General privacy notice

This Privacy Notice is intended to provide information for patients, clinicians, staff, parents/carers of service users whose information may be used for ICNARC Audits and Research Studies. It explains what type of information we collect, why we collect it and what we do with it.

This privacy notice was last updated on 07/06/2022. We will update this privacy notice whenever we change the type of processing we carry out. Please come back here regularly and check this notice for any changes.

We are the Intensive Care National Audit and Research Centre (ICNARC), an independent registered charity (charity number: 1039417).

We provide high quality information:

  • through our national clinical audits, where hospitals/critical care units use information from reports to help them improve care;
  • through our research, where data are collected to answer specific questions or to test theories.

We do not make a profit – all income is spent on delivering a high quality service to the critical care community. Audits are funded by the hospitals we provide audit services to. Research is funded by grants.

The Data Protection Officer at ICNARC is Scott Carnegie. Further information is available by emailing  or by contacting the office on 0207 7831 6878.

We deal with information on participants in our audits and research studies for the purpose of improving the care of future patients. We do this because it is in our legitimate interest. We process this information either with the consent of the participant or with approval from the Confidentiality Advisory Group under Section 251 of the NHS Act 2006. The information may include information from the patients’ hospital medical records, questionnaires completed by patients, their family members or clinicians involved in the patients’ care, and medical records from other doctors and healthcare organisations, such as GPs and NHS Digital. Each audit and study has its own privacy impact assessments giving more details of the data processed.

We deal with information on staff (including, but not limited to, job applicants, honorary and associate staff, current and former employees, trustees, temporary staff employed through employment agencies and freelance staff) for the purposes of administration and recruitment. We do this in most cases because we have a contract with each individual and we need to use the information to perform that contract. However, we are required to process certain information because we have a legal obligation to do so (for example, staff medical information, staff training records, health surveillance records, or other such reasons that employment law, equality law or Health & Safety legislation obliges us to). The information may include (for example) contact details, details of current and previous employment or experience and details about salaries, finances, pensions, roles, sick leave, performance, diversity, ethnicity and disabilities. For job applicants, all of the information provided during the recruitment process will only be used for the purpose of progressing the application, or to fulfil legal or regulatory requirements. The information we ask for is used to assess suitability for employment.

We deal with information relating to our contacts (including staff at healthcare providers participating in our audit and research studies, medical directors, clinical directors and executives) for the purpose of providing them with information relevant to their relationship with us. We do this because it is in our legitimate interests as we need to work with these individuals. The information may include (for example) contact details and details of each individual’s interaction with ICNARC. All these people can always opt out of marketing communications we have with them or they can ask us to delete information we hold for marketing purposes.

We deal with information relating to suppliers for the purpose of administering contracts for supplies of products, goods and services. We do this because we have a contract with those suppliers. The information may include (for example) contact details, insurance details and financial details. We also deal with information relating to suppliers (and individual employees at suppliers) for the purpose of maintaining contact lists of people we can call on to supply us in future. We do this because it is in our legitimate interests to maximise the availability of suppliers. The information we deal with for this purpose is names and contact details.

We deal with information regarding users of our websites for the purpose of improving the information we supply. We do this because it is in our legitimate interest. The information may include (for example) technical information, such as your browsing activity across our website and your IP address. An IP address provides the location of the server you are contacting us from. We only use this information to ensure website security.

We collect a large sample of patient cases directly from hospitals for each Audit or Study.

The information we collect for the case note review could include:

  • A questionnaire completed by the clinician involved in the patient’s care
  • Data from your hospital medical records
  • Medical records from other doctors and other health care organisations such as GPs.

Once each study or audit has finished the information is anonymised and we remove any information relating to the identity of the patient including name, address, date of birth, hospital and/or NHS number.

Some patient-identifiable information is collected without obtaining consent from the patient under Section 251 of the NHS Act 2006.

Data collected not related to specific audits or studies:

  • Your name
  • Your contact details
  • Your job role and your organisation
  • Information from other publicly available sources (such as social media)
  • If you apply for a job with us we will collect information about your employment history, qualifications and references
  • If you work for us we will collect and use additional personal information, such as health details and financial details
  • If you fill in any questionnaires, surveys or feedback forms we will collect your experiences, opinions and any health information you are happy to share with us
  • If you interact with our website we may collect certain technical information, such as your browsing activity across our website and your IP address. An IP address provides the location of the server you are contacting us from. We only use this information to ensure website security.

The personal data we collect will be used for the following purposes:

Our audits or research, or within the scope of operating our day-to-day organisation, in terms of staff, suppliers, events and recruitment.

The legal bases for collecting and using personal data are:

  • Public Task
    • We collect only the information that is necessary to carry out our function and avoid collecting information that will not be used. This is received from healthcare providers, such as NHS Trusts and Health Boards. To see what information is held in your healthcare record please contact your local Trust or Board, or GP.
  • Consent
    • Where people attend events or work with ICNARC, consent is received for us to store and process personal data.
  • Contract
    • For example, this is the basis we use when it is necessary for us to take specific steps before entering into a contract with you to supply you a service or vice versa.
  • Legal obligation
    • For example, this is the basis we use when it is necessary for us to comply with the law (not including contractual obligations) because we are required to keep documentation to produce in court proceedings.
  • Legitimate interests
    • This basis is used to allow us to hold and use information in relation to fulfilling our subscriptions and use of our services in the future.


The legal bases for processing special categories of personal data are:

  • Article 9(2)(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
  • Article 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection;
  • Article 9(2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • Article 9(2)(g) processing is necessary for reasons of substantial public interest;
  • Article 9(2)(i) processing is necessary for reasons of public interest in the area of public health;
  • Article 9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The special categories of personal data concerned are:

  • Racial
  • Ethnic origin
  • Political opinions
  • Religious beliefs
  • Philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data concerning a natural person’s sex life
  • Sexual orientation

ICNARC will process personal data as stated in the Compliance & Retention of Records Procedure. Please contact our DPO for more information.

Subject to certain conditions, you have the following rights in relation to your personal data:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
  • Right to judicial review – in the event that ICNARC refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.

Where your rights are different for individual research studies compared to the ICNARC privacy policy, the individual research study privacy policy takes priority.

In the event that you wish to make a complaint about how your personal data is being processed by ICNARC, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and with ICNARC’s data protection representatives (Data Protection Officer / GDPR Owner).

The details for each of these contacts are:

Data Protection Officer (DPO) / GDPR Owner contact details

Scott Carnegie, 24 High Holborn, London, WC1V 6AZ, 020 7831 6878

Supervisory authority contact details

ICO – Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

If you are a patient, we may collect your NHS number and date of birth early in the study when we collect a list of patients meeting certain criteria from your healthcare provider.

Most of the personal information we collect may have been received directly from you. You may give us your name and contact information or other personal data:

  • When you fill out a form on our website
  • When you communicate with us, for example if you make an enquiry
  • When you engage with us on social media
  • When you attend an event
  • When you complete any surveys or feedback forms we send you
  • When you fill in any forms
  • When you apply for a job with us
  • If you work for us or with us
  • If you buy one of our services or products, or if we buy from you
  • We may also receive information about you from third parties, for example our service providers and suppliers, or from third parties who may have gathered your consent on our behalf, or from publicly available sources, such as social media.

The primary purpose of ICNARC’s work is to examine factors that can be changed about the quality of care provided to patients to improve the care of future patients. We publish a report at the end of the Audits and Studies so improvements can be made to improve care for future patients.

In order to carry out this work we have been given permission to collect and use this information under very strict conditions of confidentiality and data security by the Confidentiality Advisory Group in England and Wales. Access to this information is strictly limited to those who need to process it and all information is anonymous in the final reports. Once the study is complete all data are securely destroyed.

Through this process the reviewers identify aspects of care which could be done better in the future to improve care for patients in the study areas. We are careful to ensure that publications do not contain any information that could lead to the identification of any person.

We take the responsibility of holding people’s personal data very seriously. We have internal policies which set out and guide our data security. All staff adhere to this approach and are regularly trained in data protection.

Electronic patient and organisational information (such as databases, questionnaires or health records etc.) is kept on secure servers and only ICNARC staff have access to patient identifiable data. Access to your personal data is password-protected and our servers are regularly monitored for possible vulnerabilities and attacks.

ICNARC holds all records that are supplied by NHS organisations in the strictest confidence.

Information Security and Information Governance require clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. As such we have created the following documentation to clearly detail the policies and procedures we have in place.

We may share your personal information with third parties (for example, NHS Digital) for Data Linkage purposes under Section 251 and legitimate interest for clinical trials. Data linkage is a process which temporarily brings together two or more sets of research or audit data from different organisations to produce a wealth of information which can be used for research and statistical purposes. This allows for the true value of the data to be realised.

The process is:

  • if it is in the public interest to do so
  • for clearly specified research and statistical purposes
  • for the duration of the work as agreed by the associated data controllers
  • if it is legal to do so.

We may also share anonymised and processed data with third parties under a data sharing agreement for additional analysis, but this never includes personal data, or anything that could identify an individual. Personal data to help improve health care.

Order information: when you place an order for goods and services – including memberships, subscriptions and events – we retain that information for six years following the end of the financial year in which you placed your order, in accordance with our legal obligation to keep records for tax purposes. To avoid administrative burdens on ICNARC, we will therefore keep memberships, subscriptions and events records and event attendee information for the same amount of time after a member has lapsed or an attendee no longer engages with the organisation.

Correspondence and enquiries: when you make an enquiry or correspond with us, we will retain your information for as long as it takes to respond to and resolve your enquiry, and for a further 3 years, after which point we will delete your information. The exception is where the enquiry or correspondence is in connection with an audit or a research study, in which case retention would be in line with the audit or study protocols.

Mailing Lists: if you consent to receive information from ICNARC on certain events, we retain the information you used to sign up for that mailing list for as long as you remain subscribed (i.e. you do not unsubscribe) or until we decide to cancel that mailing list service, whichever comes earlier.

Event attendees: We retain your details for the duration of the event you attend and for six years afterwards. This is because events tickets include a financial transaction of which we are required to keep details.

In any other circumstances, including audits or research studies, we will retain your information for no longer than necessary, taking into account the following:

  • the purpose(s) and use of your information both now and in the future (such as whether it is necessary to continue to store that information in order to continue to perform our obligations under a contract with you or to contact you in the future);
  • whether we have any legal obligation to continue to process your information (such as any record-keeping obligations imposed by relevant law or regulation);
  • whether we have any legal basis to continue to process your information (such as your consent or Section 251);
  • how valuable your information is (both now and in the future);
  • any relevant agreed industry practices on how long information should be retained (HRA, the Health Research Authority, and others);
  • the levels of risk, cost and liability involved with us continuing to hold the information;
  • how hard it is to ensure that the information can be kept up to date and accurate; and
  • any relevant surrounding circumstances (such as the nature and status of our relationship with you).

The right to erasure

You can request that we don’t use personal information about you in our studies and we will ensure that any of your information we hold is destroyed. This will need to be done on a study-by-study basis; otherwise the only way we could remove you from all audits and studies would be to hold personal data about you to compare with the patient information that we receive. You also have the right to restriction of processing and to object to processing. We treat these the same way as the right to erasure and remove all information about you. If you decide that you would prefer that your information is not used, please let us know by contacting us in writing at the postal address or use this email address link

The right of access

You have the right to see what information is held about you. If you are a patient, generally we don’t use names and addresses so you would have to know your NHS number. You have the right to rectify any data that is incorrect but rectifying it with us would not change the information in your health record and you may want to contact your healthcare provider directly.

We do:

  • Use personal data to help improve health care services;
  • Keep all personal data secure and confidential;
  • Give you the right to opt out of any of our studies or audits.

We do not:

  • Share your personal data with third parties for marketing purposes;
  • Use personal or identifiable data in our reports.

Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.

ICNARC can, at your request, confirm what information we hold about you and how it is processed. If ICNARC does hold personal data about you, you can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of ICNARC or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

ICNARC accepts the following forms of ID when information on your personal data is requested: Passport, driving licence, birth certificate, utility bill (from last 3 months), etc.