How we use your data

Your data

More detailed information on what data we collect, how we collect it, how we use it, how long we hold data for and who we share it with can be found on our privacy policy pages:

How long we keep your personal data

To determine how long we keep your personal data, we follow the NHS Records Management Code of Practice. You can find information about our retention schedules in our Records Management Policy – this document outlines how long we keep specific information.

Who we share your personal data with

Significant concerns

Our commitment to supporting patient safety and public protection.

As an NHS body, patient safety and public protection are our paramount concerns and, like other NHS organisations, we are obliged to act when we identify ongoing risks.  On very rare occasions, we may identify a significant concern and have a duty to share information externally, for example, with other NHS bodies or those with responsibility for regulation within the healthcare system.  This would happen if we see activity that potentially has caused significant harm or puts individuals at significant risk because of unsafe clinical practice or conduct that severely compromises the effective delivery of services.

In line with NHS Resolution’s strategy, we have strengthened our arrangements to respond to those rare situations, with the establishment of a framework for managing such concerns.  While we expect the users of our services to identify and act upon patient safety concerns in line with their local governance arrangements, if we have significant ongoing concerns, we may need to take steps to support the reduction of risk of harm or further harm.  Our approach to this work is evolving, and we will keep these arrangements under review.

The following documents set out our current framework:

Data sharing with the Getting It Right First Time Programme (GIRFT) at NHS Improvement

NHS Resolution has been asked to share data from claims reported to us with the Getting It Right First Time Programme, which is hosted by NHS Improvement. The Getting It Right First Time (GIRFT) programme is helping to improve the quality of care within the NHS by reducing unwarranted variations.

The information that will be shared is as follows:

  • Patient age at incident
  • NHS Resolution Claim Reference and Claim ID
  • Sex
  • Description of medical negligence claim including dates of incident, date of case creation (notification), case status and outcome, damages paid, case costs, causes and injury sustained.

The Secretary of State for Health through the Confidential Advisory Group (CAG) has approved the application by NHS Improvement on behalf of GIRFT to access this information and NHS Resolution has carried out its own analysis to determine whether it is lawful to share the information.

If you do not wish to have your claims information included in the programme or have any concerns about the data sharing proposal please contact the Data Protection Officer at NHS Resolution at or by phone on 0207 811 2806.  You may also contact NHS Improvement at  

Processing data outside of the European Economic Area

In some cases we process your personal data outside the European Economic Area (EEA), where countries may not have laws which protect your personal data to the same extent as in the EEA.
We are obliged to ensure that your personal data is processed securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this privacy notice.
If we transfer your personal data outside the EEA, we review and risk assess the data transfer and the third party organisation that will be processing your personal data to ensure adequate measures are in place to keep your personal data secure. This includes having appropriate contractual clauses and ensuring that we only work with organisations that are registered on the Privacy Shield.
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our Data Protection Officer if you would like more information about the safeguards we have in place.

Your rights

By law you have a number of rights when it comes to your personal data. However, some rights are only triggered where we are relying on a particular lawful basis when processing your data.

This is shown in the table below. Please be aware that, as stated above, we only rely on the public task condition when processing personal data.

The table below outlines what rights you have, what these rights mean and whether each right applies to this processing. More information about your rights is available on the Information Commissioner’s website.

How we protect your data

We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information as appropriate to the nature of the information concerned.
We have in place a framework of policies and procedures that includes all legal, physical and technical controls involved in our information risk management processes – to demonstrate this we are ISO 27001 certified. In addition, we hold a Cyber Essentials Plus certificate, verifying that our IT is suitably secure.
Furthermore, we are required to annually complete and publish the Data Security and Protection Toolkit (previously known as the Information Governance (IG) Toolkit).
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

What data breach procedures do we have in place?

We follow the Department of Health and Social Care guidance for reporting, managing and investigating IG and Cyber incidents, and we report incidents and near misses on the Data Security and Protection Toolkit.
It is important that the relevant authorities and individuals are made aware at the earliest opportunity should a serious incident occur – the NHS has an established culture of informing the Information Commissioner’s Office of all data breaches that meet specific requirements.

The right to lodge a complaint with your local supervisory authority

You have the right to lodge a complaint about the way we handle or process your personal data with a supervisory authority.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
The supervisory authority for the UK is the Information Commissioner.

Our data protection officer contact details

For any questions or queries about how we are handling your data, the Data Protection Officer for NHS Resolution is Tinku Mitra, whose contact details are shown below:
Telephone: 0207 811 2806

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website. Please check back frequently to see any updates.
