Privacy & Fair Processing Notice

What is the aim of the National Audit of Breast Cancer in Older Patients?
This audit was commissioned to evaluate the quality of care provided to women aged 70 years or older by breast cancer services in England and Wales. It will explore why older women with breast cancer appear to have worse outcomes than younger women and investigate apparent differences in the patterns of care delivered to older women. The Audit will examine the care pathway from initial diagnosis to the end of primary treatment, and compare how patterns of breast cancer care observed for women aged 70 years and over with those among women diagnosed aged 50-69 years.

Where is patient data collected from?
The NABCOP uses existing sources of patient data collected by national organisations. No new data will be required to be collected from individual patients or clinical staff. The main source of data will be the national Cancer Registration datasets in England and Wales.
The national Cancer Registration Services collect a limited amount of information on all people diagnosed with cancer. This includes information about the type of cancer and the treatments received, and the information is supplied by the medical staff involved in delivering care.
The information from the Cancer Registration Services will be linked to other routine hospital datasets to provide some additional detail about surgical treatments (English hospitals uses the Hospital Episode Statistics and Welsh hospitals use the Patient Episode Data for Wales). The information will also include data from the Office for National Statistics (ONS) on the dates of death so that the audit can examine duration of survival after cancer diagnosis. The linkage of data from these different sources will be undertaken by the Cancer Registration Services.
Information supplied to the Audit by the Cancer Registration Services is anonymised. Common health care identifiers such as the NHS numbers or other potentially sensitive information that might identify individuals (such as postcode and date of birth) are not included in the supplied data. Data are converted into formats that reduce the risk of identification. For example, date of birth is converted to age at admission. The national Cancer Registration Services, together with the Healthcare Quality Improvement Partnership, are the data controllers for the audit

Data Controller
The NABCOP is commissioned by the Healthcare Quality Improvement Partnership (HQIP) on behalf of NHS England and the Welsh Assembly Government, as part of the National Clinical Audit and Patient Outcomes Programme. HQIP are the data controller for the linked de-identified dataset that is supplied to the NABCOP Project Team for analysis.
The NABCOP team combines the data on individuals with other information held in other national hospital databases. This is detailed in the NABCOP data flow diagram.
The data controllers for the individual national datasets are:
• Public Health England for the cancer information on English patients
• Wales Cancer Network for the cancer information on Welsh patients
• Office for National Statistics for the death register
• Public Health England for the data on chemotherapy and radiotherapy
• NHS Digital for the English hospital data (Hospital Episode Statistics, HES)

Legal basis for processing personal data
The NABCOP has approval for processing health care information under Section 251 (reference number: 16/CAG/0079) for all patients over the age of 50 diagnosed with breast cancer in England and Wales. More information on section 251 is available here: http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/

Patient confidentiality and level of data collected
The patient-level information received and managed by the NABCOP team is treated as confidential. We analysing the data to produce the information on patient care and outcomes, the NABCOP team use de-identified data and so individual patients are not identifiable.
The audit is also careful when publishing information to include graphs or tables that do not allow individuals to be identified. To ensure this, the Audit follows guidelines on publishing statistics issued by the Office for National Statistics – Review of the Dissemination of Health Statistics: Confidentiality Guidance.

Management of patient data by the NABCOP team
The NABCOP team are based at the Royal College of Surgeons of England (RCS). The RCS conforms to the General Data Protection Regulation (GDPR) and other legislation that relates to the collection and use of patient data. The RCS has strict security measures in place to safeguard the use and storage of de-identified patient-level information, which is handled in accordance with the GDPR. All de-identified data extracts are stored on a password protected encrypted server at the RCS with restricted access to named analysts in the NABCOP project team.

Who we share data with?
The NABCOP only shares patient-level data following a strict governance procedure to ensure compliance with the General Data Protection Regulation (GDPR).
Researchers may apply to the NABCOP Data Controller (HQIP) if they want to use the patient data for a research study. These requests undergo a stringent approvals process as outlined by HQIP.

What if I do not want my information used by the Audit?
The National Cancer Registration and Analysis Service (NCRAS) in England and the Wales Cancer Network are allowed to collect data on patients diagnosed with cancer. Information about how patients can opt-out of data collection is provided.
NHS Digital also provides information on patient opt-out of sharing their personal confidential health and social care data.

Changes to our privacy policy
We keep our privacy policy under regular review and we will always include the latest version on this web page.
The privacy policy was last updated on 22/05/2018.

How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you.
Information about the requirements for the Audit to keep personal data secure and what to do to report a data breach, can be found on the website of the Information Commissioners Office: https://ico.org.uk