is attended by the hospital-based resuscitation team (or equivalent). The information will include details of: the admission to hospital – for example date, reason for admission/attendance; the cardiac arrest event – for example the date and time, location of patient when they went into cardiac arrest, first recorded heart rhythm during cardiac arrest; and the outcome – both of the initial cardiac arrest event and at hospital discharge.

To help us manage and meet the objectives of the audit, ICNARC collects and holds personal information about you (your date of birth, NHS number or CHI number, sex, ethnicity and other health data) is collected by the resuscitation team at the hospital where you became involved in the audit and securely submitted to ICNARC.

Your privacy is important to us, and we want to protect your personal information from being seen by anyone who isn’t connected with the audit. One of the ways we do this is by allocating each cardiac arrest event a unique code number, called a ‘Team visit number’. This means we can keep a record of the event, without you being identifiable to anyone outside the audit process or directly involved in your care.

A trained member of staff from the hospital collects the information about each in-hospital cardiac arrest event responded to by the resuscitation team. They then enter that information onto a secure website which can only be accessed using a username and password.

The personal information we collect will be used for the following purpose:

  • To conduct an audit of patient outcomes following in-hospital cardiac arrest;
  • To provide reports to participating hospitals, benchmarking them with other providers across the UK and supporting local performance management and quality improvement and:
    • improve patient outcomes;
    • provide information to identify and decrease the incidence of avoidable cardiac arrests; and
    • provide information to decrease the incidence of inappropriate resuscitation.

Further information on the audit can be found on our website.

We may share your personal information in the following circumstances during the course of our activities:

  • Only certain ICNARC staff will have access to your personal information. Where appropriate approvals are in place, your personal information may be shared with certain third parties or other researchers for further analysis or to assist in research projects;
  • Participating hospitals can request additional analyses on data for cardiac arrest events in their hospital, or the raw validated data, for the purposes of local quality improvement; and non-participating hospitals or other third parties can request NCAA data or analysis. Any such requests are subject to approval by the NCAA Steering Group. These data are used to assist in other research or audits relating to in-hospital cardiac arrest.

Information collected during NCAA is stored on ICNARC’s secure servers which are owned by an authorised contractor called Exponential-e. ICNARC takes steps to ensure this information is not lost and makes regular back-ups. ICNARC also contract Babble Cloud who provide external desktop and network managed services, including end user and infrastructure support. Employees at Babble Cloud will not access the information, however, they do have remote access to ICNARC servers.

ICNARC processes your personal information for the purposes of the audit, under our legitimate interest of supporting improvements of standards in resuscitation as part of our purposes as a charity.

ICNARC processes special category data under the basis of public interest in the area of public health. The special categories of personal data we collect includes:

  • Ethnic origin
  • Health data

In order to carry out this work we have been given permission to collect and use this information under very strict conditions of confidentiality and data security by the Confidentiality Advisory Group in England and Wales. For Scotland, the Caldicott Guardians for the participating hospitals provide approval of security assurance.

Electronic patient and organisational information (such as databases, questionnaires or health records etc.) are kept on secure servers and only authorised ICNARC staff have access to patient identifiable information. Access to your personal data is password-protected and our servers are regularly monitored for possible vulnerabilities and attacks.

ICNARC holds all records that are supplied by NHS organisations in the strictest confidence. All staff adhere to our internal policies and procedures and are regularly trained in data protection.

The specific retention requirements for health and care records are listed in the Records Management Code of Practice for Health and Social Care 2021 in its detailed retention schedule.

As NCAA is an ongoing audit, information relating to you and your care will be retained on an indefinite basis by ICNARC.

Subject to certain conditions, you have the following rights in relation to your personal data:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

In the event that you wish to make a complaint about how your personal data is being processed by ICNARC, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and ICNARC’s Data Protection Officer.

The details for each of these contacts are:

Data Protection Officer (DPO) / GDPR Owner contact details

Scott Carnegie
24 High Holborn
020 7831 6878

Supervisory authority contact details

ICO – Information Commissioner’s Office

Wycliffe House
Water Lane
Tel: 0303 123 1113