Data security

We make every effort to ensure our standards are high in handling specialist categories information as part of our patient safety research. Here we explain how we use the specialist categories information that we collect, and the rights that you have if you think that we hold information about you as a data subject. Find out more in our data security documents.

Who is responsible for the data we collect?

The National Confidential Inquiry into Suicide and Safety in Mental Health (NCISH) is commissioned by the Healthcare Quality Improvement Partnership (HQIP). HQIP is led by a consortium of the Academy of Medical Royal Colleges, the Royal College of Nursing and National Voices. HQIP’s aim is to promote quality improvement, and it hosts the contract to manage and develop the Clinical Outcome Review Programmes, one of which is the Mental Health Clinical Outcome Review Programme, funded by NHS England/Improvement, NHS Wales, the Health and Social Care division of the Scottish Government, the Northern Ireland Department of Health, and the States of Jersey and Guernsey. The programmes, which encompass confidential enquiries, are designed to help assess the quality of healthcare, and stimulate improvement in safety and effectiveness by systematically enabling clinicians, managers and policy makers to learn from adverse events and other relevant data. More details can be found here.

NCISH and its data are based at The University of Manchester, which was established by Royal Charter.

Contact details for our data controllers:

The Healthcare Quality Improvement Partnership (HQIP)
6th Floor
Dawson House
5 Jewry Street
London
EC3N 2EX

 

Compliance and Risk
Room MLG.006
John Owens Building
The University of Manchester
Oxford Road
Manchester
M13 9PL

What information do we collect?

We collect information on people who have died by suicide, and some information on people who committed homicide.

We receive identifying information about people who have been allocated a suicide or undetermined conclusion at coroner’s inquest from the Office for National Statistics (ONS) (England and Wales), the National Register Office (NRS) (Scotland), and pseudonymised data from  the Regulation and Quality Improvement Authority (RQIA), who manage identifying information from the Northern Ireland Statistics and Research Agency (NISRA).

We also receive identifying information about people who have committed homicide from the Home Office (England and Wales), the Scottish Crown Office, and Greater Manchester Police.

The information we initially receive from these organisations includes people’s names, addresses, dates of birth and death or offence, and cause of death or information related to the offence. We share this information securely with healthcare providers who let us know whether the person was in contact with mental health services in the year before death/offence. National opt-out is applied by the responding healthcare provider, so we do not collect information on people who have opted out of their records being used for anything other than care and treatment. For the people who died by suicide, we collect detailed clinical information from the healthcare organisation they had contact with before death via an online questionnaire. No identifying information is collected on the questionnaire and any further correspondence with healthcare services uses a unique identifier that we generate in our office. The clinical information is held on a database which is not linked to the personal identifiable information.

We do not collect information directly from data subjects, and this information is not part of a statutory obligation.

What rights do we have to hold this information?

Processing of the data that we hold is necessary in the public interest, for scientific and statistical research purposes in accordance with Article 89(1) of the General Data Protection Regulation. We only hold and process data which is proportionate to our aim of improving safety in mental health services. We do not hold health records of people who opted out of their health data being used for anything other than care and treatment (i.e. people who have applied the national data opt-out). We respect the essence of the right to data protection and we have specific measures in place to safeguard the fundamental rights and interests of the data subjects.

Our research has been approved by the NHS Research Ethics Committee. In order to carry out the research, we have:

  • Section 251 approval; this allows us to hold identifiable and patient sensitive data;
  • Data Access Agreements; these are agreements of principals for the release of sensitive data;
  • Caldicott Guardian agreements with all mental health providers; this is an agreement between us and health providers about what information we will share, and how we will manage the data;
  • A satisfactory Data Security and Protection Toolkit (DPST); this is an online assessment against Information Governance policies and standards, and a requirement of applying for Section 251 approval.
How will we use this information?

We publish annual reports which include analysis of the most recent year of national data on patient suicides, as well as trends over time. In addition to annual reports, we publish project reports investigating specific patient sub-groups. We recommend changes to clinical practice and policy to reduce the risk of suicide and improve the safety of mental health patients. We only publish aggregate figures, and we follow ONS guidance about small numbers – we don’t publish low counts, and we never share information about an individual. If you have opted out of you health data being used for anything other that care and treatment, your opt-out will be applied by the relevant health organisation, and your health records will not be shared.

Our key audiences are:

  • People who receive care: Patients & service users, their families & carers, the general public & press
  • People who deliver care: Mental health professionals, who provide us with our data and whose clinical practice is the main focus of our recommendations, medical/clinical directors, risk managers, trust chief executives & boards
  • People who commission care: CCG’s, NHS England/Improvement, devolved governments including policy and practice leaders
  • People who regulate care and provide national oversight: CQC, NICE, Health Education England and equivalent bodies in all UK countries.

There are various retention periods for the differing data we receive, based on the specific requirements of the data providers and our overall Section 251 approval. Once a data destruction date is reached, the data are securely destroyed. 

How do I get a copy of my personal information held by NCISH?

If you believe that NCISH hold personal information about you, you have a right to ask for a copy of that information. This is commonly called a Subject Access Request (SAR).

Requests for medical (health) records

A request for information from health records has to be made with the organisation that holds your health records – the data controller. For hospital health records, contact the records manager or patient services manager at the relevant hospital trust. You can find a list of hospital trusts on the NHS Choices website.

If you would like to receive a copy of other information we hold about you, your request should be made in writing (or email) to:

Please include the words ‘Subject Access Request’ at the beginning of your letter or in the subject line of your email.

When making your request, please include the following details:

  • Your name, address and postcode;
  • The type of information you want to look at including any relevant dates.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Access to the information by people who are not data subjects

Currently, any bespoke data requests must be initiated by the Medical Director of the healthcare organisation. Annually, we provide a Safety Scorecard to the Medical Director of each mental health trust in England. This Scorecard was developed in response to a request from our commissioners for benchmarking data to support quality improvement. We provide information on indicators that relate to our work: suicide rate, homicide rate, patients under the Care Programme Approach (CPA), staff turnover and NCISH questionnaire response rate. This information is for trusts to consider internally, and we do not give this data directly to any other organisation. We suggest that trusts may wish refer to our 10 key elements of safer care in mental health services – key safety measures that trusts can implement, available to download from our website.

On occasion we collaborate with visiting researchers, who are allowed access to strictly anonymised datasets for analysis to contribute to our outputs. All visiting researchers are bound by the same confidentiality agreements as our contracted members of staff.

All of our published outputs can be accessed via our website. We inform people of our work through events, presentations, print and social media.

We are bound by the conditions in our permissions which are intended to safeguard the identifiable clinical information we hold, and therefore it may not always be possible to respond to a data request if it risks breaching these agreements.

Right to restrict processing

If you have opted out of your health data being used for anything other than care and treatment, your opt-out will be applied by the relevant health organisation, and your health records will not be shared. The right to restrict processing is not an absolute right and applies only in specific circumstances:

  • Where you contest the accuracy of your personal data and we need to verify the accuracy of the data;
  • The personal data were unlawfully processed (i.e. otherwise in breach of the DPA2018 and GDPR), and you request restriction rather than erasure of the data;
  • Where the personal data are no longer necessary in relation to the purpose for which it were originally collected/processed, but you need us to keep the data in relation to a legal claim;
  • When you object to the processing and we are considering whether our legitimate interest for continuing the processing would override this objection.

If you would like to request a restriction of processing of your personal data, your request should be made in writing (or email) to:

Please include the words ‘Request to Restrict Processing’ at the beginning of your letter or in the subject line of your email.

When making your request, please include the following details:

  • Your name, address and postcode;
  • The grounds for your request for erasure.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

How the NHS and care services use your information

NCISH is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided;
  • Research into the development of new treatments;
  • Preventing illness and diseases;
  • Monitoring safety;
  • Planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information;
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care;
  • Find out more about the benefits of sharing data;
  • Understand more about who uses the data;
  • Find out how your data is protected;
  • Be able to access the system to view, set or change your opt-out setting;
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone;
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Right to object to processing

If you have opted out of you health data being used for anything other than care and treatment, your opt-out will be applied by the relevant health organisation and your records will not be shared. You have the right to object to the processing of your personal data:

  • Based on legitimate interests of the performance of a task in the public interest/exercise of official authority;
  • Direct marketing;
  • Processing for the purposes of scientific/historical research and statistics.

You must have an objection on grounds relating to your particular situation.

If you would like to raise an objection to the processing of your data, your objection should be made in writing (or email) to:

Please include the words ‘Object to Processing’ at the beginning of your letter or in the subject line of your email. When making your request, please include the following details:

  • Your name, address and postcode;
  • Details of the grounds for your objection.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Right to correct inaccurate personal information

You have the right to request that any personal data that is inaccurate be rectified.

If you would like to request that personal data that we hold about you be corrected, your request should be made in writing (or email) to:

Please include the words ‘Object to Processing’ at the beginning of your letter or in the subject line of your email.

When making your request, please include the following details:

  • Your name, address and postcode;
  • Details of the inaccuracy.

We aim to send you a reply as soon as possible and by the latest within 30 calendar days. You may also be asked to provide proof of identity.

Report a concern to the Information Commissioner’s Office

You can report any concerns you have about our information rights practices to the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns

Changes to our privacy policy

We keep our privacy policy under regular review and will place any updates on this webpage. This privacy policy was last updated on 28 September 2021.

Policy documents and related information

Information security and management policy

Our policy sets out our data management in light of guidance on information governance, data protection and confidentiality. This policy is reviewed annually.

Data protection impact assessment document

This template and guide is a tool which can help us identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy

Our patient data flow

Our chart shows who provides data to us, who we share that data with, and at what stage identifiable data are pseudonymised/anonymised. This chart is updated in line with any new data sharing agreements.

Identification and management of cause for concern

This Healthcare Quality Improvement Partnership (HQIP) policy relates to the rare circumstances in which information submitted to us could reasonably suggest the presence of very serious issues with clinical practice or system failure that presents a risk of harm to patients.

Understanding practice in clinical outcome review programmes tool: UPCORP-tool guidance and checklist

A protocol to describe the key features of clinical outcome review programmes.

NCISH quality improvement plan

This plan sets out how we are promoting quality improvement within our work.

 

How to contact us

Please contact us if you have any questions about our privacy policy or any of the data that we hold.