Privacy Notice
GDPR
- Why do we collect data?
- What data is provided?
- What is our legal basis for processing your data?
- How do we process data?
- Information sharing with NHS and non-NHS organisations
- What information does the NJR publish?
- How is data used for medical research?
- Who controls the use of the data?
- Who processes the registry data
- Do I have to provide my personal information to the NJR?
- How long do we keep the data?
- Requesting access to your personal data
- NJR Email News Update Bulletins
- NJR GDPR Commitment Statement
- NJR Patient Network membership
Why do we collect data?
The National Joint Registry (NJR), which is operational in England, Wales, Northern Ireland, the Isle of Man and Guernsey, collects data about hip, knee, shoulder, elbow, and ankle joint replacement surgery. The purpose of collecting the data is to monitor the performance outcomes of orthopaedic implants, surgeons and hospitals in order to ensure patient safety and support the improvement of patient outcomes. The aims and goals of the NJR are set out in our strategic plan and are summarised on the website at: https://www.njrcentre.org.uk/njr-strategic-plan/
We provide data and evidence to:
- Help surgeons choose the best artificial joints (implants) for patients
- Empower patients by helping them find out more about the implants available to them
- Improve patient safety by showing how well implants, surgeons and hospitals perform; take action when needed
- Give hospitals, surgeons and implant manufacturers feedback about their performance to improve patient care
- Help surgeons decide if patients should return to hospital if there is any reported problem with specific implants
What data is provided?
Your hospital will input specific details of your operation into the NJR. These details include the type of implant you received, which surgical technique was used, which side of your body the implant went into, as well as your age and gender. The NJR asks all patients to give their permission (consent) to have their personal details confidentially recorded with their operation details – this allows the NJR to be more effective in its role. In order to achieve its aims, the NJR needs to collect patient identifiable data so that it can link primary, or first operation, joint replacements to revision, or second operation, procedures for the same patient. Being able to link primary and revision operations for the same patient is essential if the NJR is to meet its strategic goals.
The personal data collected by the NJR for each patient includes: Forename, Surname, Gender, Date of Birth, Postcode, Email and NHS Number (or, in Northern Ireland, Health and Care Number). This data is used to link primary and revision procedure records for an individual patient and items, such as gender and date of birth, enable the NJR to undertake additional analysis such as the outcomes of joint replacement surgery for different age groups. The NJR also collects a patient’s address and date of death. The former enables the NJR to invite patients to take part in clinical audits and, where appropriate consent is given, research projects. The date of death, along with the date of any revision procedure, is essential to calculate the outcomes of surgery. If you have a shoulder operation and complete a questionnaire before or after your operation (called a patient-reported outcome measure [PROM]), that data will also be collected by the NJR.
Data that is collected about your time in hospital (Hospital Episode Statistics (HES)), data around date and cause of death (Civil Registrations mortality data) and questionnaires that you complete before and after your hip or knee operation (NHS England National PROMs) are all collected by NHS Digital. The NJR will link to this data and has permission from NHS Digital to sublicense sections of this linked dataset to researchers that have received full approval. Researchers will not receive data that contains any of the personal data listed above and instead will receive data that has been pseudonymised (where personal data is removed and a code is used in its place).
What is our legal basis for processing your data?
The NJR processes data under the lawful basis condition “public health” where processing is necessary for the reasons of public interest in the area of public health [Data Protection Act 2018 Schedule 1 Part 1 (3)] underpinned by the Health and Social Care Act 2012 Part 1 section 2. Under the General Data Protection Regulation (GDPR) the legal basis for us to process your data is that the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (GDPR Section 6.1.e) and “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices” (GDPR Section 9.2.i). However, the NJR will always try to obtain patient consent to collect your data. Before an operation, patients should be offered an NJR consent form and patient information leaflet, both of which explain why the NJR collects patient data, what data is collected, how it is used, and how it is protected. The consent form and patient information leaflet can be found at:
For patients in England and Wales, the NJR also collects personal details where consent is recorded as unknown, i.e. a patient has not been asked to consent. This does not happen in many cases and the NJR has permission to collect details for these records under Section 251 of the NHS Act 2006 (which does not apply in Northern Ireland, the Isle of Man or Guernsey) in the interests of ensuring patient safety and patient outcomes. If we don’t know whether you have consented or not, you will not be contacted by the NJR nor invited to take part in any follow up study or research project. Any data that we hold about you will not be made available to researchers outside of the NJR.
Patients do not have to give consent for the NJR to hold their personal data and if a patient decides to withdraw previously given consent they can do so at any time by contacting the NJR Service Desk using the contact details provided below. If a patient withdraws consent, all personal details will be deleted from all records relating to that patient. Whatever you decide, it will not affect the care you will receive in this hospital or any future care and neither will it affect your legal rights. Giving your consent is voluntary; now 9 out of every 10 patients agree to have their details added to the NJR.
How do we process data?
All data collected by the NJR is stored in a secure facility, and personal data encrypted and stored on a secure computing infrastructure. All data is accessible only to a very limited number of NJR Service Desk staff. Although the NJR will use personal data to create datasets for analysis, those datasets will have all patient personal data removed. All published information uses aggregated or combined data, so that no individual patients could be identified.
The NJR also has permission under Section 251 of the NHS Act 2006 to use patient identifiable data to link to other health datasets. Currently, these include:
- The Hospital Episodes Statistics (HES) service for NHS patients in England.
- The Patient Episode Database Wales (PEDW) service for NHS patients in Wales.
- The NHS England National Patient Reported Outcomes Measures (PROMs) service
- Data from the Office of National Statistics
- Data from the Department of Health Information and Analysis Directorate, Northern Ireland.
The purpose of linking to these data sets is to enhance the type of analyses undertaken by the NJR. Linking to data that has already been collected saves hospitals having to provide the same information more than once to different organisations. Hospital Episode Statistics (HES) data is used to calculate whether a hospital has submitted the right number of records to the NJR; this is called compliance. The NJR also use HES data to calculate Best Practice Tariff payments for hospitals in England. This is an NHS initiative where hospitals get extra funding if the care that they deliver to patients is deemed “good” across a number of criteria.
Identifiable information is sent securely to the NJR centre where it is linked to NJR data. The resulting, linked data set that is used for analysis will not include patient identifiable data. Again, the outcomes of the analyses are published as aggregated data so it is not possible to identify individuals.
The NJR submits personal data to the NHS Personal Demographics Service for batch tracing. This will confirm that the NHS number provided is correct and, where it is missing, use the other personal data to provide one. The tracing will also provide a patient’s date of death and their current address. Information about a patient’s death is essential for the calculations used in determining the outcomes of surgery. The NJR will often either undertake or support follow-up audits or research and we need to contact patients by mail or email. Patients who have undergone a shoulder replacement, for example, will routinely be sent or emailed a questionnaire and asked to complete it.
A similar tracing process is undertaken for patients within Northern Ireland. This is under a separate data sharing agreement with the Department of Health Information and Analysis Directorate, Northern Ireland.
The release of all NJR data is subject to strict controls and patient identifiable data will only be released for research projects approved by the NHS Health Research Authority and where the NJR Service Desk has sought a patient’s explicit consent beforehand.
Researchers requesting access to NJR data that has been linked to HES/Civil Registration/PROMs data will not receive patient identifiers. Following full scrutiny and approval of the research project, the researcher will be granted access to linked data via the secure NJR Data Access Portal. All processing of pseudonymous data will occur within this secure domain and a request to release anonymous aggregate data will need to be approved before this is permitted.
The NJR also undertakes regular data quality audits to ensure that hospitals are submitting all the eligible data from operations that they perform to the NJR. Having complete data means that NJR is able to notify hospitals, surgeons and implant manufacturers more quickly about concerns about the quality of care. The data quality audit involves hospitals submitting data from their local Patient Administration Systems (PAS) to the NJR. Any records that do not match an NJR submission are reported back to the hospital. The personal data on unlinked patients is then deleted from NJR systems.
Information sharing with NHS and non-NHS organisations
The NJR may share non-identifiable patient information with a range of NHS organisations, including:
- Appropriate NHS authorities for the purposes of clinical auditing.
- Medical researchers for research purposes.
- Bodies with statutory regulatory or investigative powers (such as Care Quality Commission or MHRA).
Patient-identifiable information is only shared with other organisations where legal basis is clearly defined, as follows:
- When there is a Court Order or a statutory power to share patient data
- When the patient has given consent for the sharing
- When the sharing of patient data without consent has been authorised by the Health Research Authority under Section 251 of the NHS Act 2006
What information does the NJR publish?
The NJR publishes data for a range of different stakeholders in a variety of different places. Some secure services are available for surgeons, suppliers, and hospital management. More information on publications can be found at www.njrcentre.org.uk and https://reports.njrcentre.org.uk.
How is data used for medical research?
Operation and patient information in the NJR may be used for medical research. The purpose of this research is to improve our understanding and treatment of joint problems. The majority of our research uses only anonymised information which means it is impossible to identify individuals.
If the research team require linked datasets, then we do this in one of two ways:
Data Access Portal projects:
- Identifiable data is sent securely from the data controller of the other dataset (normally NHS Digital or Digital Health and Care Wales) to NEC Software Solutions.
- NEC Software Solutions link the NJR data with the other datasets using participant identifiers and then remove the identifiers leaving only an NJR study ID
- The pseudonymous, linked dataset is made available to the research applicant via the NJR Data Access Portal – a secure environment which allows the research to operate on the data on NJR systems without NJR having to release it.
Data release projects:
- Identifiable data is sent to the data controller of the other dataset (normally NHS Digital or Digital Health and Care Wales) from NEC Software Solutions along with an NJR study ID
- The linkage data controller (normally NHS Digital or Digital Health and Care Wales) uses the participant identifiers to link the NJR study ID with the other dataset. They then send their data (for example Hospital Episode Statistics) with the NJR study ID to the researcher
- Meanwhile, NEC Software Solutions send the NJR data without any participant identifiers, but including the same NJR study ID, to the researcher
- The researcher can then use the NJR study ID to link the two datasets together for their project.
From time-to-time, researchers may wish to gather further information. In these cases, we would seek your approval prior to disclosing your contact details. You do not have to take part in any research study you are invited to participate in and saying no does not affect the care you receive. You can find examples of how we use data for research at https://www.njrcentre.org.uk/research/.
Please be reassured that the storage, release and use of this data are subject to very strict controls. Patients are not obliged to take part in any follow up study and refusal to do so will not affect a patient’s care. Your personal details will not be passed onto any third party without your permission.
Who controls the use of the data?
The Healthcare Quality Improvement Partnership (HQIP) act as data controller for the NJR and is responsible for how the data is used. Where NJR data are collected in hospitals in England, NHS England act as joint data controller with HQIP. For NJR data collected in NHS hospitals in Wales, Digital Health and Care Wales (DHCW) act as joint data controller with HQIP. HQIP hosts the NJR and in this role is responsible for NJR’s compliance with necessary legal and statutory frameworks. In deciding who can have access to the data, HQIP has a clearly defined approvals process which involves a group with clinical, information governance, patient confidentiality, data protection and legal expertise.
The release of any data is subject to rigorous controls and, as stated previously, personal data would only be released for research where a project has received the appropriate approvals and individuals have been contacted by the NJR and invited to take part.
For further information about approvals for research projects, please visit www.hra.nhs.uk.
Both HQIP and the NJR comply with the national data opt-out policy. The NJR has exemption from the Confidentiality Advisory Group (CAG) from the National Data Opt-Out (NDO) for non-research activities. NDO applies for data sent to external research groups and data files are screened and opted out patients removed prior to data transfer. The HQIP privacy notice can be accessed at https://www.hqip.org.uk/about-us/privacy-policy
Who processes the registry data
The registry data is processed by NEC Software Solutions (UK) Ltd (NEC). NEC is contracted by NJR (through HQIP) to provide the data collection, aggregation, and reporting services for the NJR. NEC provides the NJR Service Centre staff who oversee the data collection process and is certified to international standards for information security, information management and for data processing. In addition to providing the data entry application and the facilities for storing and protecting the data, NEC also provide the NJR online reporting services. A very limited number of staff have access to the data and it is NEC staff who undertake the linkage of NJR data to other datasets and who provide data for agreed data analysts, following approval from the NJR Management Team (hosted by HQIP). For further information about NEC please visit: https://www.necsws.com/sectors/healthcare
The other NJR data processor is the University of Bristol whose specialist staff provide statistical and analysis services for the NJR. They are provided with data, both NJR-only and NJR-linked data, by NEC for all analysis projects, including the NJR annual report dataset. The data provided to the University does not contain personal information and all published data is aggregated. Even as a data processor, the team at the University of Bristol does not have regular access to patient identifiable information for NJR data and has no access to patient identifiers for linked datasets.
Do I have to provide my personal information to the NJR?
Patients do not have to consent to the NJR holding their personal information. However, we ask you to consider the longer-term benefits to other patients in providing it. The NJR will not be able to meet its aims of improving the outcomes of joint replacement surgery and improving patient safety unless patients continue to provide their consent.
If a patient, having granted consent, wishes to withdraw that consent they can contact the NJR Service Desk and ask for their personal information to be removed from the NJR database. The NJR will retain a record of the operation which will not include any information that could identify a patient. Such a record cannot be linked to any other procedures for the same patient, will not be used in any analyses, and cannot be used to enable the NJR to identify any patient to a hospital should any issue be later identified with their implant.
How long do we keep the data?
Data will be retained for as long as the NJR exists, plus an additional five years. The data is required to confirm the linkage between all procedures for the same patient and for the same joint. For example, a patient may have a primary right hip replacement that is revised fifteen years later. The data is essential in order to be able to link those two procedures.
Data received by the NJR from other data controllers for the purposes of linkage will be destroyed as required by the Data Sharing Agreement between the NJR and those data controllers. Derived data sets produced from the pseudo-anonymised dataset can be retained. However, with the destruction of the original data containing the identifiers, it is not possible to reconstruct the data such that an individual patient could be identified.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please visit our website at Accessing your NJR Data or contact us at: enquiries@njrcentre.org.uk
You also have the right to:
- be informed about how your personal data is collected and processed.
- object to processing of personal data that is likely to cause, or is causing, damage or distress.
- prevent processing for the purpose of direct marketing.
- object to decisions being taken by automated means.
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed.
Should you have a concern or complaint about the way the NJR is collecting or using your personal data, you should raise your concern directly with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
How to find out more:
If a patient should wish to either obtain data about them held by the NJR or withdraw consent they should contact the NJR using the following contact details:
Email: enquiries@njrcentre.org.uk
Phone: 0845 345 9991
Address: The NJR Service Desk, c/o NEC Software Solutions, 1st Floor iMex Centre, 575-599 Maxted Road, Hemel Hempstead, HP2 7DX
Our data protection officer (DPO) can be contacted at: data.protection@hqip.org.uk
Information about hospital staff
We hold contact details for data entry staff, NJR hospital data managers, surgeons, and trust chief executives and trust medical directors. Information collected includes name, job title, telephone number and email address.
The information that we collect about system users and clinicians is collected in order to allow users to submit data to the NJR. As such, the legal basis for the collection of this information is that we have a legitimate interest in obtaining and processing this data in order to carry out the functions of the NJR.
Surgeons have to be registered with the NJR so that they can either have procedures submitted in their name as a consultant in charge or be recorded as a lead surgeon. Surgeons are associated with one or more hospitals so that they can be selected for procedures submitted by those hospitals. All procedures are associated with a consultant in charge and a lead surgeon who may, or may not be, the same person. This is to enable the monitoring of outcomes at a surgical level. The data provided by surgeons is linked to data provided by the General Medical Council and a surgeon’s GMC number is linked and stored with the surgeon’s record on the NJR database.
Surgeons are also encouraged to provide a valid email address when logging onto the NJR’s secure online service, NJR Clinician Feedback. All provided email addresses are collected and held in the contact database held and maintained by HQIP and are used to provide surgeons with important information, for example, informing them when data intended for publication as part of the Clinical Outcomes Programme is available for validation.
As part of our outlier management process, the personal details of operating surgeons who are identified as being statistically outlying for performance are provided to investigating clinicians and Trust Chief Executives in line with our outlier management policies. For more information about outlier management see https://www.njrcentre.org.uk/surgeons/surgeon-and-hospital-outcome-publication/
For Hospital Data Managers (HDM) and Data Entry Staff, the personal data held will include names and contact information (email address and telephone number). This data is stored securely in the NJR’s database and is necessary to enable staff to enter and manage the data for those hospitals with which they are associated. Without this information, staff will not be able to carry out their duties with respect to the NJR. The details of HDMs are held by the NJR’s Regional Coordinators and they are included in the contacts database held and maintained by HQIP.
NJR Email News Update Bulletins
The provision of name, job title and personal email contact data is needed should the subscriber wish to receive NJR news and events bulletin updates, and other optional information, relevant to their work or interests. The subscriber can also voluntarily opt in by ticking a box to receive information by email on each of NJR’s other information services. The contact data is stored in our password protected email system and used exclusively by our Communication Manager to enable bulletins and these other information updates, where ticked, to be sent. NJR will retain this personal data for as long as NJR is funded or until the person unsubscribes from the bulletin, which they can do at any time.
NJR communication staff manage the collection of data from interested stakeholders and do not share this with any third parties.
NJR GDPR Commitment Statement
This statement is supplementary to the Healthcare Quality Improvement Partnership’s GDPR commitment statement, which you can find here, and refers only to the activity of the National Joint Registry (NJR).
HQIP is data controller for the National Joint Registry (NJR) and has committed to achieving compliance with the General Data Protection Regulation (GDPR), which took effect on 25th May 2018. HQIP has an internal team, with executive oversight, who have assessed the requirements of the GDPR and planned a programme of work to achieve compliance.
The NJR is working externally with our suppliers and partner organisations to ensure this work programme is delivered to enable HQIP to meet our obligations.
The NJR’s work programme falls into the following areas:
- Privacy policy and transparency: we have undertaken a systematic review of the data we process and control and have updated our documentation to be as open and clear to individuals about how their personal data is used.
- Individuals’ rights: we have ensured that we have policies and processes in place to implement individuals’ rights under GDPR.
- Data Protection Impact Assessments (DPIA): we have ensured that DPIAs are embedded into our processes and will be undertaken where needed for new processing activities.
- Training & awareness: we continue to build awareness and undertake training across HQIP on the GDPR and its implications.
- Supplier & partner relationships: where appropriate, we will be using all reasonable endeavours to ensure that our third party and suppliers are complying with GDPR.
- HQIP will continue to monitor compliance with GDPR.
- Policy development: we continue to develop and review our range of policies to ensure they meet GDPR standards.
NJR Patient Network membership
Any person wishing to join the NJR Patient Network as a volunteer member will be asked to complete an expression of interest. The provision of name, telephone number (optional) and personal email contact data is requested so they can be contacted about joining the network. This data is collected via our website and stored on Mailchimp servers in the United States until we download it to our own servers and at this point it can be deleted from the Mailchimp system. Downloaded contact data is stored on the NJR’s secure file server in the UK and is used exclusively for related work to enable direct communication and information to be sent.
Once you have expressed an interest, we will email you a more detailed form that will ask questions about your gender, age, ethnicity, disability status and your experience of joint replacement surgery. This will allow us to ensure that the network reflects a diverse range of patient voices. This form will be returned to us by email and will be stored on our secure file server.
If you subsequently join the network then we will include you in our mailing list, which is stored on Mailchimp servers in the United States and used so that you can receive associated network communication and materials as a valued volunteer member.
If you do not subsequently join the network, then your data will be destroyed after 12 months. If you do join the network, then your data will be retained for as long as you are a member of the network, plus an additional 12 months. Each volunteer member, or their representative, may request that they stop receiving NJR Patient Network communication or have their personal data permanently destroyed at any time by contacting patient.network@njr.org.uk.
All volunteer member data is processed for the sole use of the NJR Patient Network activity and will not be shared with any third party.
Should you have any queries about our commitment to GDPR please contact: chris.boulton@njr.org.uk
Last updated: 10 August 2023