This notice is provided in compliance with the General Data Protection Regulation 2018. It relates to the use of personally identifiable information the context of research conducted in the National Perinatal Epidemiology Unit.
'MBRRACE-UK' is the collaboration appointed by the Healthcare Quality Improvement Partnership (HQIP) to run the national Maternal, Newborn and Infant clinical Outcome Review Programme (MNI-CORP) which continues the national programme of work conducting surveillance and investigating the causes of maternal deaths, stillbirths and infant deaths. HQIP commissions this work on behalf of NHS England, NHS Wales, the Health and Social Care Division of the Scottish government, the Department of Health, Social Services and Public Safety, Northern Ireland (DHSSPS), the States of Jersey, Guernsey, and the Isle of Man. The MBRRACE-UK collaboration is led from the National Perinatal Epidemiology Unit in the Nuffield Department of Population Health at the University of Oxford.
The aim of the MNI-CORP MBRRACE-UK programme is to provide robust national information to support the delivery of safe, equitable, high quality, patient-centred maternal, newborn and infant health services.
Who is responsible for the data we collect?
Under the General Data Protection Regulation the 'data controller' is responsible for what happens to data which is collected. The Healthcare Quality Improvement Partnership commissions the MNI-CORP programme in England on behalf of NHS England and NHS Wales. HQIP and NHS England are joint data controllers for data relating to England and English residents. HQIP and Digital Health and Care Wales (DHCW) are joint data controllers for data relating to Wales and Welsh residents. HQIP and the Scottish Government are the independent data controllers for data relating to Scotland and Scottish residents. For the rest of the UK HQIP is the data controller. MBRRACE-UK acts as the 'data processor'. The data processing is carried out by the MBRRACE-UK teams who are based in the NPEU at the University of Oxford and the MBRRACE-UK team at the University of Leicester.
Personal data we collect about individuals for the MBRRACE-UK programme and how we use it
We collect information about all mothers in the UK and British Crown Dependencies (BCDs) who die during pregnancy or up to one year after the end of pregnancy. We also collect information about all babies who die either during pregnancy (from 22 weeks gestation onwards) and babies who are born alive who die before they are a month old; this involves collecting information about their mother as well. We use this information to look at the rates of maternal and baby deaths. To do this we also use information about all mothers giving birth and all babies born in the UK and BCDs.
We also carry out confidential enquiries to look at the quality of care that was provided to mothers and babies and identify where improvements in care might make a difference to future mothers, babies and families. As well as confidential enquiries where the mother and or baby die we also carry out confidential enquiries where the mother and/or baby was very ill from particular very serious conditions but recovered.
When we are carrying out this work we use personal identifying data, for example, name, address, and NHS number of mothers and babies. This information is only used for particular purposes and importantly, this information is only made available to specified individuals in the MBRRACE-UK team on a 'need to know' basis. For example the members of the research team who carry out the data analysis are not given access to the identifying data.
The information we use comes from hospitals around the UK and the BCDs. By law each of these organisations is required to display a privacy notice giving details about how they use the information that they collect including how they share information with organisations such as MBRRACE-UK. Hospitals display these notices on their website.
As a research unit within the university we use personally-identifiable information to conduct research to improve health, health care and health services. As a publicly-funded organisation, we have to ensure that it is in the public interest when we use personally-identifiable information in our research. Health and care research should serve the public interest, which means that before we are able to access to the personal identifiable information which is listed above we have to demonstrate that our research serves the interests of society as a whole.
Legal basis for the collection and processing of information
The legal basis under which we process personal data is Article 6(1)(e) of the General Data Protection Regulation (GDPR), which is processing necessary for the performance of task carried out in the public interest.
The legal basis under which we process special category data is Article 9(2)(i) of GDPR, where processing is necessary for reasons of public interest in the area of public health including ensuring high standards of quality and safety of health care.
The legal basis under which we process special category data under the Data Protection Act 2018 is Schedule 1(1)(3)'public health' underpinned by the Health and Social Care Act 2012 Part 1 section 2.
In England and Wales we collect confidential patient information (including identifiable information) without consent with Secretary of State approval following an application to the Confidentiality Advisory Group (CAG) of the Health Research Authority under s251 of the NHS Act 2006 (England and Wales) which sets aside the common law duty of confidentiality (15/CAG/0119).
In Scotland the test of public interest is applied by the Public Benefit and Privacy Panel for Health and Social Care (Scotland) (PBPP). We have approval from PBPP (reference 1920-0288) for processing confidential patient information in Scotland.
We do not receive identifiable information from Northern Ireland except with consent.
How long we keep personal data for
The need to keep personally identifiable information in the long term depends upon the individual research study. For the purposes of MBRRACE-UK we keep the data long enough to enable us to monitor trends over time. We currently hold identifiable information relating to births, and maternal and baby deaths from 2009 onwards.
How we protect data
We ensure that we protect personal identifiable data against unauthorised access, unlawful use, accidental loss, corruption or destruction. To do this we use 'technical measures' such as encryption and passwords to protect the individual datasets as well as the systems the datasets are held in. We also use 'operational measures' to protect the data, for example, by limiting the number of people who have access to the databases in which identifiable data is held.
We keep these security measures under review and refer to University Security Policies to keep up to date with current best practice. Read the University's data protection policy.
Sharing MBRRACE-UK data
Personal identifiable data which is collected and managed by the MBRRACE-UK collaboration will not be shared with anyone else unless this is required as part of the conduct of the MNI-CORP programme or there is special permission in place to do this.
Anonymised data (from which individuals cannot be identified) may be shared with other research groups who are doing similar research. The data which is shared in these circumstances will not include any information to enable individuals to be identified and the data will not be combined with any other information in a way that could lead to individuals being identified. Any information shared will only be used for the purpose of health and care research, and will not be used to contact individuals or to affect their care.
As a data controller, HQIP can authorise the sharing of MBRRACE-UK data for the purpose of quality improvement, including research, service evaluation, and audit, if certain conditions are met and depending upon permissions in place for each project. Eligible third parties can submit a data access request for MBRRACE-UK data to HQIP in accordance with the Data Access Requests process available here: Data access requests – HQIP.
The rights of individuals
The rights of individuals to access, change or move their information are limited, as we need to manage information in specific ways in order for the research we carry out to be reliable and accurate. Individuals involved in any study we conduct do however, have the right to withdraw from the study. If this happens we will keep the information that we have already obtained. To safeguard an individual's rights, we will use the minimum personally-identifiable information possible.
National Data Opt-Out
MBRRACE-UK has received a formal approval from CAG to enable the National Data Opt-Out for England to be waived. Individuals are still able to individually request that their personal data relating to stillbirths are deleted and we honour these individual requests.
The individuals whose data we hold have the right to complain. If you are one of those individuals and you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer, email@example.com who will investigate the matter. Alternatively, you can direct your complaint to HQIP as the data controller for the programme by emailing firstname.lastname@example.org.
If you live in the UK and are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner's Office (ICO). The ICO has separate offices in Wales, Scotland and Northern Ireland.
If you live on the Isle of Man you can complain to the Isle of Man Information Commissioner. If you live in Jersey you can complain to the Jersey Office of the Information Commissioner. If you live in Guernsey you can complain to the Office for the Data Protection Authority.
- More information about the work of MBRRACE-UK.
- More information specifically for parents.
- More information about why we collect identifiable information.
- More information about the additional research we carry out using MBRRACE-UK data.
If you would like to contact us directly for more information about how we use and protect data collected for research conducted at the NPEU, please email Professor Jenny Kurinczuk, Director, National Perinatal Epidemiology Unit at: email@example.com