Keeping your data safe

We follow best practices to keep your information secure and confidential.


Protecting your data during the IBD closure process

We continue to maintain strict data security measures including encryption to protect all personal data until it is securely transferred or deleted.

We perform data protection risk assessments for all data processing, which includes the closure of the Registry. This process includes considering where we can use privacy-enhancing technologies at any point in the process, to better protect the confidentiality of personal records.

Our Closure FAQs provide more information.

If you wish to exercise your rights to data access and deletion, review our FAQs and use our Data Subjects Rights Portal


We follow the data security standards set down by NHS Digital

Each year the IBD Registry completes NHS Digital’s Data Security and Protection Toolkit. This enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care.

We are formally assessed by NHS Digital on these data security standards every year.

You can see our assessment results at NHS Digital (our number is 8JX66).


We set out clear rules and procedures on how we handle information

We have an overarching Information Governance Framework, under which there is a set of policies which includes data security, data protection and confidentiality.

We also have careful policies to govern in what circumstances we can share data, who we can share data with, and what types of data can be shared.

There is an annual review of our data security and protection procedures that reinforce these policies to ensure the Registry runs smoothly and securely.


We follow best technical practice in how we handle information

We keep data in a secure data centre – also used by some NHS organisations – it is both physically secure against intruders, and electronically secure against hackers.  It is completely separate from our office IT systems, so that if (in the worst case) we suffer an intrusion, there is no connecting route to your data.

We are very careful about which staff members can access what types of data. Staff will only see your personal details if their job role requires it

We train our staff carefully, so they know what they need to do to keep information safe. We update their training and assess them every year.

We conduct our analysis on a de-identified form of your data (where your personal identifying details have been removed)


We design data protection in from the start

We undertake Data Protection Impact Assessments (DPIAs) to ensure we build in data protection from the very start of any new project or significant changes. View a list of our DPIAs completed for approved projects here.