Registry Participants Privacy Notice

This privacy notice should be read in conjunction with the Privacy Statement found at: https://ibdregistry.org.uk/privacy-policy/

The purposes of the processing and recipients of personal data

The IBD Registry (the Registry/we/us) processes the personal data of individuals living with IBD in the UK for the purposes of improving care and treatments for people with IBD, improving their outcomes and widening knowledge about IBD, enabled through the collection and analysis of data relating to IBD on a national scale.  The data processed is used to:

 

  • Drive continuous improvement in patient care and access to care across the UK
  • Support clinical quality improvement and audit through analysing data against national benchmarks
  • Inform commissioning and IBD service design
  • Improve our understanding of long-term outcomes for people with IBD
  • Provide local, regional & national data in order to better define the epidemiology (understanding of the disease) and understanding of care and treatments provided
  • Provide analyses designed to inform people with IBD and the general public
  • Support policy decisions and campaigning for people with IBD through the analysis of our data
  • Support research through the provision of appropriate data

Categories of personal data

The data we process is personal data and includes health data which is classed as special category personal data as defined by data protection law.  Health data is also subject to a common law duty of confidentiality. The data we receive is outlined at https://ibdregistry.org.uk/data-submission-framework/ 

Source

We collect personal data directly from individuals that agree to participate in the Registry via our registration process.

We also receive personal data (health data) from NHS Trusts which provide care and treatment to individuals living with IBD in the UK.

Recipients

We will not ordinarily or routinely share any of your confidential personal data with any third-party data controllers without your consent.  Data which has been de-identified, so that it is no longer confidential and it is not possible to identify you directly from it, will be shared with authorised recipients for the purposes of analysis and research.

The lawful basis for the processing

Under data protection law the following lawful bases apply to the processing of personal data:

  • Article 6(1)(f) – ‘processing is necessary for the purposes of the legitimate interests pursued by the controller…’
    • For our processing of personal data which enables analysis.
    • For our processing of personal data which enables research which has received approval via an internal ethical approval process.
  • Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest…’
    • For the transfer of personal data to us by Trusts.
    • For our processing of personal data which enables research which has received independent ethical approval.

Under data protection law the following lawful bases apply to the processing of special categories of personal data:

  • Article 9(2)(j) – ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…’
    • For the transfer of special categories of personal data to us by Trusts
    • For our processing of special categories of personal data which enables analysis and research.

Under the common law duty of confidentiality, the following lawful bases apply:

  • For individuals who provide consent via our registration process, this permits healthcare providers and other data controllers that hold confidential healthcare data about participants to release this to us. The consent also allows us to process the confidential data we receive for the purposes of operating the Registry.
  • For individuals who have not provided their agreement to participate in the Registry, we hold an approval from the Confidentiality Advisory Group under S.251 of the NHS Act 2006 (18/CAG/0131). This supports the processing of confidential patient information for the purposes of operating the Registry by setting aside the Common Law Duty of Confidentiality.
    • You can find out more about the Confidentiality Advisory Group and Section 251 support here.
    • We do not receive any data under Section 251 relating to individuals who have registered a National Data Opt Out.

Third Party Processors

We will use EmailOctopus, a UK company, to provide email updates to Registry participants.

International Transfers

Data will only be stored within the UK and the European Economic Area (“the EEA”). (The EEA consists of all EU members states, plus Norway, Iceland, and Liechtenstein.

Retention

Personal data processed within the IBD Registry will be retained indefinitely. The Registry employs both technical and organisational measures to ensure the security of personal data and respect for the principle of data minimisation in accordance with data protection law which requires safeguards to be in place where processing is undertaken for scientific or historical research purposes or statistical purposes.

Automated decision-making or profiling

We do not undertake any automated decision-making or profiling in relation to your personal data processed within the IBD Registry.