Privacy Policy

What is the aim of the National Audit of Cardiac Rehabilitation?

The National Audit of Cardiac Rehabilitation (NACR) is a national audit, commissioned through NHS Arden & Gem and hosted by the University of York in the Department of Health Sciences, and funded by NHS England. It collects comprehensive audit data used to quality assure programmes, and to support improvement and monitoring of cardiac rehabilitation (CR) services in terms of their uptake, quality and clinical outcomes. NACR’s remit is to support clinical CR teams in auditing their service, under the guidance of a National Steering Committee which is representative of stakeholders and beneficiaries including clinicians, patients, commissioners and NHS England policy team members.

NACR use the data to produce annual reports and ad hoc reports by request for individual programmes. Programmes can also view and download their data for local analyses. NACR runs a joint National Certification Programme for CR with the British Association of Cardiovascular Prevention and Rehabilitation where programmes are assessed on seven standards. It reports regularly to NHS England – including input into FutureNHS and Model Health System dashboards – the All Wales Group and Northern Ireland, plus cardiac networks, and Integrated Care Boards. It also informs research papers focused on service improvement submitted to journals.

Where is patient data collected from?

Data is collected routinely as part of your care whilst accessing the CR service, and covers the patient journey from hospital admission (where appropriate), to inpatient rehab, and through to the outpatient rehab programme. Data collected includes the diagnosis/treatment that led to referral to rehab, any previous events or comorbidities, and the type of rehab received. It also records reasons why patients may not have taken part, or not completed their rehab programme. Data comes from a combination of information obtained via clinical appointments, rehab sessions and assessment questionnaires.

After data collection clinical teams use the secure online database which is hosted by Clinical Audit, NHS England (formerly NHS Digital) to enter data relevant to the rehab the patient receives.

NACR uses patient information collected by CR teams across England, Northern Ireland and Wales.

Legal basis for collecting personal data

Each year, NACR asks the Confidentiality Advisory Group (CAG) at the Health Research Authority for permission to collect and use patient information, such as NHS number, date of birth, address and postcode. CAG can give the audit permission to collect this data, for specific audit purposes, without requiring consent and giving the audit ‘Section 251 Approval’ under Section 251 of the NHS Act 2006. University of York is the Data Controller as defined in the General Data Protection Regulation. We are registered with the Information Commissioner’s Office. Our registration number is Z4855807. The patient identifiable information is held by Clinical Audit, NHS England, the audit’s data processor, who supply pseudonymised downloads to the NACR team for audit analysis and associated research. The audit does not receive any patient identifiable information.

Legal basis for processing personal patient data

Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.

In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR: Processing is necessary for the performance of a task carried out in the public interest Special category data is processed under Article 9 (2) (j): Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes. Research will only be undertaken where there is a clear public interest and where appropriate safeguards have been put in place to protect data. In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.

How we protect your data

Hospital and Community based CR teams enter patient data into a secure web-based database provided by Clinical Audit, NHS England. Only CR and clinical audit staff registered with the Audit can access the database and security and confidentiality is maintained through the use of passwords and person specific logins, authorised by the organisation’s Caldicott Guardian. Clinical Audit, NHS England staff access the data only where necessary, and the NACR team receive data with patient identifiers removed for analysis and to facilitate operational support of the audit.

How do we analyse the data?

Data is processed for the purposes of research, to audit and improve care in CR. We provide aggregate data at a programme, regional and national level to CR teams, Trusts and Health Boards, commissioners, patient groups, NHS England and other stakeholders. Our reports cover service quality, patient outcomes, and look at service provision and inequalities. Data is published in reports, peer reviewed journals and used in presentations. Examples of our reports and research can be found in the ‘Reports’ and ‘Publications’ links above.

Management of patient-level data by the NACR team

The NACR team are based at the University of York and work closely with Clinical Audit, NHS England. Both the University of York and Clinical Audit, NHS England adhere to the General Data Protection Regulation (GDPR) and other legislation that relates to the collection and use of patient data. Both organisations have strict security measures in place to safeguard patient information held in the data collection system and when analysing the de-identified dataset. The data collection IT system has levels of security built into it, such as ID password security which prevents unauthorised users gaining access and data encryption.

How do we transfer your data safely internationally?

Data will be held within the European Economic Area.

Will you be identified in any research outputs?

No. York does not receive any personal identifiers of participants.

How long will we keep your data?

All data submitted to the Clinical Audit, NHS England ‘Clinical Audit Platform’ (CAP) database will be retained for the duration of the audit and for a minimum of 5 years after closure.

It is important for healthcare changes to be monitored over time to ensure that CR programmes are continuing to align their services with the needs of patients.

Who do we share data with?

Patient-level data (with patient identifiers removed) is not shared outside of the University of York network and all staff and students who work on the data for audit work or service improvement research follow strict guidelines and training to meet the terms of the Data Sharing Agreement NACR holds with Clinical Audit, NHS England. If Researchers outside of the university wish to use patient-level data they must contact both the Audit and Clinical Audit, NHS England and complete a Data Access Request Service (DARS) approval application for the specific project.

What if I do not want my information used by the Audit?

All patients can opt to have their information removed from the NACR database by contacting the Clinical Audit, NHS England Enquiries team: Email: enquiries@nhsdigital.nhs.uk or Telephone: 0300 303 5678). Opting out from the Audit is different to registering with National Data Opt-out (NDO). NACR is exempt from the NDO, to minimise the adverse impact on patient safety and reporting health inequalities. For more information on opting out choices please find further information here: Patient Choices

Provider team contact information held by the NACR

Clinical Audit, NHS England holds contact information (name, email address and hospital name) for key members of each extended provider team (Clinical Lead, and primary contact) on behalf of NACR. This information enables Clinical Audit, NHS England/NACR to distribute important updates about the audit, to administer organisational audit updates and contact providers during the outlier process. This information is not shared outside Clinical Audit, NHS England.

NACR also holds individual primary and secondary contact names and emails for each CR programme. These are used solely for the purpose of the audit and are not shared outside of the NACR team. In addition, the Online Register holds a Referral email, address and telephone number for CR programmes, which is publicly available for use by patients, carers, GPs and CR teams enabling them to search for their nearest CR programme.

If you believe that any contact information the audit is holding on you is incorrect or incomplete, please contact us as soon as possible. The NACR team will promptly correct any information found to be incorrect.

Changes to our privacy policy

We keep our privacy policy under regular review and we will always include the latest version on the NACR web page. This privacy policy was last updated in March 2023

How to contact us

If you have any questions about the NACR project or concerns about how your data is being processed, please contact Professor Patrick Doherty, Professor of Cardiovascular Health, Department of Health Sciences (email: nacr-project@york.ac.uk) in the first instance. If you are still dissatisfied, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk

Right to complain

If you are unhappy with the way in which the University has handled your personal data, we ask that you get in touch with us in the first instance, to allow us to resolve your concern. If you are unhappy with our response, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see Information Commissioner’s Office.