British Heart Foundation

   British Heart Foundation (BHF) National Audit of Cardiac Rehabilitation

NHS Digital


Patient Information



NHS Digital collect data on behalf of the University of York for the National Audit of Cardiac Rehabilitation (NACR). This data is then securely transferred to the University of York but all personal identifiers are removed. The University of York cannot identify individuals and are unable to link to other datasets.

The information collected includes medical history, patient demographics, smoking, physical activity and mental and physical well-being measures.

Data is gathered by clinicians and by purpose-designed questionnaires. Most patients complete a questionnaire before and immediately after rehabilitation with some entering data at 12 months after attending rehabilitation. The staff of the programmes distribute the questionnaires themselves, receive the replies, and submit the data to the NHS Digital / NACR Database.

NHS Digital processes personal data collected from providers of health care. This includes information about the diagnosis, treatment received, postcode and date of birth. It also includes NHS number which is used by NHS Digital to link data from several sources.

What is the purpose of the study?

NACR is a national audit based at the University of York in the Department of Health Sciences, funded by the British Heart Foundation and hosted by the University of York. It collects comprehensive audit data used to quality assure programmes, support improvement and monitoring of cardiac rehabilitation services in terms of their uptake, quality and clinical outcomes. NACR's remit is to support clinical cardiac rehabilitation teams in auditing their service, under the guidance of a National Steering Committee which includes clinical and patient representatives.

NACR use the data to produce annual reports and ad hoc reports by request for individual programmes. Programmes can also view and download their data for local analyses. NACR runs a joint National Certification Programme for CR with the British Association of Cardiovascular Prevention and Rehabilitation where programmes are assessed on seven standards. It also informs research papers submitted to journals.

Where do we get your data from?

Data is collected routinely as part of your care whilst accessing the Cardiac Rehabilitation service. After data collection clinical teams use the secure online system which is hosted by NHS Digital. Data comes from a combination of information obtained via clinical input / rehab sessions, and assessment Questionnaires.

For the purposes of this privacy notice, University of York is the Data Controller as defined in the General Data Protection Regulation. We are registered with the Information Commissioner's Office. Our registration number is Z4855807.

What data do we have?

We hold medical information about you, but we don't hold any identifying details, so it is not possible to identify you from this information.

Do I have to take part?

This is completely voluntary and patients can Opt-out at any time and this will not affect treatment in any way. The NHS has an Opt-out policy which NHS Digital and NACR follow.

For more detail see:

What is our legal basis for processing your data?

Under the General Data Protection Regulation (GDPR), the University has to identify a legal basis for processing personal data and, where appropriate, an additional condition for processing special category data.

In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR:

Processing is necessary for the performance of a task carried out in the public interest

Special category data is processed under Article 9 (2) (j):

Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes

Research will only be undertaken where there is a clear public interest and where appropriate safeguards have been put in place to protect data.

In line with ethical expectations and in order to comply with common law duty of confidentiality, we will seek your consent to participate where appropriate. This consent will not, however, be our legal basis for processing your data under the GDPR.

How do we use your data?

Data will be processed for the purposes of research, to audit and improve care in Cardiac Rehabilitation, as outlined in the Background and Purpose sections of this Notice.

Who do we share your data with?

Data will be accessible to the NACR team at York and the Cardiac Rehabilitation programmes.

How do we keep your data secure?

The University will put in place appropriate technical and organisational measures to protect your personal data and/or special category data. For the purposes of this project the data will be stored on a secure server and will be restricted to members of the NACR team only.

Information will be treated confidentially and shared on a need-to-know basis only. The University is committed to the principle of data protection by design and default and will collect the minimum amount of data necessary for the NACR project.

How do we transfer your data safely internationally?

Data will be held within the European Economic Area.

Will you be identified in any research outputs?

No. York does not receive any personal identifiers of participants.

How long will we keep your data?

All data submitted to the NHS Digital Clinical Audit Platform database will be retained for the duration of the audit and for a minimum of 5 years after closure.

It is important for healthcare changes to be monitored over time to ensure that Cardiac Rehabilitation programmes are continuing to align their services with the needs of patients.

What rights do you have in relation to your data?

Under the GDPR, you have a general right of access to your data, a right to rectification, erasure, restriction, objection or portability. You also have a right to withdrawal. Please note, not all rights apply where data is processed purely for research purposes. For further information see,

Questions or concerns

If you have any questions about the NACR project or concerns about how your data is being processed, please contact Professor Patrick Doherty, Professor of Cardiovascular Health, Department of Health Sciences (email: in the first instance. If you are still dissatisfied, please contact the University's Data Protection Officer at

Right to complain

If you are unhappy with the way in which the University has handled your personal data, we ask that you get in touch with us in the first instance, to allow us to resolve your concern. If you are unhappy with our response, you have a right to complain to the Information Commissioner's Office. For information on reporting a concern to the Information Commissioner's Office, see

 The University of York