NJR Privacy Notice
Why do we collect data?
The National Joint Registry for England, Wales, Northern Ireland, and the Isle of Man (NJR) collects data about hip, knee, shoulder, elbow, and ankle joint replacement surgery. The purpose of collecting the data is to monitor the performance of orthopaedic implants, surgical teams, and hospitals in order to improve the outcomes of joint replacement surgery and to ensure patient safety. The aims and goals of the NJR are set out in its strategic plan and are summarised on its website at: /njrcentre/AbouttheNJR/tabid/73/Default.aspx
We provide data and evidence to:
- Help surgeons choose the best artificial joints (implants) for patients
- Empower patients by helping them find out more about the implants available to them
- Improve patient safety by showing how well implants, surgeons and hospitals perform; take action when needed
- Give hospitals, surgeons and implant manufacturers feedback about their performance to improve patient care
- Help surgeons decide if patients should return to hospital if there is any reported problem with specific implants
What data is provided?
Your hospital will input specific details of your operation into the NJR. These details include the type of implant you received, which surgical technique was used, which side of your body the implant went into, as well as your age and gender. The NJR asks all patients to give their permission (consent) to have their personal details confidentially recorded with their operation details – this allows the NJR to be more effective in its role. In order to achieve its aims, the NJR needs to collect patient identifiable data so that it can link primary (first operation) joint replacements to revision (second operation) procedures for the same patient. Being able to link primary and revision operations for the same patient is essential if the NJR is to meet its strategic goals.
The personal data collected by the NJR for each patient includes: Forename, Surname, Gender, Date of Birth, Postcode, Email and NHS Number (or, in Northern Ireland, Health and Care Number). This data is used to link primary and revision procedure records for an individual patient and items, such as gender and date of birth, enable the NJR to undertake additional analysis such as the outcomes of joint replacement surgery for different age groups. The NJR also collects a patient’s address and date of death. The former enables the NJR to invite patients to take part in clinical audits and, where appropriate consent is given, research projects. The date of death, along with the date of any revision procedure, is essential to calculate the outcomes of surgery.
What is our legal basis for processing your data?
The legal basis for us to process your data is that the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Section 6.1.e of the General Data Protection Regulation) and “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices” (Section 9.2.i). However, the NJR will always try to obtain patients’ consent to collect their data. Before an operation, patients should be offered an NJR consent form and patient information leaflet, both of which explain why the NJR collects patient data, what data is collected, how it is used, and how it is protected. The consent form and patient information leaflet can be found at:
For patients in England and Wales, the NJR also collects personal details where consent is recorded as unknown, i.e. a patient has not been asked to consent. This does not happen in many cases and the NJR has permission to collect details for these records under Section 251 of the NHS Act 2006 (which does not apply in Northern Ireland and the Isle of Man) in the interests of ensuring patient safety and patient outcomes. If we don’t know whether you have consented or not, you will not be contacted by the NJR nor invited to take part in any follow up study or research project. Any data that we hold about you will not be made available to researchers outside of the NJR.
Patients do not have to give consent for the NJR to hold their personal data and if a patient decides to withdraw previously given consent they can do so at any time by contacting the NJR Centre using the contact details provided below. If a patient withdraws consent, all personal details will be deleted from all records relating to that patient. Whatever you decide, it will not affect the care you will receive in this hospital or any future care and neither will it affect your legal rights. Giving your consent is voluntary; now 9 out of every 10 patients agree to have their details added to the NJR.
How do we process data?
All data collected by the NJR is stored in a secure facility, and personal data is encrypted and stored on a secure computing infrastructure. All data is accessible only to a very limited number of NJR Centre staff. Although the NJR will use personal data to create data sets for analysis, those data sets will have all patient personal data removed. All published information uses aggregated or combined data, so that no individual patients could be identified.
The NJR also has permission under Section 251 of the NHS Act 2006 to use patient identifiable data to link to other health datasets. Currently, these include:
- The Hospital Episodes Statistics (HES) service for NHS patients in England.
- The Patient Episode Database Wales (PEDW) service for NHS patients in Wales.
- The NHS England Patient Reported Outcomes Measures (PROMs) service
- Data from the Office of National Statistics
- Data from the Department of Health Information and Analysis Directorate, Northern Ireland.
The purpose of linking to these data sets is to enhance the type of analyses undertaken by the NJR. Linking to data that has already been collected saves hospitals having to provide the same information more than once to different organisations. Hospital Episode Statistics (HES) data is used to calculate whether a hospital has submitted the right number of records to the NJR; this is called compliance. The NJR also uses HES data to calculate Best Practice Tariff payments for hospitals in England. This is an NHS initiative where hospitals get extra funding if the care that they deliver to patients is deemed ‘good’ across a number of criteria.
Identifiable information is sent securely to the NJR centre where it is linked to NJR data. The resulting, linked data set that is used for analysis will not include patient identifiable data. Again, the outcomes of the analyses are published as aggregated data so it is not possible to identify individuals.
The NJR submits personal data to the NHS Personal Demographics Service for batch tracing. This will confirm that the NHS number provided is correct and, where it is missing, use the other personal data to provide one. The tracing will also provide a patient’s date of death and their current address. Information about a patient’s death is essential for the calculations used in determining the outcomes of surgery. The NJR will often either undertake or support follow up audits or research and we need to contact patients by mail or email. Patients who have undergone a shoulder replacement, for example, will routinely be sent or emailed a questionnaire and asked to complete it.
A similar tracing process is undertaken for patients within Northern Ireland. This is under a separate data sharing agreement with the Department of Health Information and Analysis Directorate, Northern Ireland.
The release of all NJR data is subject to strict controls and patient identifiable data will only be released for research projects approved by the NHS Health Research Authority and where the NJR Centre has sought a patient’s explicit consent beforehand.
A full list of processing activities is outlined in Appendix 1.
The NJR also undertakes regular data quality audits to ensure that hospitals are submitting all the eligible data from operations that they perform to the NJR. Having complete data means that NJR is able to notify hospitals, surgeons and implant manufacturers more quickly about concerns about the quality of care. The data quality audit involves hospitals submitting data from their local Patient Administration Systems (PAS) to the NJR. Any records that do not match an NJR submission are reported back to the hospital. The personal data on unlinked patients is then deleted from NJR systems.
Information sharing with NHS and non-NHS organisations
The NJR may share non-identifiable patient information with a range of NHS organisations, including:
- Appropriate NHS authorities for the purposes of clinical auditing.
- Medical researchers for research purposes.
- Bodies with statutory regulatory or investigative powers (such as Care Quality Commission or MHRA).
Patient-identifiable information is only shared with other organisations where the legal basis is clearly defined, as follows:
- When there is a Court Order or a statutory power to share patient data
- When the patient has given consent for the sharing
- When the sharing of patient data without consent has been authorised by the Health Research Authority under Section 251 of the NHS Act 2006
What information does the NJR publish?
The NJR publishes data for a range of different stakeholders in a variety of different places. Some secure services are available for surgeons, suppliers, and hospital management. More information on publications can be found at www.njrcentre.org.uk and http://www.njrreports.org.uk
How is data used for medical research?
Operation and patient information in the NJR may be used for medical research. The purpose of this research is to improve our understanding and treatment of joint problems. The majority of our research uses only anonymised information which means it is impossible to identify individuals.
If the research team require linked datasets, then we do this in one of two ways:
Data Access Portal projects:
- Identifiable data is sent securely from the data controller of the other dataset (normally NHS Digital or the NHS Wales Informatics Service) to Northgate Public Services
- Northgate Public Services link the NJR data with the other datasets using participant identifiers and then remove the identifiers leaving only an NJR study ID
- The pseudonymous, linked dataset is made available to the research applicant via the NJR Data Access Portal - a secure environment which allows the research to operate on the data on NJR systems without NJR having to release it.
Data release projects:
- Identifiable data is sent to the data controller of the other dataset (normally NHS Digital or the NHS Wales Informatics Service) from Northgate Public Services along with an NJR study ID
- The linkage data controller (normally NHS Digital or the NHS Wales Informatics Service) uses the participant identifiers to link the NJR study ID with the other dataset. They then send their data (for example Hospital Episode Statistics) with the NJR study ID to the researcher
- Meanwhile, Northgate Public Services send the NJR data, without any participant identifiers but including the same NJR study ID, to the researcher.
- The researcher can then use the NJR study ID to link the two datasets together for their project.
From time to time, researchers may wish to gather further information. In these cases, we would seek your approval prior to disclosing your contact details. You do not have to take part in any research study you are invited to participate in and saying no does not affect the care you receive. You can find examples of how we use data for research at www.njrcentre.org.uk.
Please be reassured that the storage, release and use of this data are subject to very strict controls. Patients are not obliged to take part in any follow up study and refusal to do so will not affect a patient’s care. Your personal details will not be passed on to any third party without your permission.
Who controls the use of the data?
The Healthcare Quality Improvement Partnership (HQIP) hosts the NJR and in this role is responsible for NJR's compliance with necessary legal and statutory frameworks. As such HQIP acts as the data controller and is responsible for how the data is used. In deciding who can have access to the data, HQIP has a clearly defined approvals process which involves a group with clinical, information governance, patient confidentiality, data protection and legal expertise.
The release of any data is subject to rigorous controls and, as stated previously, personal data would only be released for research where a project has received the appropriate approvals and individuals have been contacted by the NJR and invited to take part.
For further information about approvals for research projects, please visit www.hra.nhs.uk.
Both HQIP and the NJR comply with the national data opt-out policy. The HQIP privacy notice can be accessed at https://www.hqip.org.uk/about-us/privacy-policy
Who processes the registry data
The registry data is processed by Northgate Public Services (UK) Ltd (NPS). NPS is contracted by NJR (through HQIP) to provide the data collection, aggregation, and reporting services for the NJR. NPS provides the NJR Service Centre staff who oversee the data collection process and is certified to international standards for information security, information management and for data processing. In addition to providing the data entry application and the facilities for storing and protecting the data, NPS also provide the NJR online reporting services. A very limited number of staff have access to the data and it is NPS staff who undertake the linkage of NJR data to other datasets and who provide data for agreed data analysts, following approval from the NJR Management Team (hosted by HQIP). For further information about NPS please visit: https://www.northgateps.com/sectors/healthcare
The other NJR data processor is the University of Bristol whose specialist staff provide statistical and analysis services for the NJR. They are provided with data, both NJR-only and NJR-linked data, by NPS for all analysis projects, including the NJR annual report data set. The data provided to the University does not contain personal information and all published data is aggregated. Even as a data processor, the team at the University of Bristol does not have regular access to patient identifiable information for NJR data and has no access to patient identifiers for linked datasets.
Do I have to provide my personal information to the NJR?
Patients do not have to consent to the NJR holding their personal information. However, we ask you to consider the longer-term benefits to other patients in providing it. The NJR will not be able to meet its aims of improving the outcomes of joint replacement surgery and improving patient safety unless patients continue to provide their consent.
If a patient, having granted consent, wishes to withdraw that consent they can contact the NJR and ask for their personal information to be removed from the NJR database. The NJR will retain a record of the operation which will not include any information that could identify a patient. Such a record cannot be linked to any other procedures for the same patient, will not be used in any analyses, and cannot be used to enable the NJR to identify any patient to a hospital should any issue be later identified with their implant.
How long do we keep the data?
Data will be retained for as long as the NJR exists, plus an additional five years. The data is required to confirm the linkage between all procedures for the same patient and for the same joint. For example, a patient may have a primary right hip replacement that is revised fifteen years later. The data is essential in order to be able to link those two procedures.
Data received by the NJR from other data controllers for the purposes of linkage will be destroyed as required by the Data Sharing Agreement between the NJR and those data controllers. Derived data sets produced from the pseudo-anonymised dataset can be retained. However, with the destruction of the original data containing the identifiers, it is not possible to reconstruct the data such that an individual patient could be identified.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please visit our website at http://www-new.njrcentre.org.uk/njrcentre/Patients/AccessingyourNJRdata/tabid/211/Default.aspx or contact us at: firstname.lastname@example.org
You also have the right to:
- be informed about how your personal data is collected and processed.
- object to processing of personal data that is likely to cause, or is causing, damage or distress.
- prevent processing for the purpose of direct marketing.
- object to decisions being taken by automated means.
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed.
Should you have a concern or complaint about the way the NJR is collecting or using your personal data, you should raise your concern directly with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
How to find out more:
If a patient should wish to either obtain data about them held by the NJR or withdraw consent they should contact the NJR using the following contact details:
email@example.com Phone: 0845 345 9991
Address: The NJR Service Centre, c/o Northgate Public Services, Peoplebuilding 2, Maylands Avenue, Hemel Hempstead, HP2 4NW
Our data protection officer (DPO) can be contacted on: firstname.lastname@example.org
Information about hospital staff
We hold contact details for data entry staff, NJR hospital data managers (HDM), surgeons, and trust Chief Executives and trust medical directors. Information collected includes name, job title, telephone number and email address.
The information that we collect about system users and clinicians is collected in order to allow users to submit data to the NJR. As such, the legal basis for the collection of this information is that we have a legitimate interest in obtaining and processing this data in order to carry out the functions of the NJR.
Surgeons have to be registered with the NJR so that they can either have procedures submitted in their name as a Consultant in Charge or be recorded as a Lead Surgeon. Surgeons are associated with one or more hospitals so that they can be selected for procedures submitted by those hospitals. All procedures are associated with a consultant in charge and a lead surgeon who may, or may not be, the same person. This is to enable the monitoring of outcomes at a surgical level. The data provided by surgeons is linked to data provided by the General Medical Council and a surgeon’s GMS number is linked and stored with the surgeon’s record on the NJR database.
Surgeons are also encouraged to provide a valid email address when logging onto the NJR’s secure online service, NJR Clinician Feedback. All provided email addresses are collected and held in the contact database held and maintained by HQIP and are used to provide surgeons with important information, for example, informing them when data intended for publication as part of the Clinical Outcomes Programme is available for validation.
As part of our outlier management process, the personal details of operating surgeons who are identified as being statistically outlying for performance are provided to investigating clinicians and Trust Chief Executives in line with our outlier management policies. For more information about outlier management see /njrcentre/Surgeons/Orthopaedicconsultantoutcomespublication/tabid/356/Default.aspx
For Hospital Data Managers (HDM) and Data Entry Staff, the personal data held will include names and contact information (email address and telephone number). This data is stored securely in the NJR’s database and is necessary to enable staff to enter and manage the data for those hospitals with which they are associated. Without this information, staff will not be able to carry out their duties with respect to the NJR. The details of HDMs are held by the NJR’s Regional Coordinators and they are included in the contacts database held and maintained by HQIP.
NJR Email News Update Bulletins
The provision of name, job title and personal email contact data is needed should the subscriber wish to receive NJR news and events bulletin updates, and other optional information, relevant to their work or interests. The subscriber can also voluntarily opt in by ticking a box to receive information by email on each of NJR’s other information services. The contact data is stored in our password protected email system and used exclusively by our Communication Manager to enable bulletins and these other information updates, where ticked, to be sent. NJR will retain this personal data for as long as NJR is funded or until the person unsubscribes from the bulletin, which they can do at any time.
NJR communication staff control the data and do not share this with any third parties, but it can also be accessed by our email service supplier Clarity in Marketing (www.clarityinmarketing.com) when servicing our CRM. However, they are bound by a strict confidentiality agreement. If we stop using their services, any personal data used by us to deliver that service will be deleted or rendered anonymous and we will inform you of this.
NJR GDPR Commitment Statement
This statement is supplementary to the Healthcare Quality Improvement Partnership’s GDPR commitment statement, which you can find here, and refers only to the activity of the National Joint Registry (NJR).
HQIP is data controller for the National Joint Registry (NJR) and has committed to achieving compliance with the General Data Protection Regulation (GDPR), which took effect on 25th May 2018. HQIP has an internal team, with executive oversight, who have assessed the requirements of the GDPR and planned a programme of work to achieve compliance.
The NJR is working externally with our suppliers and partner organisations to ensure this work programme is delivered to enable HQIP to meet our obligations.
The NJR's work programme falls into the following areas:
- Individuals’ rights: we have ensured that we have policies and processes in place to implement individuals’ rights under GDPR.
- Data Protection Impact Assessments (DPIA): we have ensured that DPIAs are embedded into our processes and will be undertaken where needed for new processing activities.
- Training & awareness: we continue to build awareness and undertake training across HQIP on the GDPR and its implications.
- Supplier & partner relationships: where appropriate, we will be using all reasonable endeavours to ensure that our third parties and suppliers are complying with GDPR.
- HQIP will continue to monitor compliance with GDPR.
- Policy development: we continue to develop and review our range of policies to ensure they meet GDPR standards.
Should you have any queries about our commitment to GDPR please contact: email@example.com