
How we use your data

What data do we collect?

Claims Management

We collect the following information. In some cases we will not collect all of the information outlined below, only the information we need to know:

  • *Claimants/*patients: contact details, name, gender, date of birth, date of death, occupation, National Insurance number, incident date, information concerning your physical or mental health or condition (this includes your medical records), details about your care, information concerning your involvement in the situation which is the subject of the claim, complaints correspondence, financial information in relation to your claim (including your bank details) and all of the previous categories of information for any injured party who is being represented by a litigation friend.
  • We collect information on patients before they become claimants for pre-action and inquests.
  • Staff employed by our members: contact details, employment status, professional registration numbers, information concerning your care of a patient, formal statements, incident or accident reports, information concerning your handling of a claim.
  • Witnesses: contact details, information concerning your involvement in the situation which is the subject of the claim.
  • Experts: contact details, your opinions concerning a claim, financial information in relation to your fees.
  • Service providers (lawyers, barristers, mediators): contact details, information concerning your involvement in the handling of a claim, financial information in relation to your fees, your opinions concerning a claim.

*For the purposes of this notice, “Claim” means any actual or potential tortious liability of NHS Resolution members. “Claimant” includes anyone pursuing a Claim including deceased patients on behalf of whom Claims are made.

Practitioner Performance Advice

We will collect personal and special categories of information. We collect this information where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

We will collect the following information in each of the situations set out below:

  • Practitioners and self-referring practitioners about whom we have been approached for advice (information as reported to us): name; gender; professional registration number; post/grade; specialty; length of time in post; contract type; age group at referral; ethnic group; disability status; place of first professional qualification (UK, European Economic Area (EEA) or Outside EEA); number of years worked in UK; and details of the reported performance concerns and the local management of the case (including investigation reports)
  • Employing/contracting organisations: name; work position; work address; contact details; and information about concerns and proposed management of cases
  • Practitioners referred for consideration of assessment: (in addition to information referred to in ‘Practitioners and self-referring practitioners about whom we have been approached for advice’ above.) contact details; qualifications; contract/employment status; work experience; scope of practice; information about investigations undertaken; information about occupational health assessments completed; equality and diversity details; and recommendations in relation to consideration of assessment
  • Practitioners engaging in assessment or professional support and remediation: (in addition to information in ‘Practitioners referred for assessment’ above) contact details; qualifications; contract/employment status; additional posts; work experience; scope of practice; workload; information about health; job plan; timetable; continuing professional activities; and equality and diversity details.

Information generated as part of the assessment process including: information about your health (if consent is given to share this with us); information collected as part of the assessment of behavioural concerns; information collected as part of colleague multi-source feedback; information generated as part of patient feedback; and information collected as part of the observation of clinical practice.  As part of the assessment process, information about the practitioner being assessed will be shared with assessors undertaking the assessment on behalf of our service, which will include the information listed above.

  • Practitioners participating in Assisted Mediation: practitioner name; specialty; documentation of concerns; personal statements; mediation agreements; and correspondence explaining the outcome of mediation
  • Patients: details about care and information about a compliment or complaint made in relation to a practitioner about whom we have been approached for advice. (This information will often be anonymised or pseudonymised, and it is our normal practice to seek prior written consent, or the agreement of a parent/guardian, to use personal data in any assessment activity)
  • Colleagues of the practitioner: details about involvement in a case; colleague multi-source feedback about an assessed practitioner (including:  name; professional registration number; gender; grade; length of working relationship; and, in the cases of nurses and allied health professionals, length of time since qualification)
  • Suspended/excluded practitioners: (in addition to information listed in ‘Practitioners referred for assessment’ above) start and end dates of suspensions or exclusions of individual practitioners from work and, thereby, information as to the duration of episodes and copies of suspension letters
  • Healthcare professionals who are subject to Healthcare Professional Alert Notices: the request for the alert notice (including full name and last known address, national insurance number); (where applicable) professional body registration number; the gender and ethnic origin of the individual; a description of the capacity in which the individual was employed or engaged to provide services and in which it is thought possible they may seek work in the NHS. (Note: the reason for the request will include: a summary of all relevant information about the individual which supports the request; an assessment of the relevant risks; any advice taken; and any action already taken in respect of the individual concerned including copies of investigations/reviews (including any referral to the regulatory body))
  • Performers List: practitioner name; practitioner role; professional registration number; and practitioner address
  • Team reviews: practitioner names; personal details; specialty; any documents detailing concerns; and details of organisation requesting the review (name, work position, work address and contact details)

Primary Care Appeals

We collect the following information:

  • Primary care contractors: name and address, appeals or disputes you have lodged and associated submissions and evidence, including financial, performance and health-related matters with regard to said appeal or dispute. For Performers List matters, the name, address, date of birth and professional registration number and any associated documents provided by the commissioning body. This information also includes the names of any Directors and, where relevant, professional registration number
  • NHS staff members: contact details, submissions with regard to any appeals or disputes
  • Consultant advisors: contact details, advice as to appeals or disputes, financial information in relation to fees
  • Panel members: contact details, professional qualifications, registration or membership numbers, training records, financial information in relation to fees
  • Service providers (solicitor): contact details, information concerning involvement in the handling of an appeal or dispute, financial information in relation to fees
  • Public feedback on pharmacy applications: name, address, postcode, email address and consultation feedback

Safety and Learning

To support learning, the Safety and Learning team will review data from the Claims Management team (which is held on the Claims Management System) in depth, and for certain specialties or causes, for the purpose of sharing it in an aggregated, non-identifiable way for learning from claims.

We also use claims information to enable staff and patients to learn from claims. We do this by feeding back to members, or through publications of themes or illustrative case stories.

Specifically, we use the information we collect to:

  • Support the administration and organisation of conferences and workshops
  • Keep subscribers to our mailing lists informed of news about NHS Resolution and update them on our services and events

Human Resources (HR) and Organisational Development (OD)

We collect the following information:

  • Applicants: Name, gender, date of birth, contact details, contact details of referees, qualifications, professional memberships, employment history, National Insurance Number, monitoring information such as gender, marital status, ethnic origin, sexual orientation, religion or belief and whether you consider yourself as having a disability.  We will also hold information on your right to live and work in the United Kingdom of Great Britain.
  • Employees: Name, gender, date of birth, contact details, emergency contact/next of kin details, contact details of referees, qualifications, professional memberships, employment history, National Insurance Number, bank details (for processing your salary), monitoring information such as gender, marital status, ethnic origin, sexual orientation, religion or belief and whether you consider yourself as having a disability.  We will also hold information on your right to live and work in the United Kingdom of Great Britain.  In accordance with our local policies we will also keep audio recordings of formal meetings and hearings which may be held during the course of your employment.

Membership and Stakeholder Engagement

We collect the following information:

  • Internal survey responders: age, gender, term of employment, department, name, email address, opinions of employment
  • External survey responders: Name, job title, organisation name, email address, telephone number, opinions about, and quality of previous interaction with, NHS Resolution, type of organisation
  • Training and event delegates: name, email address, payment details, special needs including dietary requirements, organisation name, job title, area of interest, type of organisation
  • Staff from NHS and other organisations: contact details (telephone number, email, address), job title, place of employment, type of organisation, organisation name, area of interest
  • General enquiries: name, job title, organisation name, email address, telephone number, opinions, previous interaction with NHS Resolution, claimant medical details
  • Media enquiries: information provided as part of a press enquiry, name, information about individual claims in the public domain, legal judgements
  • Suppliers: contact name, job title, contact details, organisation details, contract details, bank details, invoices, purchase order numbers, previous commercial interaction
  • Third party – Wilmington Healthcare: Quarterly updated contact list with name, job title, organisation, email address and telephone number

How we use personal data

Claims Management

We use this information to ensure that claims made against the NHS are handled fairly and consistently, and to support the NHS to learn from things that have gone wrong to improve patient and staff safety, with due regard to the interests of both claimants and the NHS. We seek to settle justified claims efficiently and to defend unjustified claims robustly.
We also use claims information for the purposes of internal training and the auditing of our claims management.
We are a member of the Claims and Underwriting Exchange Personal Injury (CUE PI) database. If a non-clinical claim is brought against one of our members, personal information about the injured party and the reason for the claim will be shared with the CUE PI database. We may run enquiry or fraud checks through the CUE PI database to allow us to effectively manage claims.
We may run identity checks against open source data sets to check that information provided by claimants or their representatives is accurate.
We may run checks against mortality data sets on injured parties in order to effectively manage claims that have been settled by way of a structured settlement or periodical payment agreement.
We will pass information to our panel of law firms who are under contract to us to manage claims on our behalf. They may in turn arrange to provide information to experts and other parties to assist the management of the claim.
In some cases, we may ask our panel of law firms and/or private investigators to provide reports on people who bring claims against our members. Such reports are to assist with the process of effectively validating claims. The compiling of the report may include running checks against various data sources such as, but not limited to, publicly available open source data, social media websites, and personal, motor and business databases.

We authorise surveillance conducted by private investigators in accordance with our Surveillance Protocol.

We will also use claims information to ensure that we can provide our members with accurate forecasting of trends, and to calculate contributions for members.
We make information about claims and incidents reported available to the NHS ‘Getting It Right First Time’ programme, which is hosted by NHS Improvement, for the purposes of learning from incidents. This has been approved by the Confidentiality Advisory Group. This information is handled sensitively and in conditions of confidence. You can find out more about the programme and the information it uses by visiting their website or letting us know if you would like more information about this.

We also use claims information to enable staff and patients to learn from claims. We do this by feeding back to members, or through publications of themes or illustrative case stories.

Practitioner Performance Advice

We use the information that we collect for the following reasons:

  • Advising and supporting healthcare organisations (employing/contracting organisations) where there is a concern about the performance of a dentist, doctor or pharmacist.
  • Monitoring the diversity of individuals referred to us (as required by the Secretary of State).
  • Engaging with individual practitioners who are the subject of concerns, including, where applicable, producing an assessment report, and where possible helping to develop a subsequent action plan.
  • Facilitating the carrying out of a review of the functioning of a clinical team.
  • Monitoring suspensions and exclusions of dentists, doctors and some pharmacists from work.
  • Issuing alert notices in relation to healthcare professionals and maintaining the HPAN system.
  • Carrying out research, evaluation and educational activities relating to the services provided by us.

Primary Care Appeals

We use this information for the following purposes:

  • Determining appeals against decisions in accordance with the NHS (Pharmaceutical Services) Regulations 2013 concerning the provision of NHS pharmaceutical services and GP dispensing services
  • Determining contractual disputes between primary care contractors and NHS England
  • Determining disputes over the assessment of GP Registrars’ allowances under relevant Directions
  • Determining other occasional appeals and applications under various regulations and directions governing primary care
  • Responding to enquiries from NHS England Local Area Teams or those acting on their behalf as to whether there have been any decisions taken against a primary care contractor on the relevant National Performers List

Please note that decisions, including the name of the contractor, are published on this website.

We also use information we hold for the purposes of internal training and the auditing of our decisions.

Safety and Learning

We share information with third parties such as our legal panel, police, NHS Counter Fraud Authority, the Department of Health and Social Care or other government departments, regulatory and/or other public authorities, to comply with legal obligations or where this is otherwise necessary and it is lawful to do so, including disclosures made to protect patient safety or to enhance public protection.

We do compile and publish research and statistics relating to Safety and Learning. This can be in the form of aggregated data – where we use anonymised data this is in line with the Information Commissioner’s Anonymisation Code of Practice.

Where we publish case stories that identify an individual, the individual will be fully informed and would have to consent to sharing any identifiable data before any personal data is shared with the public.

Human Resources (HR) and Organisational Development (OD)

We use this information for the following purposes:

  • Applicants: To administer your application, for pre-employment screening, equal opportunities monitoring and to respond to discrimination claims which may be brought against the organisation. We may also use this information in order to respond to legislative returns, parliamentary questions and Freedom of Information requests.
  • Employees: For the management of your employment, including payroll/pension processes, employee referrals for health support and management, and responding to legislative returns, parliamentary questions and Freedom of Information requests.

Membership and Stakeholder Engagement

We use this information for the following purposes:

  • Internal survey responders: this data is shared internally with our Human Resource and Organisational Development team for organisational purposes such as workforce planning, and internally within the MSE team to understand the opinions of employees and to formulate our internal communications
  • External survey responders: understand perceptions of us and what we are like to do business with
  • Training and event delegates: manage logistical delivery of training courses and events. In certain circumstances it is also to receive payment from delegates.
  • Staff from NHS and other organisations: provide service updates and canvass opinions
  • General enquiries: respond to the enquiry. The enquiry will be passed to the relevant team within NHS Resolution to deal with
  • Media enquiries: to respond to enquiries from media which sometimes contain information about individuals and their cases. We act on this information in line with data protection and any other relevant legal restrictions and considerations
  • Suppliers: to make sure that suppliers are set up on our systems such as finance for payment and procurement for the management of contracts.
  • Third party – Wilmington Healthcare: We receive quarterly contact updates from Wilmington Healthcare; the data is used to share information about the activities of NHS Resolution, such as learning from claims and initiatives, with our broad NHS audiences.

How we collect your data

Claims Management

Where we do not collect the data directly from you (the data subject) the data will have been obtained from your legal representative or other external sources such as NHS trusts, medico-legal experts, defence solicitors or barristers.

Practitioner Performance Advice

Where we do not collect the data directly from the data subject the data will have been obtained from the employing/contracting organisation or other practitioners.

Primary Care Appeals

Where data has been obtained indirectly, the personal data is obtained from NHS England and Health Boards (Wales, Northern Ireland and Scotland).

Where we receive data that has been collected from public sources such as public feedback on pharmacy applications, providing we have contact details, such as an email address, we will inform the data subject of the personal data we are holding within a reasonable period of obtaining the personal data and no later than one month. The exception to this is where there would be disproportionate effort (to provide the privacy notice).

If we use the data to communicate with you, we will inform you, at the latest, when the first communication takes place. We will not share this data with other third parties.

Safety and Learning

Where we do not collect the data directly from you (the data subject) the data will have been obtained from your legal representative or other external sources such as NHS trusts, medico-legal experts or Binley’s.

Human Resources (HR) and Organisational Development (OD)

Where we do not collect the data directly from you (the data subject) the data will have been obtained from:

  • NHS Jobs or other recruitment media used to process your application.
  • The Electronic Staff Records (ESR) system via the Inter Authority Transfer process (only applicable to successful candidates)
  • Recruiters (if sourced via this method)
  • Recruitment Agencies (if sourced via this method)

Membership and Stakeholder Engagement

Where we do not collect the data directly from you (the data subject) the data will have been obtained from:

  • Internal teams that send us their contact list for use in the customer survey and publicising our events and services
  • Third party organisations such as Wilmington Healthcare for up to date contact lists

How long we keep your personal data

In order to determine how long we keep your personal data, we follow the NHS Records Management Code of Practice. You can find information about our retention schedules in our Records Management Policy – this document will outline the duration that we keep specific information for.

Claims Management

The Claims Management service specifically holds information for claimants for 75 years. We have considered the justification for the current retention period – the rationale for retaining personal data includes:

  • Informing pricing for our members of our Indemnity Schemes
  • Analysis of long term trends to help reduce the high cost of claims
  • Acting as a single corporate memory for the NHS
  • Settled claims with periodical payments require retention for the lifetime of the individual
  • Requirements to hold information for Public Inquiries
  • Requirements by Department of Health and Social Care to retain data

Practitioner Performance Advice

We specifically hold information referred to in the above sections for a period of 20 years. We hold information so that we can learn from the cases referred to us, to help us inform service improvements and to support practitioners and organisations to deliver safer care to patients.

Who we share your personal data with

Data sharing with the Getting It Right First Time Programme (GIRFT) at NHS Improvement

NHS Resolution has been asked to share data from claims reported to us with the Getting it Right First Time Programme which is hosted by NHS Improvement. The Getting It Right First Time (GIRFT) programme is helping to improve the quality of care within the NHS by reducing unwarranted variations.

The information that will be shared is as follows:

  • Patient age at incident
  • NHS Resolution Claim Reference and Claim ID
  • Sex
  • Description of medical negligence claim including dates of incident, date of case creation (notification), case status and outcome, damages paid, case costs, causes and injury sustained.

The Secretary of State for Health through the Confidentiality Advisory Group (CAG) has approved the application by NHS Improvement on behalf of GIRFT to access this information and NHS Resolution has carried out its own analysis to determine whether it is lawful to share the information.

If you do not wish to have your claims information included in the programme or have any concerns about the data sharing proposal please contact the Data Protection Officer at NHS Resolution at Information.Governance@resolution.nhs.uk or by phone on 0207 811 2806.  You may also contact NHS Improvement at nhsi.data@nhs.net  

Claims Management

We share information with third parties such as our legal panel, police, actuarial services, NHS Counter Fraud Authority, the Department of Health and Social Care or other government departments, regulatory and/or other public authorities, to comply with legal obligations or where this is otherwise necessary and it is lawful to do so, including disclosures made to protect patient safety or to enhance public protection.

We do compile and publish research and statistics relating to claims, although this is in the form of anonymised or aggregated data.

Practitioner Performance Advice

Personal data about practitioners and referring organisations may be shared with third parties who provide services as part of our assessment process (and with other third parties – see below). Where we contract with third parties to provide services as part of our assessment processes, we require those third parties to sign appropriate agreements before access to data is granted.

We share information with third parties such as the Police, NHS Counter Fraud Authority, the Department of Health and Social Care or other government departments, regulatory or other public authorities, to comply with legal obligations or where this is otherwise necessary, including disclosures made to protect patient safety or for the purposes of public protection.

Primary Care Appeals

We share information with third parties such as our legal panel, police, NHS Counter Fraud Authority, the Department of Health and Social Care or other government departments, regulatory and/or other public authorities, to comply with legal obligations or where this is otherwise necessary and it is lawful to do so, including disclosures made to protect patient safety or to enhance public protection.

Safety and Learning

We share information with third parties such as our legal panel, police, NHS Counter Fraud Authority, the Department of Health and Social Care or other government departments, regulatory and/or other public authorities, to comply with legal obligations or where this is otherwise necessary and it is lawful to do so, including disclosures made to protect patient safety or to enhance public protection.

We do compile and publish research and statistics relating to Safety and Learning. This can be in the form of aggregated data – where we use anonymised data this is in line with the Information Commissioner’s Anonymisation Code of Practice.

Where we publish case stories that identify an individual, the individual will be fully informed and would have to consent to sharing any identifiable data before any personal data is shared with the public.

Human Resources (HR) and Organisational Development (OD)

We share information with third parties such as:

  • SBS: Our payroll provider, to update employee pay and tax records as required by Her Majesty’s Revenue and Customs (HMRC) and for pension administration purposes.
  • Sugarman: Our Occupational Health Provider for pre-employment screening and employee referrals to support health and wellbeing.
  • Way With Words: The provider who transcribes the audio files of formal meetings and hearings to obtain full verbatim notes in line with our policies and procedures.

You may also choose to access a number of staff benefits during your employment with NHS Resolution. Should you choose to access such benefits we will be required to share your information with the third party organisations, which currently include Edenred (for childcare vouchers), Tastecard, HASSRA and Specsavers (eye care vouchers).

Where we are asked to share personal data, and where possible, we anonymise the data in line with the Information Commissioner’s Anonymisation Code of Practice.

Membership and Stakeholder Engagement

We share information with third parties such as our legal panel in order to organise training and event activities.

We do compile and publish research and statistics relating to the annual report and accounts, the business plan, our five year strategy, and reports on claims related harm and learning we want to share across healthcare. Where we use personal data we anonymise the data in line with the Information Commissioner’s Anonymisation Code of Practice or use illustrative examples which are drawn from multiple cases.

The lawful basis for processing your data

Claims Management

For all of the processing of personal data undertaken by Claims Management, the lawful basis for processing is:

  • Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity (Article 9(2)(f)). This lawful basis is relied on where data is processed for the purpose of handling claims, and general claims management.
  • Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 9(2)(g)). This lawful basis is relied on where data is processed in connection with the discharge of our functions and the functions of our members.
  • Processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services (Article 9(2)(h)). This lawful basis is relied on where data is processed in connection with the claims and general claims management, as well as our safety and learning functions.
  • Processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Article 9(2)(j)). This lawful basis is relied on where data is processed in connection with our safety and learning functions.

Practitioner Performance Advice

For all of the processing of personal data undertaken by Practitioner Performance Advice, the lawful basis for processing is as follows:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we have to process special categories of personal data, there are three justifications depending on the circumstances (please contact the Data Protection Officer for more information):

  • Processing is necessary for reasons of substantial public interest.
  • Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, the management of health or social care systems on the basis of Union or Member State law.
  • Processing is necessary for reasons of public interest in the area of public health such as ensuring high standards of quality and safety of healthcare, on the basis of Union or Member State law which protects the rights and freedoms of the data subject, in particular professional secrecy.

Primary Care Appeals

For all of the processing of personal data undertaken by Primary Care Appeals, the lawful basis for processing is:

  • It is necessary for compliance with a legal obligation
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Safety and Learning

For all of the processing of personal data undertaken, the lawful basis for processing is:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Where we have to process special categories of personal data, the lawful basis for processing is:

  • Processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Human Resources (HR) and Organisational Development (OD)

For all of the processing of personal data undertaken, the lawful basis for processing is:

  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Consent

Where we have to process special categories of personal data, the lawful basis for processing is:

  • Necessary for the carrying out of obligations under employment
  • Explicit consent

Membership and Stakeholder Engagement

For all of the processing of personal data undertaken, the lawful basis for processing is:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and
  • Consent

Where we have to process special categories of personal data, the lawful basis for processing is:

  • Explicit consent

Processing data outside of the European Economic Area

In some cases we process your personal data outside the European Economic Area (EEA), where countries may not have laws which protect your personal data to the same extent as in the EEA.
We are obliged to ensure that your personal data is processed securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this privacy notice.
If we transfer your personal data outside the EEA, we review and risk assess the data transfer and the third party organisation that will be processing your personal data to ensure adequate measures are in place to keep your personal data secure. This includes having appropriate contractual clauses and ensuring that we only work with organisations that are registered on the Privacy Shield.
https://www.privacyshield.gov/welcome
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our Data Protection Officer if you would like more information about the safeguards we have in place.

Your rights

By law you have a number of rights when it comes to your personal data. However, some rights are only triggered where we are relying on a particular lawful basis when processing your data.

This is shown in the table below. Please be aware that, as stated above, we only rely on the public task condition when processing personal data.

The table below outlines what right you have, what these rights mean and whether the right applies to this processing. More information about your rights is available on the Information Commissioner’s website.

How we protect your data

We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information as appropriate to the nature of the information concerned.
We have in place a framework of policies and procedures that includes all legal, physical and technical controls involved in our information risk management processes. To demonstrate this, we are ISO 27001 certified. In addition, we have a Cyber Essentials Plus certificate, verifying that our IT is suitably secure.
Furthermore, we are required to annually complete and publish the Data Security and Protection Toolkit (previously known as the Information Governance (IG) Toolkit).
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

What data breach procedures do we have in place?

We follow the Department of Health and Social Care guidance for reporting, managing and investigating IG and Cyber incidents, and we report incidents and near misses on the Data Security and Protection Toolkit.
It is important that the relevant authorities and individuals are made aware at the earliest opportunity should a serious incident occur. The NHS has an established culture of informing the Information Commissioner’s Office of all data breaches that meet specific requirements.

The right to lodge a complaint with your local supervisory authority

You have the right to lodge a complaint about the way we handle or process your personal data with a supervisory authority.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
The supervisory authority for the UK is the Information Commissioner.
https://ico.org.uk/

Our data protection officer contact details

For any questions or queries about how we are handling your data, the Data Protection Officer for NHS Resolution is Tinku Mitra, whose contact details are shown below:
Email: Information.Governance@resolution.nhs.uk
Telephone: 0207 811 2806

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website. Please check back frequently to see any updates.

Page last updated on: