British Heart Foundation

   British Heart Foundation (BHF) National Audit of Cardiac Rehabilitation

NHS Digital


Patient Information

Privacy Notice (How we use patient information)

National Audit of Cardiac Rehabilitation (NACR)

National Audit of Cardiac Rehabilitation is the Data Controller verified by NHS Digital. Our address is:

Department of Health Sciences
University of York
York Y010 5DD

How to contact us

Please contact us if you have any questions about our privacy notice or information that we may hold about you:

Tel: 01904 321326

What level of data is collected?

The information collected includes medical history, patient demographics, smoking, physical activity and mental and physical well-being measures and is either entered manually into the NHS Digital /NACR secure online portal or alternatively, data files of records for multiple patients are uploaded directly via NHS Digital.

Data is gathered by clinicians and by purpose-designed questionnaires. Most patients complete a questionnaire before and immediately after rehabilitation with some entering data at 12 months after attending rehabilitation. The staff of the programmes distribute the questionnaires themselves, receive the replies, and submit the data to the NACR Database.

NHS Digital processes personal data collected from providers of health care on our behalf. This includes information about the diagnosis, treatment received, postcode and date of birth. It also includes NHS number which is used by NHS Digital to link data from several sources.

NACR does not receive or process data that identifies individuals directly. This is not necessary for our purposes. We only receive link-anonymised data which we, NACR, are unable to link to other datasets.

How is the data categorised by the GDPR?

For GDPR purposes the data is categorised as personal.

Where is the data collected from?

Data collection occurs through clinical teams using the secure online system which is hosted by NHS Digital. Data comes from a combination of information obtained via clinical input / rehab sessions, and assessment Questionnaires.

The NACR only holds link-anonymised data with no personal identifiers as per agreement with NHS Digital. This process is checked annually by the NACR Project Lead and the Director of the NACR.

The purposes for which the data is processed

The NACR is a national audit, funded by the British Heart Foundation and hosted by the University of York. It collects comprehensive audit data used to quality assure programmes, support improvement and monitoring of cardiac rehabilitation services in terms of their uptake, quality and clinical outcomes. The NACR Team is based at the University of York in the Department of Health Sciences with a remit to support clinical cardiac rehabilitation teams in auditing their service, under the guidance of a National Steering Committee which includes clinical and patient representatives.

NACR use the data to produce annual reports and ad hoc reports by request for individual programmes. Programmes can also view and download their data for local analyses. NACR runs a joint National Certification Programme for CR with the British Association of Cardiovascular Prevention and Rehabilitation where programmes are assessed on seven standards. Summarised data entered on NACR is used for this purpose. It also informs research papers submitted to journals.

The legal basis of the processing

As a national audit of NHS services the NACR is approved to collect data for the purpose of quality assuring services delivery, evaluating patient benefit and promoting service improvement. In England and Wales, the NACR also operates under 251 exemptions through NHS Digital which removes the requirement of individual patient consent. This is reviewed annually by NHS Digital.

NACR operates under Article 6: EU GDPR "Lawfulness of processing"
1. Processing shall be lawful only if and to the extent that at least one of the following applies: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

And under Article 9: EU GDPR "Processing of special categories of personal data" 2(h)
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Who the data is shared with?

The data is only seen by the staff who collect the information at the Cardiac Rehabilitation programme and staff at NHS Digital if necessary. Staff of the National Audit in York see the same information but with personal identifiers removed (name/NHS number/date of birth/address) and are unable to identify individuals.

The period for which the personal data will be stored?

All data submitted to the NHS Digital Clinical Audit Platform database will be retained for the duration of the audit and for a minimum of 5 years after closure.

It is important for healthcare changes to be monitored over time to ensure that Cardiac Rehabilitation programmes are continuing to align their services with the needs of patients.

The right to request from NHS Digital access to and rectification or erasure of the personal data >p> NACR, as data controller, are unable to identify individual patient records as no personal information is received by the team. However, you have the right to request that processing of personal data is restricted if, for example, you contest the accuracy. You also have the right to access or erasure of your personal data from NHS Digital.

The right to withdraw consent or opt out at any time

This is completely voluntary and patients can Opt-out at any time and this will not affect treatment in any way. The NHS has an Opt-out policy which NHS Digital and NACR follow.

For more detail see:

Right to complain to the Data Controller

You have the right to complain to the Data Controller, who is the Project Lead, if you are not happy with any aspect of NACR's processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Project Lead are:

Professor Patrick Doherty
Professor of Cardiovascular Health
Department of Health Sciences
University of York
York Y010 5DD

 The University of York