Effective date: 1 February 2024

Who is this document for?

This document is for all people who have been a patient at an NHS hospital in England or have interacted with Community services in the NHS in England over the past five years.

What type of personal information we hold

We hold and process data that is pseudonymised prior to being sent to us, meaning that parts of the data that could be used to identify someone are replaced with a key. We do not hold that key and so are not able to identify anyone using that pseudonymised ID.

We receive pseudonymised data from NHS England that covers acute services (Hospital Episode Statistics and the Emergency Care Data Set), community services (Community Services Data Set) and diagnostic data (Diagnostic Imaging Dataset).

This covers a broad range of NHS activity including inpatient and day case admissions, outpatient appointments, critical care, accident and emergency attendances and community contacts.

You will be included in this database if you have been a patient at an NHS hospital in England, or have interacted with community care through the NHS in England, and you have not opted out of your data being sent to NHS Digital or used in healthcare research and planning. These data sets, although they contain your personal information, are always pseudonymised such that we would not be able to identify you, nor would we try to identify you in any instance unless specifically requested to do so by the data controller. You are able to manage your personal data choices within the NHS by following this link.

How we use your personal information

We process patient data for the purpose of helping healthcare organisations to identify areas of opportunity in performance or efficiency and work with them to improve population health. Customers use our services for a number of different purposes including:

  • To benchmark performance and spend against similar health systems in England
  • Identify improvements in operational efficiency and monitor the impact of implemented changes
  • Understand the drivers of activity and spend in a system and use this to develop a forward plan
  • Analyse patient outcomes, quality and activity metrics and use this to develop plans to improve

We act as a data controller along with NHS England through signing a Data Sharing Framework Contract and a Data Sharing Agreement. These data are provided to us by NHS England under licence and under sections 261(1) and 261(2)(b)(ii) of the Health and Social Care Act 2012.

Moreover, under the General Data Protection Regulation (GDPR) we have specified the legal bases for collecting and processing your data; these are as follows:

  • Article 6 (1) (f) – It is necessary for our legitimate interests in being able to provide tools and services that will benefit healthcare organisations.
  • Article 9 (2) (j) – It is necessary for reasons that are in the public interest in the area of public health. We provide tools and services to public healthcare organisations that help them to monitor and improve the standards and quality of care that they offer. Our processing is thus designed to benefit patients and society as a whole through facilitating better healthcare in the UK

Some of our NHS clients provide us with pseudonymised patient-level healthcare data that we use for our analyses; here we act as the data processor and our NHS client acts as the data controller who is acting in the public interest. The legal basis for processing the data here is, through the data controller, article 6(1)(e) and 9(2)(j) of GDPR, which state that it is necessary for reasons in the public interest.

How we share your personal information

Your personal data will be used only for specific client work and for research in the public interest. The data we share with our NHS clients will not be identifiable unless specifically requested to do so by the data controller. Data provided to us by NHS England will always be shared in an aggregated format, and never in a form that could be identifiable. Indeed, in most cases, we will share aggregated analysis with our NHS clients in presentations, reports or cloud-based visualisation tools, in full compliance with the small numbers guidance in the HES Analysis Guide and ONS statistical disclosure principles. In general, all outputs can be grouped into one of several categories detailed below:

  • We provide detailed reports to clients, which contain data in table format containing aggregated, non-patient identifiable data with small numbers suppressed in line with the HES Analysis Guide;
  • These reports may also contain visualisations created using data based on aggregated, non-patient identifiable results of quantitative analysis;
  • We present the aggregated, non-patient identifiable results with small numbers suppressed, in the form of tables and visualisations, at meetings with NHS client stakeholders;
  • We provide interactive visualisations to NHS clients in the form of cloud-based tools;
  • National benchmarks will be derived from the national data sets provided to us by NHS Digital and may be shared with our NHS clients

Where we process your personal information

The patient data we receive from NHS England is only ever processed in the UK. We never send or process your personal data outside of the UK.

How long we keep your personal information

When acting as a data controller, we only keep the historical data in our data warehouse for as long as our agreement with NHS England exists. When acting as a data processor, we keep pseudonymised data provided to us by our NHS clients for a maximum of 5 months after the end of our contract of work.

How to contact us

If you have any query about your personal information rights then please contact our Information Governance lead, Kevin Atkin, on [email protected], call us on +44 (0)20 3770 7535, or write to us at CF, 12th Floor, 1 Lyric Square, Hammersmith, London, W6 0NB.

How to complain

If you feel that we have let you down in relation to your information rights, then please contact Information Governance using the details above.

You can also make complaints directly to the Information Commissioner’s Office (ICO). The ICO is the independent authority upholding information rights for the UK. Their website is ico.org.uk and their telephone helpline number is 0303 123 1113.


Carnall Farrar Ltd Proprietary Information

The information contained in this document is Carnall Farrar Ltd proprietary information and is disclosed in confidence. It is the property of Carnall Farrar Ltd and shall not be copied or disclosed to others, in full or in part, or used for any other purpose without the prior written consent of Carnall Farrar Ltd.