Data protection and confidentiality

CQC considers that the lawful basis for processing data for the NHS Patient Survey Programme (NPSP) is Article 6(1)(e) of the General Data Protection Regulation (GDPR): ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’

The NPSP includes some special categories of personal data. This is data that under the GDPR is considered more sensitive and needs more protection; examples include ethnicity and sexual orientation. CQC considers that the lawful basis for processing special categories of data is Article 9(2)(h): ‘processing is necessary for the purposes of […] the management of health or social care systems and services’.

When carrying out your survey, you will need to ensure that you comply with the General Data Protection Regulation. You can do this by carefully following these survey instructions, as well as the relevant survey handbook, and sampling instructions, as published on this website.

If you have not already done so, please ensure that you include research in your data protection registration.

You must take steps to inform people using your services that their contact information may be used for the purpose of the NHS Patient Survey Programme, that, where relevant, this will include passing those data to an approved contractor, and that they have the right to opt out of this. One way to do this is to ensure that your privacy notice includes the NPSP.

To meet your obligation to inform people using your services of their right to opt out, you must continue to put up posters and leaflets during the sampling period and fieldwork, and these must provide people with contact information to opt out of the survey. Any objection to taking part must be respected. Another way to inform people is to publicise the survey locally. Please see the survey instructions on publicising the survey for more information.

GDPR requires personal data to be processed in a manner that ensures its security; it must not be processed or accessed unlawfully. You must ensure that all responses are kept confidential.

You will also need to comply with the NHS Code of Practice on Confidentiality (2003), which incorporates the Caldicott Principles. You should take particular care to ensure that your use of patient/service user data complies with these principles. In particular, you should be aware of the flows of patient/service user data, and the issues which these present.

It is your legal responsibility to ensure that you meet any guarantees of anonymity or confidentiality made in covering letters and on the questionnaire.

Working with an approved contractor

It will be necessary to establish appropriate contractual arrangements with any contractor. Your trust’s Caldicott Guardian and legal advisors should advise you on these matters. The use of the approved contractor, and the processes for their work on behalf of your trust in the NPSP, should be reviewed and approved by your Caldicott Guardian. We recommend that your Caldicott Guardian should consult your Data Protection Officer prior to approval, so as to obtain their advice on compliance with GDPR.

GDPR places further obligations on data controllers (trusts) to ensure contracts with processors (approved contractors) comply with the GDPR. Processors must be able to provide controllers with ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

The approved contractors who have been appointed for the NPSP have all been through a competitive procurement process, as part of which they provided information about their processes for ensuring the confidentiality and security of personal information. The framework agreement between the approved contractors and the Care Quality Commission contains clauses stating that the approved contractor will comply with the General Data Protection Regulation.

The model service contracts provided by CQC for use between trusts and approved contractors are GDPR compliant. You are advised to check these with your own legal department to ensure that they fulfil your requirements and amend as needed. If you do not use these, you are advised to ensure your own contracts are GDPR compliant.

Guidelines on the use and security of the data collected have been agreed by the Care Quality Commission (CQC) and the Survey Coordination Centres for the NPSP. These guidelines will help to ensure that data are handled in a manner most in keeping with the spirit of the GDPR and the Social Research Association and Market Research Society’s Guidelines for social research (2005). They have implications for approved contractors and for NHS trusts conducting surveys in-house.

Information about the GDPR can be found at the Information Commissioner’s Office (ICO), and the Market Research Society provides further guidance on data protection.

Statements of compliance with data protection (in-house trusts only)

If you are conducting the survey in-house, that is, you are undertaking the survey yourself and have not employed the services of an approved contractor, you must ensure that a Declaration of Compliance with the General Data Protection Regulation is completed for all staff working with the data which must be signed off by your trust’s Caldicott Guardian. Only trust staff who have completed this declaration will be authorised to view this restricted data. If the trust’s Caldicott Guardian does not authorise this, the trust must carry out the survey using an approved contractor.

Sample Declaration Form

Each NHS trust has a Caldicott Guardian responsible for overseeing the proper use of patient/service user data. Under Section 251 approval, both the Caldicott Guardian and the person drawing the sample must complete their respective sections of the Sample Declaration Form. We recommend that your Caldicott Guardian should consult your Data Protection Officer prior to signing the form, so as to obtain their advice on compliance with GDPR.

The Sample Declaration Form constitutes a legal document whereby the trust authorises the sample to be transferred outside the trust.

If you are conducting the survey in-house, you will need to send your Sample Declaration Form to the Survey Coordination Centre, Picker Institute Europe.

If you are using an approved contractor to run the survey on your behalf, please send your Sample Declaration Form to your approved contractor.

Approval under section 251 of the NHS Act 2006

Approval for surveys in the NPSP is sought under Section 251 of the NHS Act 2006. This approval allows the common law duty of confidentiality to be set aside in order to enable the processing of patient identifiable information without consent. The survey methods are reviewed by the Health Research Authority (HRA), and the Confidentiality Advisory Group (CAG) of the Health Research Authority grants a recommendation of support. Although the support is for the transfer of names and addresses to contractors, which does not apply to in-house trusts, it is still expected that in-house trusts follow the instructions in full.

  • Patients/service users who have indicated they want to be excluded from surveys or do not want their address details shared for any reason other than clinical care must be excluded.
  • This should be done by referring to your local records.

Processing opt-outs

Following the requirements of the Section 251 approval for the NPSP, trusts are required to process any opt-outs from patients/service users as follows:

  1. Any objection is to be recorded immediately and checks made to determine whether a mailing is underway. If a mailing is underway, the caller will need to be advised that it might not be possible to prevent this mailing, but assured that they will receive no future mailings.
  2. People wishing to receive no further questionnaires can be identified with a flag/code/number on the mailing file.
  3. When speaking to callers wishing to opt out of future survey mailings, it is not appropriate to try to dissuade them from their intent. Even a well-intentioned discussion around the benefits of the survey could be perceived as applying pressure to participate. The benefits of the survey should only be mentioned by call-takers in response to queries from callers. If someone feels strongly enough about the survey that they initiate contact to object, this needs to be respected and acted upon immediately to avoid upset and misunderstanding.
  4. Callers are advised they are being removed from the mailing list for this survey only and that if they wish to register their dissent against wider research participation at their trust, they need to speak to their trust (via PALS or the trust’s Information Governance Team). We expect trusts will have their own systems in place for reflecting this in patient/service user records.

Additionally, you are required to discuss this issue with your Caldicott Guardian to ensure that any patients/service users who have indicated that they do not wish to have their details shared for purposes such as this survey, yet may have sufficient address details visible in PAS, are not included in the sample that is submitted to the Survey Coordination Centre.

Please note that the national data opt-out does not currently apply to the surveys running under the NHS Patient Survey Programme and you must not exclude people on this basis. The programme will continue to use the separate opt-out mechanisms described in this document. For further information please see the National Data opt-out operational guidance policy.