NJR Privacy Notice
Why is the data collected?
The National Joint Registry for England, Wales, Northern Ireland, and the Isle of Man (NJR) collects data about hip, knee, shoulder, elbow, and ankle joint replacement surgery. The purpose of collecting the data is to monitor the performance of orthopaedic implants, surgical teams, and hospitals in order to improve the outcomes of joint replacement surgery and to ensure patient safety. The aims and goals of the NJR are set out in its strategic plan and are summarised on its website at: http://www.njrcentre.org.uk/njrcentre/AbouttheNJR/tabid/73/Default.aspx.
We provide information and evidence to:
· Help surgeons choose the best artificial joints (implants) for patients
· Empower patients by helping them find out more about the implants available to them
· Improve patient safety by showing how well implants, surgeons and hospitals perform and to take action where it is needed
· Give hospitals, surgeons and implant manufacturers feedback about their performance to help them improve patient care
· Help surgeons quickly decide if patients need to return to hospital if there is any reported problem with specific implants
What personal data is collected?
Your hospital will input specific details of your operation into the NJR. These details include the type of implant you received, which surgical technique was used, which side of your body the implant went into, as well as your age and gender. The NJR asks all patients to give their permission (consent) to have their personal details confidentially recorded with their operation details – this allows the NJR to be more effective in its role. In order to achieve its aims, the NJR needs to collect patient identifiable data so that it can link primary or first operation, joint replacements to revision, or second operation, procedures for the same patient. Being able to link primary and revision operations for the same patient is essential if the NJR is to meet its strategic goals. The personal data collected by the NJR for each patient includes: Forename, Surname, Gender, Date of Birth, Postcode and NHS Number (or, in Northern Ireland, Health and Care Number). This data is used to link primary and revision procedure records for an individual patient and items, such as gender and date of birth, enable the NJR to undertake additional analysis such as the outcomes of joint replacement surgery for different age groups. The NJR also collects a patient’s address and date of death. The former enables the NJR to invite patients to take part in clinical audits and, where appropriate consent is given, research projects. The date of death, along with the date of any revision procedure, is essential to calculate the outcomes of surgery.
What is the legal basis for processing?
The legal basis for us to process your data is that the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Section 6.1.e of the General Data Protection Regulation) and “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”(Section 9.2.i). However, the NJR will always try to obtain patient’s consent to collect your data. Before an operation, patients should be offered an NJR consent form and patient information leaflet, both of which explain why the NJR collects patient data, what data is collected, how it is used, and how it is protected. The consent form and patient information leaflet can be found at:
For patient in England and Wales, the NJR also collects personal details where consent is recorded as unknown, i.e. a patient has not been asked to consent. This does not happen in many cases and the NJR has permission to collect details for these records under Section 251 of the NHS Act 2006 (which does not apply in Northern Ireland and the Isle of Man) in the interests of ensuring patient safety and patient outcomes. If we don’t know whether you have consented or not, you will not be contacted by the NJR nor invited to take part in any follow up study or research project. Any data that we hold about you will not be made available to researchers outside of the NJR.
Patients do not have to give consent for the NJR to hold their personal data and if a patient decides to withdraw previously given consent they can do so at any time by contacting the NJR Centre using the contact details provided below. If a patient withdraws consent, all personal details will be deleted from all records relating to that patient. Whatever you decide, it will not affect the care you will receive in this hospital or any future care and neither will it affect your legal rights.
Giving your consent is voluntary. 9 out of 10 patients agree to have their details added to the NJR.
How is the data processed?
All data collected by the NJR is stored in a secure facility, and personal data encrypted and stored on a secure computing infrastructure. All data is accessible only to a very limited number of NJR Centre staff. Although the NJR will use personal data to create data sets for analysis, those data sets will have all patient personal data removed. All published information uses aggregated or combined data, so that no individual patients could be identified.
The NJR also has permission under Section 251 of the NHS Act 2006 to use patient identifiable data to link to other health datasets. Currently, these include:
• The Hospital Episodes Statistics (HES) service for NHS patients in England.
• The Patient Episode Database Wales (PEDW) service for NHS patients in Wales.
• The NHS England Patient Reported Outcomes Measures (PROMs) service
• Data from the Office of National Statistics
• Data from the Department of Health Information and Analysis Directorate, Northern Ireland.
The purpose of linking to these data sets is to enhance the type of analyses undertaken by the NJR. Linking to data that has already been collected saves hospitals having to provide the same information more than once to different organisations.
Identifiable information is sent securely to the NJR centre where it is linked to NJR data. The resulting, linked data set that is used for analysis will not include patient identifiable data. Again, the outcomes of the analyses are published as aggregated data so it is not possible to identify individuals.
The NJR submits personal data to the NHS Personal Demographics Service for batch tracing. This will confirm that the NHS number provided is correct and, where it is missing, use the other personal data to provide one. The tracing will also provide a patient’s date of death and their current address. Information about a patient’s death is essential for the calculations used in determining the outcomes of surgery. The NJR will often either undertake or support follow up audits or research and we need to contact patients by mail. Patients who have undergone a shoulder replacement, for example, will routinely be sent a questionnaire and asked to complete it.
A similar tracing process is undertaken for patients within Northern Ireland. This is under a separate data sharing agreement with the Department of Health Information and Analysis Directorate, Northern Ireland.
The release of all NJR data is subject to strict controls and patient identifiable data will only be released for research projects approved by the NHS Health Research Authority and where the NJR Centre has sought a patient’s explicit consent beforehand.
A full list of processing activities is outlined in Appendix 1.
The NJR also undertakes regular data quality audits to ensure that hospital are submitting all the eligible data from operations that they perform to the NJR. Having complete data means that NJR is able to notify hospitals, surgeons and implant manufacturers more quickly about concerns about the quality of care. The data quality audit involves hospitals submitting data from their local Patient Administration Systems (PAS) to the NJR. Any records that do not match an NJR submission are reported back to the hospital. The personal data on unlinked patients is then deleted from NJR systems.
What information does the NJR publish?
The NJR publishes data for a range of different stakeholders in a variety of different places. Some secure services are available for surgeons, suppliers, and hospital management. Surgeons can only see information about procedures that they have carried out, or patients who have a revision operation for a procedure that they were the operating surgeon for the primary surgery. Suppliers and hospital management do not have access to record level detail that could identify you.
Publicly available information can be found at www.njrcentre.org.uk and http://www.njrreports.org.uk
How is data used for medical research?
Operation and patient information in the NJR may be used for medical research. The purpose of this research is to improve our understanding and treatment of joint problems. The majority of our research uses only anonymised information which means it is impossible to identify individuals.
If the research team require linked datasets, then identifiable data is sent securely from the data controller of the other dataset (normally NHS Digital or the NHS Wales Informatics Service) to Northgate Public Services. The linked data is then pseudonymnised and sent on to the researchers.
From time to time, researchers may wish to gather further information. In these cases we would seek your approval prior to disclosing your contact details. You do not have to take part in any research study you are invited to participate in and saying no does not affect the care you receive.
Please be reassured that the storage, release and use of this data are subject to very strict controls.
You can find examples of how we use data for research at www.njrcentre.org.uk.
Patients are not obliged to take part in any follow up study and refusal to do so will not affect a patient’s care. Your personal details will not be passed onto any third party without your permission.
Who controls the use of the data?
The Healthcare Quality Improvement Partnership (HQIP) acts as ‘host’ to the NJR and in this role is responsible for NJRs compliance with necessary legal and statutory frameworks. As such HQIP acts as the data controller and is responsible for how the data is used. In deciding who can have access to the data, HQIP has a clearly defined approvals process which involves a group with clinical, information governance, patient confidentiality, data protection, and legal expertise.
The release of any data is subject to rigorous controls and, as stated previously, personal data would only be released for research where a project has received the appropriate approvals and individuals have been contacted by the NJR and invited to take part. For further information about approvals for research projects, please visit www.hra.nhs.uk.
Who processes the data?
The data is processed by Northgate Public Services (UK) Ltd (NPS). NPS is contracted by HQIP to provide the data collection, aggregation, and reporting services for the NJR. NPS provides the NJR Centre staff and is certified to international standards for information security, information management, and data processing. In addition to providing the data entry application and the facilities for storing and protecting the data, NPS also provide the online reporting services. A very limited number of staff have access to the data. It is NPS staff who undertake the linkage of NJR data to other datasets and who provide data for analysts following approval from HQIP. For further information about NPS please visit: https://www.northgateps.com/sectors/healthcare/
The other NJR data processor is the University of Bristol whose specialist staff provide statistical and analysis services for the NJR. They are provided with data, both NJR-only and NJR-linked data, by NPS for all analysis projects, including the annual report data set. The data provided to the University does not contain personal information and all published data is aggregated. Even as a data processor, the team at the University of Bristol does not have regular access to patient identifiable information for NJR data and has no access to patient identifiers for linked datasets.
Do I have to provide my personal information to the NJR?
Patients do not have to consent to the NJR holding their personal information. However, the NJR will not be able to meet its aims of improving the outcomes of joint replacement surgery and improving patient safety if patients do not provide their consent.
If a patient, having granted consent, wishes to withdraw that consent they can contact the NJR and ask for their personal information to be removed from the NJR database. The NJR will retain a record of the operation which will not include any information that could identify a patient. Such a record cannot be linked to any other procedures for the same patient, will not be used in any analyses, and cannot be used to enable the NJR to identify any patient to a hospital in the event of issues being identified with their implants.
How long does the NJR keep the data?
Data will be retained for as long as the NJR exists, plus an additional five years. The data is required to confirm the linkage between all procedures for the same patient and for the same joint. For example, a patient may have a primary right hip replacement that is revised fifteen years later. The data is essential in order to be able to link those two procedures.
Data received by the NJR from other data controllers for the purposes of linkage will be destroyed as required by the Data Sharing Agreement between the NJR and those data controllers. Derived data sets produced from the pseudo-anonymised dataset can be retained. However, with the destruction of the original data containing the identifiers, it is not possible to reconstruct the data such that an individual patient could be identified.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please visit our website at http://www-new.njrcentre.org.uk/njrcentre/Patients/AccessingyourNJRdata/tabid/211/Default.aspx or contact us at: email@example.com
You also have the right to:
• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• a right to seek redress, either through the ICO, or through the courts
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
How to find out more
If patients wish to either obtain data about them held by the NJR or withdraw consent they should contact the NJR using the following contact details:
Phone: 0845 345 9991
Address: The NJR Centre, c/o Northgate Public Services Peoplebuilding 2, Maylands Avenue, Hemel Hempstead, HP2 4NW
Our data protection officer (DPO) can be contacted on: firstname.lastname@example.org
Information about hospital staff
We hold contact details for data entry staff, NJR hospital data managers (HDM), surgeons, and trust Chief Executives and trust medical directors. Information collected includes name, job title, telephone number and email address.
The information that we collect about system users and clinicians are collected in order to allow users to submit data to the NJR. As such the legal basis for the collection of this information is the we have a legitimate interest in obtaining and processing this data in order to carry out the functions of the NJR
Surgeons have to be registered with the NJR so that they can have either have procedures submitted in their name as a Consultant in Charge or be recorded as a Lead Surgeon. Surgeons are associated with one or more hospitals so that they can be selected for procedures submitted by those hospitals. All procedures are associated with a consultant in charge and a lead surgeon who may, or may not be, the same person. This is to enable the monitoring of outcomes at a surgical level. The data provided by surgeons is linked to data provided by the General Medical Council and a surgeon’s GMS number is linked and stored with the surgeon’s record on the NJR database.
Surgeons are also encouraged to provide a valid email address when logging onto the NJR’s secure online service, NJR Clinician Feedback. All provided email addresses are collected and held in the contact database held and maintained by HQIP and are used to provide surgeons with important information, e.g. informing them when data intended for publication as part of the Clinical Outcomes Programme is available for validation.
As part of our outlier management process, the personal details of operating surgeons who are identified as being statistically outlying for performance are provided to investigating clinicians and Trust Chief Executives in line with our outlier management policies. For more information about outlier management see http://www.njrcentre.org.uk/njrcentre/Surgeons/Orthopaedicconsultantoutcomespublication/tabid/356/Default.aspx
For Hospital Data Managers (HDM) and Data Entry Staff, the personal data held will include names and contact information (email address and telephone number). This data is stored securely in the NJR’s database and is necessary to enable staff to enter and manage the data for those hosptials with which they are associated. Without this information, staff will not be able to carry out their duties with respect to the NJR. The details of HDMs are held by the NJR’s Regional Coordinators and they are included in the contacts database held and maintained by HQIP.
NJR Email News Bulletins
The provision of name, job title and personal email contact data is needed should the subscriber wish to receive NJR bulletin updates on news and events, and other optional information, relevant to their work or interests. The subscriber can also voluntarily opt in by ticking a box to receive information by email on each of NJR’s other information services. The contact data is stored in our password protected email system and used exclusively to enable bulletins and these other information updates, where ticked, to be sent. NJR will retain this personal data for as long as NJR is funded or until the person unsubscribes from the bulletin, which they can do at any time.
NJR administrative staff control the data and do not share this with any third-parties, except for our email service supplier Clarity in Marketing (www.clarityinmarketing.com). We provide only the information they need to perform their specific services, in relation to the purposes described above. They are bound by a strict confidentiality agreement. If we stop using their services, any personal data used by them to support that service will be deleted or rendered anonymous and we will inform you of this.
NJR GDPR Commitment Statement
This statement is supplementary to the Healthcare Quality Improvement Partnership’s GDPR commitment statement at https://www.hqip.org.uk/about-us/our-gdpr-statement/#.WuxL8Pkvx8w and refers only to the activity of the National Joint Registry (NJR)
HQIP is data controller for the National Joint Registry (NJR) and has committed to achieving compliance with the General Data Protection Regulation (GDPR), which took effect on 25th May 2018.
HQIP has an internal team, with executive oversight, who have assessed the requirements of the GDPR and planned a programme of work to achieve compliance.
We are working externally with our suppliers and partner organisations to ensure this work programme is delivered to enable HQIP to meet our obligations.
Our work programme falls into the following areas:
• We have appointed a Data Protection Officer (DPO): You can contact them at email@example.com
• Policy Development: We continue to develop and review our range of policies to ensure they meet GDPR standards.
• Individuals Rights: We have ensured that we have policies and processes in place to implement individual’s rights under GDPR.
• Data Protection Impact Assessments (DPIA): We have ensured that DPIAs are embedded into our processes and will be undertaken where needed for new processing activities.
• Training & Awareness: We continue to build awareness and undertake training across HQIP on the GDPR and its implications.
• Supplier & Partner relationships: Where appropriate, we will be using all reasonable endeavours to ensure that our third party and suppliers are complying with the GDPR.
HQIP will continue to monitor compliance with the GDPR.
If you have any further queries about our commitment to GDPR please contact our Associate Director for Research and Governance firstname.lastname@example.org