Purposes for processing
NHS England is committed to the improvement of quality and delivery of services and uses incident events, investigation, evidence and reports relating to incidents under various policy and procedural structures.
An incident requiring investigation is defined as an incident that occurred in relation to NHS-funded services and care resulting in unexpected or avoidable death, harm or injury to patient, carer, staff or visitor. In order to promote quality and compliance, NHS England has several reporting protocols for incidents and provides investigation and learning to improve systems and services across the organisation.
Sources of the data
Incident events are recorded across the organisation, and within systems and services commissioned by NHS England. Under various protocols including Serious Incidents Requiring Investigation (SIRI), Never Events, Deaths In Custody, Neonatal Death, these incidents will be investigated and reviewed with a view to ensuring improvement in outturn and performance.
Categories of personal data
The data received by NHS England includes a record for each incident including (if relevant) patient or staff name, NHS Number and other personal details, including relevant healthcare records and information about the incident, including others involved or impacted by the event.
Categories of recipients
The information is used by the relevant team or department together with Nursing and Quality, and Improving Health and Quality teams in NHS England. Anonymised “lessons learned” will be cascaded to relevant parties within (or outside) NHS England to ensure that improvements are delivered.
Legal basis for processing
For the GDPR purposes NHS England’s lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of special categories data the basis is Article 9(2)(h) ‘…health or social care…’.