What data do we collect?
We collect the following information, in some cases we will not collect all of the information outlined below, only the information we need to know:
- *Claimants/*patients: contact details, name, gender, date of birth, date of death, occupation, National Insurance number, incident date, information concerning your physical or mental health or condition (this includes your medical records), details about your care, information concerning your involvement in the situation which is the subject of the claim, complaints correspondence, financial information in relation to your claim (including your bank details) and all of the previous categories of information for any injured party who is being represented by a litigation friend.
- Scheme beneficiaries and those working for them: contact details, employment status, professional details, information concerning your care of a patient, formal statements, incidents or accident reports, information concerning your handling of a claim, information concerning your medical defence organisation membership (where applicable).
- Other parties, or potential other parties to claims and their employees (i.e. those who may also be responsible for an injured party’s injuries): contact details, employment status, professional details, information concerning your potential responsibility for a Claimant’s injury, and insurance/indemnity arrangements.
- Witnesses: contact details, information concerning your involvement in the situation which is the subject of the claim.
- Experts: contact details, your opinions concerning a claim, financial information in relation to your fees.
- Service providers (lawyers, barristers, mediators): contact details, information concerning your involvement in the handling of a claim, financial information in relation to your fees, your opinions concerning a claim.
*For the purposes of this notice, “Claim” means any actual or potential tortious liabilities covered under any NHS Resolution schemes. “Claimant” includes anyone pursuing a Claim including deceased patients on behalf of whom Claims are made.
How we use personal data
We use this information to ensure that claims made against the NHS are handled fairly and consistently, and to support the NHS to learn from things that have gone wrong to improve patient and staff safety, with due regard to the interests of both claimants and the NHS. We seek to settle justified claims fairly and efficiently and to defend unjustified claims robustly.
We also use claims information for the purposes of internal training and the auditing of our claims management function.
We are a member of the Claims and Underwriting Exchange Personal Injury (CUE PI) database. If a non-clinical claim is brought against one of our members, personal information about the injured party and the reason for the claim will be shared with the CUE PI database. We may run enquiry or fraud checks through the CUE PI database to allow us to effectively manage claims.
We may run identity checks against open source data sets to check that information provided by claimants or their representatives is accurate.
We may run checks against mortality data sets on injured parties in order to effectively manage claims that have been settled by way of a structured settlement or periodical payment agreement.
We will pass information to our panel of law firms who are under contract to us to manage claims on our behalf. They may in turn arrange to provide information to experts and other parties to assist the management of the claim.
In some cases, we may ask our panel of law firms and/or private investigators to provide reports on people who bring claims against our members or beneficiaries of our schemes. Such reports are to assist with the process of effectively validating claims. The compiling of the report may include running checks against various data sources such as but not limited to, publicly available open source data, social media websites, personal and motor and business databases.
We authorise surveillance conducted by private investigators in accordance with our Surveillance Protocol.
We will also use claims information to ensure that we can provide accurate forecasting of trends, and to calculate contributions for members.
We make information about claims and incidents reported available to the NHS ‘Getting It Right First Time’ programme, which is hosted by NHS Improvement, for the purposes of learning from incidents. This has been approved by the Confidentiality Advisory Group of the Health Research Authority. This information is handled sensitively and in conditions of confidence. You can find out more about the programme and the information it uses by visiting their website or letting us know if you would like more information about this.
We also use claims information to enable staff and patients to learn from claims. We do this by feeding back to members, or through publications of themes or illustrative case stories.
NHS Resolution provides expertise to the NHS on resolving concerns and disputes fairly, shares learning to enable organisation wide improvement and to preserve valuable resources for patient care. We hold a wealth of historic data on claims and utilise AI based technologies such as machine learning and Natural Language processing to help us gain, share insights and valuable data around the causes and impacts of harm. NHS Resolution does not utilise such automated technologies for decision-making purposes in relation to individuals.
How we collect your data
Where we do not collect the data directly from you (the data subject) the data will have been obtained from your legal representative or other external sources such as NHS trusts, medico-legal experts, defence solicitors or barristers.
How long we keep your personal data
In order to determine how long we keep your personal data, we follow the NHS Records Management Code of Practice. You can find information about our retention schedules in our Records Management Policy – this document will outline the duration that we keep specific information for.
The Claims Management service specifically holds information for claimants for 75 years. We have considered the justification for the current retention period – the rationale for retaining personal data includes:
- Informing pricing for our members of our Indemnity Schemes
- Analysis of long term trends to help reduce the high cost of claims
- Acting as a single corporate memory for the NHS
- Settled claims with periodical payments requires retention for the lifetime of the individual
- Requirements to hold information for Public Inquiries
- Requirements by Department of Health and Social Care to retain data
Who we share your personal data with
We share information with third parties such as our legal panel, police, actuarial services, NHS Counter Fraud Authority, the Department of Health and Social Care. or other government departments, regulatory and/or other public authorities, to comply with legal obligations or where this is otherwise necessary and it is lawful to do so, including disclosures made to protect patient safety or to enhance public protection.
We do compile and publish research and statistics relating to claims, although this is in the form of anonymised or aggregated data.
The lawful basis for processing your data
For all of the processing of personal data undertaken by Claims Management, the lawful basis for processing is:
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) – this task is conferred on us by the National Health Service (Clinical Negligence Scheme) Regulations 2015 and National Health Service (Clinical Negligence Scheme for General Practice) Regulations 2019
Where we have to process special categories of personal data, the lawful basis is:
- Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity (Article 9(2)(f)). This lawful basis is relied on where data is processed for the purpose of handling claims, and general claims management,
- Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 9(2)(g) and paragraph 6 of Schedule 1 to the Data Protection Act 2018). This lawful basis is relied on where data is processed in connection with the discharge of our functions and the functions of our members.
- Processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services (Article 9(2)(h) and paragraph 2 of Schedule 1 to the Data Protection Act 2018). This lawful basis is relied on where data is processed in connection with the claims and general claims management, as well as our safety and learning functions.
- Processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Article 9(2)(j) and paragraph 3 of Schedule 1 to the Data Protection Act 2018). This lawful basis is relied on where data is processed in connection with our safety and learning functions.
- NHS Resolution and its staff are subject to the same obligations of confidentiality as apply to all staff employed by the NHS.
Page last updated on: