Data security

We make every effort to ensure our standards are high in handling specialist categories information as part of our patient safety research. Our privacy policy explains how we use the specialist categories information that we collect, and the rights that you have if you think that we hold information about you as a data subject. Find out more in our data security documents.

Who is responsible for the data we collect?

The National Confidential Inquiry into Suicide and Safety in Mental Health (NCISH) is commissioned by the Healthcare Quality Improvement Partnership (HQIP). HQIP is led by a consortium of the Academy of Medical Royal Colleges, the Royal College of Nursing and National Voices. HQIP’s aim is to promote quality improvement, and it hosts the contract to manage and develop the Clinical Outcome Review Programmes, one of which is the Mental Health Clinical Outcome Review Programme, funded by NHS England, NHS Wales, the Health and Social Care division of the Scottish Government, the Northern Ireland Department of Health, and the States of Jersey and Guernsey. The programmes, which encompass confidential enquiries, are designed to help assess the quality of healthcare, and stimulate improvement in safety and effectiveness by systematically enabling clinicians, managers and policy makers to learn from adverse events and other relevant data. More details can be found here. NCISH and its data are based at The University of Manchester, which was established by Royal Charter. Contact details for our data controllers:

The Healthcare Quality Improvement Partnership (HQIP)

6th Floor
45 Moorfields
London, EC2Y 9AE

Compliance and Risk

Information Governance Office
Room G6, Christie Building
The University of Manchester
Oxford Road
Manchester, M13 9PL

What information do we collect?

We collect information on people who have died by suicide, and some information on people who committed homicide. We receive identifying information about people who have been allocated a suicide or undetermined conclusion at coroner’s inquest from the Office for National Statistics (ONS) (England and Wales), the General Register Office (GRO) (Scotland), the Northern Ireland Statistics and Research Agency (NISRA). We also receive information identifying information about people who have committed homicide from the Home Office (England and Wales), the Scottish Crown Office, the Northern Ireland Courts and Tribunal Service (NICTS), and Greater Manchester Police. The information we initially receive from these organisations includes people’s names, addresses, dates of birth and death or offence, and cause of death or information related to the offence. We share this information securely with healthcare providers who let us know whether the person was in contact with mental health services in the year before death/offence. For the people who died by suicide, we then collect detailed clinical information from the healthcare organisation via an online questionnaire. No identifying information is collected on the questionnaire and any further correspondence with healthcare services uses a unique identifier that we generate in our office. The clinical information is held on a database which is not linked to the personal identifiable information. We do not collect information directly from data subjects, and this information is not part of a statutory obligation.

What rights do we have to hold this information?

Processing of the data that we hold is necessary in the public interest, for scientific and statistical research purposes in accordance with Article 89(1) of the General Data Protection Regulation. We only hold and process data which is proportionate to our aim of improving safety in mental health services. We respect the essence of the right to data protection and we have specific measures in place to safeguard the fundamental rights and interests of the data subjects. Our research has been approved by the NHS Research Ethics Committee. In order to carry out the research, we have:

  • Section 251 approval; this allows us to hold identifiable and special categories information.
  • Data Access Agreements; these are agreements of principals for the release of special categories information.
  • Caldicott Guardian agreements with all mental health providers; this is an agreement between us and health providers about what information we will share, and how we will manage the data.
  • A satisfactory data security & protection toolkit; this is an online assessment against information governance policies and standards, and a requirement of applying for Section 251 approval.
How will we use this information?
We publish annual reports which include analysis of the most recent year of national data on patient suicides, as well as trends over time. In addition to annual reports, we publish project reports investigating specific patient sub-groups. We recommend changes to clinical practice and policy to reduce the risk of suicide and improve the safety of mental health patients. We only publish aggregate figures, and we follow ONS guidance about small numbers – we don’t publish low counts, and we never share information about an individual. Our key audiences are:

  • People who receive care Patients and service users, their families and carers, the general public and press.
  • People who deliver care Mental health professionals, who provide us with our data and whose clinical practice is the main focus of our recommendations, medical/clinical directors, risk managers, trust chief executives and boards.
  • People who commission care Clinical Commissioning Groups, NHS England, devolved governments including policy and practice leaders.
  • People who regulate care and provide national oversight The Care Quality Commission, NICE, Health Education England and equivalent bodies in all UK countries.

There are various retention periods for the differing data we receive, based on the specific requirements of the data providers and our overall Section 251 approval. Once a data destruction date is reached, the data are securely destroyed.

From 25th May 2018 The University of Manchester are collecting and storing this information in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 which legislate to protect your personal information. The legal basis upon which we are using your personal information is “public interest task” and “for research purposes” if sensitive information is collected. For more information about the way we process your personal information and comply with data protection law please see The University of Manchester Privacy Notice for Research Participants.

How do I get a copy of my personal information held by NCISH?
If you believe that NCISH hold personal information about you, you have a right to ask for a copy of that information. This is commonly called a Subject Access Request (SAR). A request for information from health records has to be made with the organisation that holds your health records – the data controller. For hospital health records, contact the records manager or patient services manager at the relevant hospital trust. You can find a list of hospital trusts on the NHS Choices website. If you would like to receive a copy of other information we hold about you, your request should be made in writing (or email) to:

Please include the words ‘Subject Access Request’ at the beginning of your letter or in the subject line of your email. When making your request, please include the following details:

  • your name, address and postcode
  • the type of information you want to look at including any relevant dates.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Access to the information by people who are not data subjects
Currently, any bespoke data requests must be initiated by the Medical Director of the healthcare organisation. Annually, we provide a Safety Scorecard to the Medical Director of each mental health trust in England. This Scorecard was developed in response to a request from our commissioners for benchmarking data to support quality improvement. We provide information on six indicators that relate to our work: suicide rate, homicide rate, rate of sudden unexplained death (SUD), patients under the Care Programme Approach (CPA), staff turnover and NCISH questionnaire response rate. This information is for trusts to consider internally, and we do not give this data directly to any other organisation. We suggest that trusts may wish refer to our 10 key elements of safer care in mental health services – key safety measures that trusts can implement, available to download from our website. On occasion we collaborate with visiting researchers, who are allowed access to strictly anonymised datasets for analysis to contribute to our outputs. All visiting researchers are bound by the same confidentiality agreements as our contracted members of staff. All of our published outputs can be accessed via our website. We inform people of our work through events, presentations, print and social media. We are bound by the conditions in our permissions which are intended to safeguard the identifiable clinical information we hold, and therefore it may not always be possible to respond to a data request if it risks breaching these agreements.
Right to restrict processing
The right to restrict processing is not an absolute right and applies only in specific circumstances:

  • Where you contest the accuracy of your personal data and we need to verify the accuracy of the data.
  • The personal data were unlawfully processed (ie otherwise in breach of the Data Protection Act 2018 and General Data Protection Regulation), and you request restriction rather than erasure of the data.
  • Where the personal data are no longer necessary in relation to the purpose for which it were originally collected/processed, but you need us to keep the data in relation to a legal claim.
  • When you object to the processing and we are considering whether our legitimate interest for continuing the processing would override this objection.

If you would like to request a restriction of processing of your personal data, your request should be made in writing (or email) to:

Please include the words ‘Request to Restrict Processing’ at the beginning of your letter or in the subject line of your email. When making your request, please include the following details:

  • your name, address and postcode
  • the grounds for your request for erasure.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Right to object to processing
You have the right to object to the processing of your personal data:

  • Based on legitimate interests of the performance of a task in the public interest/exercise of official authority.
  • For direct marketing.
  • Processing for the purposes of scientific/historical research and statistics.

You must have an objection on grounds relating to your particular situation. If you would like to raise an objection to the processing of your data, your objection should be made in writing (or email) to:

Please include the words ‘Object to Processing’ at the beginning of your letter or in the subject line of your email. When making your request, please include the following details:

  • your name, address and postcode
  • details of the grounds for your objection.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Right to correct inaccurate personal information
You have the right to request that any personal data that is inaccurate be rectified. If you would like to request that personal data that we hold about you be corrected, your request should be made in writing (or email) to:

Please include the words ‘Object to Processing’ at the beginning of your letter or in the subject line of your email. When making your request, please include the following details:

  • your name, address and postcode
  • details of the grounds for your objection.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Report a concern to the Information Commissioner’s Office
You can report any concerns you have about our information rights practices to the Information Commissioner’s Office (ICO).
Changes to our privacy policy
We keep our privacy policy under regular review and will place any updates on this webpage. This privacy policy was last updated on 15 June 2018.

How to contact us

Please contact us if you have any questions about our privacy policy or any of the data that we hold.

Information security and management policy

Our policy sets out our data management in light of guidance on information governance, data protection and confidentiality. This policy is reviewed annually.

Data protection impact assessment document

This template and guide is a tool which can help us identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy

Our patient data flow

Our chart shows who provides data to us, who we share that data with, and at what stage identifiable data are pseudonymised/anonymised. This chart is updated in line with any new data sharing agreements.

Identification and management of cause for concern

This Healthcare Quality Improvement Partnership (HQIP) policy relates to the rare circumstances in which information submitted to us could reasonably suggest the presence of very serious issues with clinical practice or system failure that presents a risk of harm to patients. Read the policy here