Privacy notice for patients participating in surgical site infection surveillance.
Applies to England
About UK Health Security Agency
The UK Health Security Agency (UKHSA) exists to protect and improve the nation’s health and wellbeing, and to reduce health inequalities. It is an executive agency of the government, sponsored by the Department of Health and Social Care (DHSC). Find out more about UKHSA and its work.
UKHSA’s responsibilities include running the Surgical Site Infection Surveillance Service (SSISS). This has been set up to help hospitals monitor surgical patients and record the numbers that develop a wound infection after surgery. The work of the SSISS enables hospitals to see how their infection rates compare with other hospitals and help them make improvements.
This privacy notice explains what personal information about patients at risk of surgical wound infections is shared with UKHSA by hospitals across England. It also explains what UKHSA does with this information, how we protect it, how long we keep it, who we sometimes share it with, what your rights are, and how you can find out more or raise a concern.
DHSC is the data controller for the personal information we collect, store and use to fulfil our remit. UKHSA is listed under the DHSC’s registration with the Information Commissioner’s Office (ICO). You can find more information in the UKHSA general privacy notice.
The information hospitals share with UKHSA
Hospitals are required by law to participate in surgical site infection surveillance for several categories of orthopaedic surgery, including hip and knee replacement. They are also encouraged to undertake voluntary surveillance in other categories of surgical procedures such as heart and bowel surgery.
If you have undergone one of these types of surgery, your personal information is shared with UKHSA by your hospital as part of this surveillance.
The information shared includes:
- your full name
- your date of birth
- your sex
- your NHS number
- information about your risk of developing an infection, including your general level of health before the operation and information about your operation
- information about any infections following your surgery
Your hospital may also share your email address and mobile phone number, or those for someone acting on your behalf, with UKHSA. This is so we can send you a wound healing questionnaire by email or text for you to complete and return to UKHSA. These questionnaires provide us with valuable information on any infections which may develop after your discharge from hospital.
How UKHSA uses your information
Your personal information shared with UKHSA is used to calculate rates of surgical wound infections for different types of operation for hospitals across England. This allows hospitals to see how their infection rates compare with other hospitals and how they change over time. This information helps them make improvements to reduce their infection rates.
UKHSA needs to use personal information to check the quality and accuracy of the information we receive from your hospital and make sure we don’t count patients more than once. We also use this information to link to NHS records to see if you are readmitted to hospital after your surgery, the reasons why, the treatments and procedures you receive for your infection, and whether you have other risk factors for surgical wound infection such as diabetes. We obtain this information from NHS Digital, which provides information and technology services to the health and care system, and collects information on all hospital admissions, outpatient appointments and A&E visits in England. You can find out more in Privacy and cookies – NHS Digital.
In addition, we also link the records we receive to mortality records to see if any patients with a surgical infection die from this infection. We obtain this information from NHS Digital and the Office for National Statistics, which is responsible for collecting information on all deaths in England.
The records may also be linked to microbiology laboratory data held by UKHSA to look at further clinical information on infections patients may have. We may also link your information to the records held by other clinical registries which contain more detailed clinical information such as the types of surgical implants used.
To help the NHS reduce the number of surgical wound infections, UKHSA produces confidential local reports for hospitals concerning their own patients every 3 months. We also publish a report each year showing the rates across the country and how these are changing. No information that could identify you will ever be included in the reports published by UKHSA.
How UKHSA protects your information
Your personal information is protected by us in a number of ways. It is stored on computer systems that have been tested to make sure they are secure and which are kept up-to-date to protect them from viruses and hacking. Where we share your personal information with your hospital and other organisations, we only ever do so using secure computer systems or encrypted email.
Your information used by the SSISS can only be seen by UKHSA staff who have been specifically trained to protect your privacy. Strong controls are in place to make sure all these staff can only see the minimum amount of personal information they need to do their job.
Whenever possible, we only use your information in a form that does not directly identify you. We do need to use your name, date of birth and NHS number to link together your surgical records with other information about you, including if you are readmitted to hospital for further treatment and your outcomes. For most of the analyses we then do to monitor surgical site infections, we use information that does not directly identify you. For example, we replace your name and NHS number with pseudonyms (that is, codes that do not include information that identifies you) and substitute your date of birth with age in years. We do this to help protect your confidentiality.
We hold your information in the UK only.
No information that could identify you will ever be published by us.
How long UKHSA keeps your information
The personal information of surgical patients is kept by UKHSA for 25 years after which time we review it to decide if we need to continue to keep it. If we don’t, then we securely delete your personal information. The exception to this is your phone number and email address, which we only keep for 12 months and then securely delete. If we need to keep your personal information for longer than this, then we will revise this privacy notice to explain the reasons why.
This information needs to be kept for this long because infections and related complications that affect patients’ health can sometimes take many years to develop after surgery. UKHSA needs to keep personal information so that it can link to other hospital and mortality records in the future.
Patients’ phone numbers and email addresses are only used for the specific purpose of sending automated emails or texts containing the post-discharge wound healing questionnaire, which is why they are only kept for 12 months and then securely deleted.
Does UKHSA share your information with anyone else?
UKHSA may share the personal information of surgical patients with researchers outside UKHSA.
This only happens if the researcher has approval from a medical ethics committee and special permission from the Health Research Authority’s Confidentiality Advisory Group. This group provides independent advice to the Secretary of State for Health and Social Care on whether the use of confidential patient information is in the interests of patients and the public. This is known as ‘Section 251’ approval. The part of the law that applies here is section 251 of the National Health Service Act 2006 and the associated Health Service (Control of Patient Information) Regulations 2002. UKHSA never shares personal information with researchers without these approvals.
Sharing information helps scientists to make recommendations for hospitals to reduce their infection rates, but patients can opt out of their personal information being shared by PHE with other researchers if they choose.
Further information and details on how to register an opt out choice can be found online.
On this web page you will:
- see what is meant by confidential patient information
- find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- find out more about the benefits of sharing data
- understand more about who uses the data
- find out how your data is protected
- be able to access the system to view, set or change your opt out setting
- find the contact telephone number if you want to know any more or to set or change your opt out by phone
- see the situations where the opt out will not apply
UKHSA will ensure that no personal information about you will be shared with other researchers if you register a choice to opt out.
A register providing details of the information that UKHSA has shared with other researchers is published on GOV.UK.
Surgical site infection surveillance and the law
The law on protecting personal information, known as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, allows UKHSA to use the surgical wound infection information shared with us by hospitals.
The sections of the law that apply here are:
- UK GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
- UK GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
- Data Protection Act Schedule 1 Part 1 (3) ‘public health’
As part of the SSISS, we may need to use your confidential patient information such as your surgical records without asking directly for your consent.
We have ‘section 251’ approval from the Secretary of State for Health and Social Care to do this for the purpose of diagnosing, recognising trends, controlling and preventing, and monitoring and managing risks to health such as surgical wound infections.
The part of the law that applies here is section 251 of the National Health Service Act 2006 and regulation 3(3) of the associated Health Service (Control of Patient Information) Regulations 2002.
Surgical site infection surveillance and your rights
If your personal information is used by UKHSA’s SSISS, you have a number of rights under data protection law.
Your right to get copies of your information
You have the right to ask for a copy of any information about you that is held.
Your right to get your information corrected
You have the right to ask for any information held about you that you think is inaccurate to be changed.
Your right to limit how your information is used
You have the right to ask for the use of any information held about you to be restricted. For example, you can ask this where you think the information we are using is inaccurate.
Your right to object to your information being used
You can ask for any information held about you not to be used. This is not an absolute right and we may need to continue to use your information. We will tell you why if this is the case.
Your right to get your information deleted
You can ask for any information held about you to be deleted. This is not an absolute right unless the legal basis for us to process your information is consent. If we need to continue to use your information we will tell you the reason why.
Your right to data portability
You can ask for any information held about you to be provided to you in a commonly used electronic format. This right is only available where the legal basis for processing your information is consent or for the purposes of a contract between you and UKHSA.
Your rights in relation to automated individual decision-making, including profiling
You can object to your personal information being used to make a significant decision that affects you based solely on automated processing, including profiling. We will tell you in this privacy notice if we use your information in this way at any point.
You can exercise any of these rights by contacting us at:
Information Rights Team
17 Smith Square
You will be asked to provide proof of your identity so that we can be sure we only provide you with your personal information.
How to find out more or raise a concern
You can find out more about surgical wound infections online at Surgical site infection (SSI): guidance, data and analysis.
If you would like to find out more about UKHSA’s SSISS, you can contact us at email@example.com
UKHSA does not have access to the full medical records of patients so if you have had a surgical wound infection and want to see your full medical records you will need to contact the hospital that treated you.
If you have any concerns about how your personal information is used and protected by UKHSA, you can contact our Data Protection Officer at firstname.lastname@example.org or by writing to:
Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU
You also have the right to contact the ICO if you have any concerns about how we use and protect your personal information.
You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website or by writing to:
Customer Contact Information Commissioner’s Office Wycliffe House Water Lane Wilmslow SK9 5AF
About this privacy notice
If the way the SSISS uses your personal information changes, we will update the privacy information provided in this notice.