NHS Trust FAQs

Under the General Data Protection Regulation (GDPR), CQC is responsible as a data controller for the processing of personal data by the Survey Coordination Centres for the purposes of surveys in the NHS Patient Survey Programme.

Each trust has its own responsibility as data controller for the patient/service user data that they process, or is processed on their behalf by an approved contractor, for the purpose of conducting surveys.

CQC considers that the lawful basis for the processing data for the NHS Patient Survey Programme is Article 6(1) (e) of the GDPR: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’

The NHS Patient Survey Programme also includes some special categories of personal data. This is data that under the GDPR is considered more sensitive and needs more protection, examples include, ethnicity and sexual orientation.

CQC considers that the lawful basis for the processing special categories of data is Article 9(2)(h): ‘processing is necessary for the purposes of […] the management of health or social care systems and services’.

Personal data processed by the trust and approved contractor (acting under the trust’s responsibility) takes place under the professional duty of confidentiality. Personal data processed by (or on behalf of) CQC is subject to the protection from disclosure provided by section 76 of the Health and Social Care Act 2008.

CQC and the Survey Coordination Centres obtain section 251 approval for each survey from the Confidentiality Advisory Group (CAG) at the Health Research Agency (HRA). This sets aside the common law duty of confidentiality, to allow patient/service user information to be used to carry out the survey as detailed in the survey instruction manual. If you collect any information outside of this, such as increasing sample size, or additional sample variables, this is not covered by the approval and you are advised to consult your trust’s Caldicott Guardian for advice on whether you should seek additional approval.

We also obtain ethical approval for each survey.

We have identified a lawful basis for the survey under the General Data Protection Regulation, and receive Section 251 approval for each survey. We therefore do not consider that consent is required to include patients/service users in the survey. However, as has always been the case, patients/service users must be given the opportunity to opt-out.

The General Data Protection Regulation strengthens peoples’ rights, and this includes the right to be informed. It is important that trusts meet their legal obligations to notify people of how their personal data will be used. You must take steps to inform people using your services that their contact information may be used for the purpose of carrying out surveys in the NHS Patient Survey Programme, that, where relevant, this will include passing those data to an approved contractor, and that they have the right to opt-out of this.

One way to do this is to ensure that the privacy notice for your trust includes the NHS Patient Survey Programme.

This can also be achieved by following the relevant survey instructions. You should display posters ahead of the fieldwork for each survey which are provided by the Survey Coordination Centre. This will enable people to opt out of the survey before it starts. Any objection to taking part must be respected. The generic instructions on publicising the survey also includes information and ideas for promoting the survey such as through local and social media.

No. The national data opt-out does not currently apply to the surveys running under the NHS Patient Survey Programme  and you must not exclude people on this basis. The programme will continue to use the separate opt-out mechanisms as described in the relevant survey instructions. For further information please see the National Data opt-out operational guidance policy.

The General Data Protection Regulation (GDPR) places further obligations on data controllers (trusts) to ensure contracts with processors (approved contractors) comply with the GDPR. Processors must be able to provide controllers with ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

The Survey Coordination Centres, and the Approved Contractors have all been through a competitive procurement process as part of which they provided information about their processes for ensuring the confidentiality and security of personal information. They are compliant with the Data Security and Protection Toolkit which enables organisations to demonstrate that the way they hold and process information meets information governance policies and standards.

A ‘model contract’ is provided for use between trusts and approved contractors which have been updated to be GDPR compliant. You are advised to share these with your own legal departments and seek legal advice as required to ensure that they meet all legal requirements.

If you do not use these, you are advised to ensure your own contracts are GDPR compliant.

The General Data Protection Regulation requires personal data to be processed in a manner that ensures its security and must not be processed or accessed unlawfully.

You must take steps to ensure that personal data shared with an approved contractor is done in a secure way. To ensure this trusts should comply with the guidelines on the use and security of the data which are available in the ‘Data protection and confidentiality’ instruction manual.

Once information is no longer required it should be destroyed. Sample information used for the survey, which includes people’s names and address, must be destroyed once the mailing process is complete. This must be done by both the trust and the approved contractor. The paper questionnaires should be destroyed once the data analysis and reporting is complete.

We share data with other organisations to help them with their work. This does not include name and address information. It does include information submitted on the sample file, and demographic information completed by the respondent in the ‘about you’ section of the questionnaire. Information on gender, date of birth, ethnicity and Clinical Commissioning Group (CCG) is obtained in the sample file for each survey. Other information varies by survey, please see the sampling instructions for the relevant survey for details.

The Department of Health and Social Care and NHS England and Improvement may use the results to generate aggregate indicators at local, regional and national level. These indicators form part of the range of the Outcome Frameworks and other publications. The NHS Outcomes Framework is a set of indicators developed by the Department of Health and Social Care to monitor the health outcomes of adults and children in England. This includes indicators on peoples’ experience of care. The data will also be shared with NHS Digital or other organisations, working on behalf of Department of Health and Social Care or NHS England and Improvement for the purpose of generating these indicators.

As stated on all questionnaires, freetext comments provided will be looked at in full by the Care Quality Commission, NHS Trust and researchers analysing the data. This includes sharing the comments with organisations such as the Department of Health and Social Care and NHS England and Improvement.

We also send a heavily abridged version of the survey dataset to the UK Data Archive so data can be used by other researchers. This dataset is heavily anonymised to ensure that no respondents are identifiable through the data. This involves a number of variables being deleted and others being recoded (for example, age is grouped into bands, ethnicity is deleted).

Please see the forward planner available on the CQC website.

CQC write to all trust CEO’s and survey leads to notify them ahead of each survey.