Meditrends Privacy Statement
What data are processed by Meditrends?
Meditrends processes Hospital Episode Statistics (HES) data that is a record of accident & emergency, in-patient and out-patient care provided to NHS patients in England. HES data is collected by NHS Digital from hospitals that provide NHS services. This data is provided to us under contract by NHS Digital.
HES data contains details of hospital admissions and out-patient attendances including diagnoses made and treatments given. It also contains details of patients' age (but not full date of birth), sex, and area of residence (the first section of postcodes, but not full postcodes) and ethnic origin.
The HES data we receive is "pseudonymized" by NHS Digital, this means that some personal identifiers such as names are omitted, and other such as dates of birth and addresses are provided in an incomplete form. As a result, we aren’t able to identify individuals from HES Data.
Who is the Data Controller?
The data controller is:
Meditrends Ltd trading as Beacon Consulting
Registered in England, company number 08544025
27 Broad Street,
Wokingham, Berkshire, RG40 1AU
Telephone: +44 (0) 1252 75 89 88
Who is HES data shared with and why?
We do not share data on individuals with anyone. All data that is shared is aggregated in accordance with the HES Analysis Guide. Aggregated data is used for the Meditrends website and to provide custom analysis to our customers. Under our contract with NHS Digital we may only provide aggregated data to the following types of organisations.
Public Sector Organisations responsible for the planning, evaluation, commissioning or provision of health and social care including:
- GPs Practices
- Acute Trusts
- Area & Regional Teams
- Strategic Clinical networks
- Department of Health
- NHS England
- Academic Health Science Networks (AHSNs)
- NHS England Commissioning Support Units (CSUs)
Life Science Companies (pharmaceutical, medical technology, and medical biotechnology), members of:
- The Association of British Pharmaceutical Companies (ABPI)
- The UK BioIndustry Association
- The Association of British Healthcare Industries (ABHI)
Data shared must be for the benefit of the provision of health care or adult social care or the promotion of health and cannot be shared for solely commercial purposes.
HOW IS PROCESSED DATA SHARED?
HES data processed by us may be shared in aggregated form in the following formats:
- Through the Meditrends website
This website is available to our customer organisations (as listed above) and provided records of NHS activity and performance indicators
- Through custom analyses of specific disease areas
These may take the form of reports to our customers; abstracts, posters and presentations at scientific meetings; papers in scientific journals; and tools and models for use with NICE, NHS Commissioning bodies and health care professionals.
What is your basis for processing HES data?
As HES data is potentially identifying it is "personal data" and we need a legal basis under the General Data Protection Regulations (GDPR) for processing it. Our legal basis is that processing HES data is a legitimate interest of Meditrends Ltd pursuing its business as a data analysis organisation and which is not overridden by the interests or fundamental rights and freedoms of data subjects.
Because HES data contains information on health and ethnic origin, it is sensitive data, and can only be processed for specific permitted purposes. Meditrends Ltd processes HES data for the following purposes:
- The provision of health or social care or treatment
- The management of health or social care systems
- Ensuring high standards of quality and safety of health care and of medicinal products or medical devices
- Scientific or historical research purposes or statistical purposes
We have completed a Legitimate Interest Assessment and a Data Privacy Impact Assessment for the data processing we carry out.
How long does Meditrends retain HES data for?
We keep HES data for 10 years. However, we only process data that is less than 5 years old, except for limited purposes related to the Meditrends website or with specific permission from NHS Digital.
Are decisions made about my healthcare because of your processing?
No. Decisions about your healthcare are decided between you and your health care provider. No automated decision-making about your healthcare takes place because of our processing.
How do I opt-out of sharing my data?
If you don't wish to have your confidential patient information used for research and planning then please visit the NHS national opt-out programme website for run by NHS Digital for further information. It is not possible to opt-out of using your data for your own treatment and care and in certain other specified circumstances. For details see here.
We are unable to process opt-out requests ourselves as the HES data we hold is pseudonymised and we can't identify you (or any other individual) to process your opt-out.
How do I access, rectify or transfer my data?
If you want to see or correct your HES data you should contact NHS Digital.
We are unable to process access or rectification requests ourselves as the HES data we hold is pseudonymised and we can't identify you (or any other individual) to process your request. For the same reason we can't process requests to access your data in a particular format or transfer it to someone else (also known as data portability)
Where is my data stored and processed?
HES data is stored and processed in England only.
How does Meditrends protect my confidentiality?
It is possible that if patient level HES data was combined with other data some individuals may be identified. However, we don't hold the other data required for this type of re-identification, and we take steps to ensure that no one else has is able do this by only releasing aggregated data to authorised customers and ensuring that no one outside Meditrends has access our patient level HES data. We operate a comprehensive Information Security Policy which is accredited to ISO 27001, the international standard for information security management systems and is subject to annual independent review.
Who to contact if you are unhappy with the way we process your data or have further questions?
We have a Data Protection Officer ("DPO") who monitors internal compliance with our data protection obligations and acts as a contact point for questions from the public, including objections to the way we process your data. To contact the DPO please email us and include "DPO" in your header.
If you are unsatisfied with the way we deal with your query or request you can complain to the Information Commissioners Office ("ICO").