NHS Digital Data Release Register - reformatted

Nec Software Solutions Uk Limited projects

• National Joint Registry Annual Extract 2020
• Neurosurgical National Audit Programme (NNAP)
• Beyond Compliance

47 data files in total were disseminated unsafely (information about files used safely is missing for TRE/"system access" projects).

---

🚩 Nec Software Solutions Uk Limited was sent multiple files from the same dataset, in the same month, both with optouts respected and with optouts ignored. Nec Software Solutions Uk Limited may not have compared the two files, but the identifiers are consistent between datasets, and outside of a good TRE NHS Digital can not know what recipients actually do.

National Joint Registry Annual Extract 2020 — DARS-NIC-07289-G8J6C

Type of data: information not disclosed for TRE projects

Opt outs honoured: Yes - patient objections upheld, Identifiable, Anonymised - ICO Code Compliant, Yes, No (Section 251, Section 251 NHS Act 2006, Mixture of confidential data flow(s) with consent and flow(s) with support under section 251 NHS Act 2006)

Legal basis: Section 251 approval is in place for the flow of identifiable data, Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012), Health and Social Care Act 2012 – s261(7), National Health Service Act 2006 - s251 - 'Control of patient information'. , Health and Social Care Act 2012 – s261(7); National Health Service Act 2006 - s251 - 'Control of patient information'., Health and Social Care Act 2012 – s261(2)(c); Health and Social Care Act 2012 – s261(7); National Health Service Act 2006 - s251 - 'Control of patient information'., Health and Social Care Act 2012 – s261(2)(c); Health and Social Care Act 2012 – s261(7), Health and Social Care Act 2012 - s261(5)(d); Health and Social Care Act 2012 – s261(2)(c); National Health Service Act 2006 - s251 - 'Control of patient information'.

Purposes: No, Yes (Supplier, Commercial)

Sensitive: Sensitive, and Non-Sensitive

When:DSA runs 2020-01-01 — 2020-12-31 2017.12 — 2023.12.

Access method: One-Off

Data-controller type: HEALTHCARE QUALITY IMPROVEMENT PARTNERSHIP (HQIP), NHS ENGLAND (QUARRY HOUSE)

Sublicensing allowed: No, Yes

Datasets:

1. Hospital Episode Statistics Admitted Patient Care
2. Office for National Statistics Mortality Data
3. Bridge file: Hospital Episode Statistics to Mortality Data from the Office of National Statistics
4. Patient Reported Outcome Measures (Linkable to HES)
5. HES:Civil Registration (Deaths) bridge
6. Civil Registration - Deaths
7. Civil Registration (Deaths) - Secondary Care Cut
8. HES-ID to MPS-ID HES Admitted Patient Care
9. Civil Registrations of Death - Secondary Care Cut
10. Hospital Episode Statistics Admitted Patient Care (HES APC)

Objectives:

The NJR was established in 2002 by the Department of Health following a National Audit Office (NAO) report into the higher than expected failure rate of the 3M hip replacement device. The NAO report concluded that, had a national register of hip replacements been in existence, the failure rate would have been detected earlier. Earlier identification would have meant less patients were affected and the costs of revision surgery for the NHS would have been considerably less. The NJR went live in April 2003. Since its establishment, the responsibility for delivering the NJR has passed to HQIP who are contracted by the Department of Health to deliver the National Clinical Audit and Outcomes Programme (NCAPOP). The NJR is an audit within NCAPOP.

HQIP acts as the data controller for the NJR and contracts to two other organisations for the delivery of the programme, both of which are data processors:

• Northgate Public Services (NPS) is responsible for the NJR’s data collection and processing activities, including data storage and the provision of stakeholder reporting services.

• The University of Bristol (UoB)is also a data processor with responsibilities for statistical analysis and reporting.
HQIP, as the data controller, has no access to the record level data. Northgate has access to record level data, including patient identifiers, in order to link the data provided to patient records held by the NJR. The linked dataset is pseudo-anonymised by NPS before it is made available to the statistical analysis team at the UoB. Although the UoB team has access to record level data, it does not have access to patient identifiers.

The work undertaken by the NJR is to monitor the outcomes of hip, knee, shoulder, ankle, and elbow joint replacement surgery with regards to the performance of devices, surgical teams, and Trusts and hospitals. The monitoring is necessary to ensure patient safety, improve patient outcomes.

The overall purpose of the NJR is summarised in its mission statement:

‘The purpose of the National Joint Registry for England, Wales, Northern Ireland, and the Isle of Man is to collect high quality and relevant data about joint replacement surgery in order to provide an early warning of issues relating to patient safety. In a continuous drive to improve the quality of outcomes and ensure the quality and cost effectiveness of joint replacement surgery, the NJR will monitor and report on outcomes, and support and enable related research.’

The strategic goals of the NJR are as follows:
• To monitor in real time the outcomes achieved by brand of prosthesis, hospital and surgeon, and highlight where these fall below an expected performance in order to allow prompt investigation and to support follow-up action.
• To inform patients, clinicians, providers and commissioners of healthcare, regulators and implant suppliers of the outcomes achieved in joint replacement surgery.
• To evidence variations in outcome achieved across surgical practice in order to inform best practice.
• To enhance patient awareness of joint replacement outcomes to better inform patient choice and patients’ quality of experience through engagement with patients and patient organisations.
• To support evidence-based purchasing of joint replacement implants for healthcare providers to support quality and cost effectiveness.
• To support suppliers in the routine post-market surveillance of implants and provide information to clinicians, patients, hospital management and the regulatory authorities.

The NJR has been collecting data since 2002 and is an ongoing audit with no planned end date. The NJR’s Steering Committee reviews the NJR’s mission statement and strategic goals annually to ensure that they remain relevant to existing stakeholder priorities, clinical guidance, and legislation.

Data has been supplied to the NJR by NHSD annually from 2006 to 2015. The last data was received in 2015 for data to 31 December 2013.

The NJR requires record level data from HES, PROMs and ONS in order to help it achieve some of its strategic goals. The NJR creates of an annual, linked dataset comprising of data from the NJR, HES, Patient Episode Database Wales (PEDW), PROMs (NHS England programme), and the ONS. This dataset is used primarily for the production of the NJR’s Annual Report, its associated analyses, and in some reporting services provided to stakeholders.

By linking to HES, PROMs and ONS Mortality data, the NJR is able to enhance the quality and type of analyses that it undertakes. The priorities for NJR analyses and research are set by the NJR’s Research Committee and Editorial Board, both of which report to the NJR Steering Committee.
• Linkage to HES data enables the NJR to improve the type and quality of the analyses that it can undertake without having to collect the data itself. Such linkage may be length of stay linked to outcomes or co-morbidities linked to outcomes. The NJR has, for example, published a paper examining the increased risk of cancer to patients who have had hip replacement procedures involving the use of metal on metal bearing surfaces, i.e. the femoral head and the acetabular cup or liner are both made of metal.
• By linking to PROMs outcomes analyses will improve as poor performance will be detected even if the primary joint replacement procedure has not been revised. A patient’s view of the outcome of joint replacement is a key indicator to the reporting of outcomes and provides an additional endpoint in addition to revision and death. Linkage to PROMs and analysis at the record level enables the NJR to monitor the performance of hospitals, surgeons, and individual implants.
• The NJR is required to publish 90 day mortality rates for all those NHS England Trusts undertaking joint replacement surgery in its Annual Clinical Reports to Trusts, the NJR’s Annual Report and as part of the NHS England Clinical Outcomes Programme. This latter information is also re-published by NHS Choices. Date of death and any associated co-morbidities are essential for outcomes analyses and for risk-adjusting mortality analyses.

The data required by the NJR are HES inpatient episodes relating to a defined set of OPCS procedure codes, linked to ONS death data and any pre- or post-operative PROMs data. The data are required to be at the record, i.e. patient, level and to include identifiers so that the data can be linked to data held by the NJR.

This application requests the data for the defined cohort for;
• Records where there is no corresponding record in the NJR.
• Records where a patient has declined consent for the NJR to hold their personal identifiers.
Where ‘No’ is recorded for consent, the NJR data entry system prevents a user from entering personal identifiers so these records cannot, in any case, be included in any linkage activity, but are necessary for patient safety purposes.

This will enable the NJR to continue to improve its analysis and data quality audits, activities which are expressly intended to improve patient outcomes and patient safety.

Data from the Isle of Man and Northern Ireland is sourced from elsewhere and not provided by NHS Digital.

Yielded Benefits:

• Identifying a higher than normal failure rate of hip resurfacing procedures in women over the age of fifty, leading to an immediate change in clinical practice. • Identification of the DePuy ASR hip replacement system as an outlier leading to its immediate withdrawal from the market. • The identification of a higher than normal failure rate of large head, metal on metal, stemmed hip replacements. • Research, using NJR and HES data, looking at the risk of cancer following a metal on metal hip replacement compared to other bearing surfaces and the general population.

Expected Benefits:

The NJR is an ongoing clinical audit which started to collect data in April 2003. It has no specific target date for the delivery of benefits: these are provided on an ongoing basis.

The main benefits associated with the data requested from NHSD are the ability of the NJR to undertake a broader range and type of analyses, and improved monitoring of clinical, patient, and implant-related outcomes by being able to risk-adjust analyses using additional data.

A register, such as the NJR, will only ever collect data such that it can identify potential issues: it may not necessarily be able to determine the cause of those issues. The use of the data provided by NHSD, coupled to other research, enables the NJR to begin the process of identifying the cause of potential issues, e.g does early discharge of patients following joint replacement surgery lead to increases in returns to theatre?

The work undertaken by the NJR is published as widely as possible, including internationally. The outputs may lead to changes in clinical practice which are, ultimately, to the benefit of patients. The financial cost savings to the NHS are through a reduction in the need to undertake revision procedures or certain types of primary procedure. The NJR has already had a number of notable successes:

It is difficult to accurately measure or quantify the benefits arising out of the work of the NJR, but there is evidence to show that its outputs to lead to changes in clinical practice for the benefit of all stakeholders, including patients, Trusts and hospitals, clinicians, suppliers, and the regulatory authorities such as CQC, NICE, and the MHRA. Whilst patient outcomes continue to improve, the NHS is making potential savings through a reduction in the need to undertake as many revision procedures in the future.

Outputs:

The outputs from the use of the data will vary each year, dependent upon the research and analysis priorities set by the NJR’s Research Committee and NJR’s Editorial Board and agreed by the NJR Steering Committee.

a) The main vehicle for publication is the NJR’s Annual Report which is published annually in September. In addition to the Annual Report, a Patient’s Guide to the Annual Report is also published and made available in both hard and electronic copy. The Annual Report and the patients guide can be accessed at http://www.njrreports.org.uk.

b) Additional analyses are undertaken throughout the year and these are published either on the NJR website or in relevant, professional medical journals. To date those journals have included The Lancet, the British Medical Journal, and the Journal of Bone and Joint Surgery. The NJR maintains a dedicated research section on its website and details of planned, approved, completed, and published analysis can be found at: http://www.njrcentre.org.uk/njrcentre/Research/ResearchPortfolio/tabid/313/Default.aspx.

c) The outcomes of analyses are also disseminated at conferences and meetings of professional societies. These include the British Orthopaedic Association, the British Hip Society, the British Association for Surgery of the Knee, the British Elbow and Shoulder Society, and the British Orthopaedic Foot and Ankle Society. The NJR also holds two regional events per year which are aimed at those hospital staff responsible for collecting the data, providing them with an update on the work of the NJR, including its outputs.

d) Some outputs are also published through the NJR’s secure online reporting services. These services include NJR Clinician Feedback and NJR Management Feedback which provide information for clinicians and trust/hospital management respectively.

All outputs are aggregated and small numbers suppressed in line with the HES analysis guide

Processing:

a) Data Flows. Data is provided by NHSD to NPS for a defined set of OPCS procedure codes related to hip, knee, shoulder, elbow, and ankle joint replacement surgery. This data includes record level HES in-patient episode data linked to ONS and PROMs data. The data is stored, encrypted, in NPS’ secure data centre. All processing activities take place on the server, not on client PCs/Laptops.

The data is subsequently linked to NJR data using patient identifiers, principally the NHS number. Once the linked data set has been created, all patient identifiers are removed to create a pseudonymised data set.

The data which is received by the NJR from NHS Digital for the people who have consented "No" to the NJR is destroyed by the NJR once it's identified that they are not able to link them into the registry.

This dataset is encrypted and transferred securely to the UoB who then use the data for analyses as directed by the NJR Steering Committee. All reporting is based on the publication of aggregated data with small numbers being supressed in line with the HES analysis guide: no record-level reports are published.

The data flows have support under Section 251 of the NHS Act 2006.

b) Access to the data. Only three, substantive employees of NPS have access to the data provided by NHSD. Those three individuals work within NPS’ NJR team. That access is for the purposes of linking the data to NJR data and producing an annual, NJR/HES/ONS/PROMs linked dataset. The UoB receive, from NPS, a pseudo-anonymised dataset which is held on a server within the UoB. Based on the requirements of specific analyses, the UoB team will create sub-sets of the data which are for use by the UoB team only. NHSD supplied data is not made available to external researchers or analysts. All individuals requiring access to ONS data are individually identified as part of the application process.

c) What will not happen to the data. The team at the UoB have no requirement to identify individuals in the linked dataset nor will any attempt be made to do so. This would, in any instance, require NPS to provide the identifiers necessary to do so. Subsets of linked data which include data supplied by NHSD will not be made available to third parties without the prior agreement of NHSD. All outputs from use of the data will be based on aggregated data and small numbers suppressed in line with the HES analysis guide.

d) Justification for the data required. In order to accurately determine the outcomes of joint replacement surgery it is necessary to collect as much data as possible over as long a period as possible. For example, data provided from the NJR to the study into the potential increased risk of cancer associated with metal on metal hip replacement had access to a very large cohort of patient data. The conclusions of the study were diametrically different to a similar study that had been published earlier but had only had access to a small set (by comparison) of local data.

In order to ensure as much data as possible is available, national data is required. Deprivation analysis and comparison also requires the collection of national data. It is also necessary for the NJR to collect all available longitudinal data, i.e. all data since the NJR started to collect data in 2003. Although NICE guidance is based on ten year survivorship, it is necessary to look further than ten years when assessing outcomes. Some specific issues may not manifest themselves until some considerable time after implantation. Longitudinal data also enables the NJR to look at changes over time, whether it is changes in patient demographics or comorbidities or the effects of changes in clinical practice.

Only data related to patients with specific joint replacement are requested and these include patient identifiers. The identifiers are necessary to link NHSD supplied data to corresponding NJR records and are removed once the linkage is complete. Patient identifiers are not used in, or available for, any analysis of the linked dataset.

All organisations party to this agreement must comply with the Data Sharing Framework Contract requirements, including those regarding the use (and purposes of that use) by “Personnel” (as defined within the Data Sharing Framework Contract ie: employees, agents and contractors of the Data Recipient who may have access to that data).

No other data processor or storage location can access or share the data, including sub-licencing other than those already noted within the agreement.

ONS and PROMS terms and conditions will be adhered to by all persons accessing the data.

All data previously supplied to the applicant and held by Northgate Public Services has been destroyed as this did not have patient objections applied due to these not being required at the time that data was disseminated. This application will resupply all historical data with objections applied. The pseudo-anonymised data set derived from previously provided data and held by the University of Bristol may be retained.

---

Neurosurgical National Audit Programme (NNAP) — DARS-NIC-233512-B7C4W

Type of data: information not disclosed for TRE projects

Opt outs honoured: No - data flow is not identifiable, Anonymised - ICO Code Compliant, Identifiable, No (Does not include the flow of confidential data)

Legal basis: Health and Social Care Act 2012 – s261(1) and s261(2)(b)(ii), Health and Social Care Act 2012 – s261(1) and s261(2)(b)(ii), Health and Social Care Act 2012 – s261(2)(b)(ii), Health and Social Care Act 2012 – s261(2)(a)

Purposes: No (Supplier, Commercial)

Sensitive: Sensitive, and Non Sensitive, and Non-Sensitive

When:DSA runs 2019-06-30 — 2022-06-29 2019.09 — 2023.07.

Access method: One-Off, Ongoing

Data-controller type: THE SOCIETY OF BRITISH NEUROLOGICAL SURGEONS

Sublicensing allowed: No

Datasets:

1. Hospital Episode Statistics Admitted Patient Care
2. HES:Civil Registration (Deaths) bridge
3. Civil Registration - Deaths
4. Civil Registration (Deaths) - Secondary Care Cut
5. HES-ID to MPS-ID HES Admitted Patient Care
6. Civil Registrations of Death - Secondary Care Cut
7. Hospital Episode Statistics Admitted Patient Care (HES APC)

Objectives:

The Neurosurgical National Audit Programme (NNAP) was established by the Society of British Neurological Surgeons (SBNS) in 2013 as part of a major quality improvement initiative. The programme aims to support neurosurgical units in the UK to improve patient care, outcomes, safety, and experience by providing high quality, robust audit data that is analysed and presented in a consistent and clinically relevant way. Currently the only data available to achieve this is HES data linked to Civil Registration/Mortality data. SBNS has a responsibility to ensure that all twenty four NHS trusts undertaking neurosurgery in England are doing so safely.

The linkage requested is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child) - covered by Article 6 (1)(F) of the GDPR.

The Society of British Neurological Surgeons (SBNS) has established the NNAP to promote improvements in the quality of neurosurgical services and patient care by providing neurosurgical units in the UK and Ireland with a comprehensive audit programme that reflects the full range of elective and emergency neurosurgical activity.

The Society promotes safe and effective Neurosurgical treatment for patients throughout Great Britain and Ireland. The Society has developed and maintains the National Neurosurgical Audit Programme (NNAP), which produces outcome data for all neurosurgical in patients in England. It is also fully engaged with the Getting It Right First Time (GIRFT) project, aiming to improve patient care while reducing costs in all specialities. High standards of professional practice are promoted through the Society's involvement in the education and the examination of Neurosurgeons and through its scientific meetings and associated activities in the continuing professional development of Neurosurgeons and Neurosurgery. Therefore the Society of British Neurosurgeons requires data from NHS Digital the purposes of it's legitimate interests to do the above.

There is evidence from other national audits that the publication of activity and audit data, when carefully analysed and interpreted, leads to improvements in patient outcomes. The SBNS supports the publication of outcome data that will promote the understanding of the range and complexity of neurosurgical services and the steps being taken to improve those services.

NNAP was established to provide both patients and surgeons with information about the outcomes of neurosurgery and surgeon and hospital level information is published annually as part of the Clinical Outcomes Publication (COP). COP is an NHS England initiative designed to increase transparency within the NHS and to provide the public with information on surgical outcomes. This forms only 10% of the overall audit work. Individual consultant and unit level reports may be accessed through this website. Currently, the key indicator is 30- day mortality although additional indicators may be added in the future. The consultant code is essential to enable the publication of information at the surgeon-level.

Consultant neurosurgeons will have secure access to data relating to their own practice. This will enable surgeons to preview and validate the information that is intended for publication on the NNAP COP website.

Surgeons will also be provided with a secure online reporting service, via the NNAP website, that will enable them to review their own clinical practice. Whilst record-level data will be available to surgeons, it will include only that data necessary to enable them to identify the patient in local PAS and/or theatre systems, i.e. date of procedure, procedure type, etc.

The data requested under this agreement is to enable consultants to validate the outcome data relating to the procedures they performed. Consultants nominated by SBNS will have access to data for the purposes of investigating potential outlier performance. The risk-based methodology used to determine performance against the key indicator of mortality will identify potential outlier performance. That surgeon's data will be made available to the investigating surgeon to determine if there is a case to answer and to take any action necessary, i.e. patient pseudo-identifiers will be removed and dates - if required, summarised. However, it is essential that any surgeon whose data indicates outlier performance can be identified using the Consultant Code so that Trust Chief Executives can be informed and a plan for further, local audit and follow-up action can be initiated.

The data published for COP is also required for publication via the Choices website. All data that will be published on public websites will be aggregated with small number suppression applied.

This audit is not commissioned by HQIP but NHS England provided the funding to HQIP to cover the COP work for all clinical audits irrespective of the data controllership. HQIP therefore are only funding the work to produce the COP for this audit. The financial support is for costs of data processing for this work only - not the other 90% of the audit.

The data will also be used for specific analyses to be undertaken at the request of SBNS, the data controller. The results of the analysis will take the form of aggregated data, not record level data. SBNS also receive queries about surgeon and hospital level performance from NHS England and the regulator, Care Quality Commission (CQC). The data will also be used to answer these queries.

The head of SBNS is employed as a neurosurgeon at Leeds NHS FT however access to data will be as a substantive employee of SBNS. There is no access to data or no project team at LTH NHS FT.

Expected Benefits:

The benefits to health care are in the improvement of patient outcomes and patient safety through the ability to identify outlier performance against the key indicator of mortality and the ability for surgeons to assess the outcomes of their own clinical practice by comparing it to the outcomes of their colleagues.

Updated data and information will be provided to patients annually via the NNAP COP website.

Patients will be better informed on the NHS Choices website about procedures undertaken by their consultant.

It is in the legitimate interest of patients that that the quality and effectiveness of their care is being monitored and assessed.

The detection of potential outlier performance will ensure clinical and management review of clinical practice to identify systemic or individual issues to ensure the necessary corrective action is taken. The potential number of patients affected is in the tens of thousands. The cost savings are difficult to quantify. However, savings will be made by reducing the number of repeat, or revision, procedures. This would be achieved by the identification of those procedure types with less good outcomes or using case-mix adjustment to improve patient and procedure selection. Patients are the main beneficiaries of the data processing, as clinicians will be able to monitor the outcomes of surgery and assess their own clinical practice.

Outcomes will be monitored on an annual basis and, as NNAP has already been in existence for three years, the benefits of processing the data will be realised immediately.

Outputs:

The following outputs will be produced.

Website Dashboard and Reports:

One output of NNAP is the COP publication, the date of which changes each year. It is expected that the COP publication will be complete in December of each year, with the data being published on Choices in the following February or March.

The publication will not contain any patient level data - it will only contain aggregated data with small number suppression applied.

Information will also be shared with the Get it Right First Time (GiRFT) programme for publication on the GiRFT dashboard. Again, only aggregated data with small number suppression will be supplied.

All data published on the NNAP website for COP, the GiRFT Dashboad, and Choices will be aggregated data.

Surgeon Validation:

Surgeons taking part in the audit will have access to record level data for the purpose of validating the information due to be published as part of COP. Surgeons will only have access to those procedures where they are indicated as 'Consultant' - as indicated by the CONSULT field in the HES product.

Reports. Ad Hoc reports will be made available to NHS England, NHS Improvement and other NHS bodies as requested. These reports will be based on aggregated data and normally at Trust or Hospital Level.

Presentations: The outcomes of the analysis will be presented at professional meetings and conferences. These will be based on aggregated data.

All published outputs will only contain aggregated data with small number suppression applied as in line with the HES Analysis Guide.

Processing:

All organisations party to this agreement will comply with the Data Sharing Framework Contract, including requirements on the use (and purposes of that use) by “Personnel” (as defined within the Data Sharing Framework Contract i.e.: employees, agents and contractors of the Data Recipient who may have access to that data).

There will be no flow of identifiable or confidential data from any of the data controllers/processors named in this agreement into NHS Digital. NPS will provide NHS Digital with a list of OPCS4 codes and the speciality codes for neurosurgical and paediatric neurosurgical procedures. These are just codes in the dataset, and not record level data.

NHS Digital are to use these codes to filter the HES APC product from 2013/14 onwards and extract records accordingly.

NHS Digital are then to extract mortality records for people included in the HES extract.

The data will then be transferred back to Northgate Public Services (NPS), on an annual basis.

Upon receipt, the data requested will be held by Northgate Public Services (NPS) in its secure data centre.

NPS' Health Analysts will then clean the data prior to undertaking risk adjusted mortality analyses for the purposes of producing funnel plots in order to identify potential outlier performance. The data will also be adjusted so that the multiplicity of OPCS4 procedures from the HES APC product requested are grouped into a manageable number of procedure categories.

Once the cleansing, mortality analysis, and grouping of data is complete, the data will be loaded onto a database server so that it can be previewed by consultants prior to publication. Surgeons will have access to record level data for only those procedures which they are indicated as 'Consultant' - ie surgeons will only access record level data pertaining to their own patients - they will not view data on patients of other surgeons.

Once the preview process is complete and any adjustments to the data (e.g reassignment of a procedure to another surgeon) the data will be published on the COP website. The finalised data-set will also be uploaded to the surgeon-level reporting service. Surgeons only have access to the data relating to their own patents.

An SBNS surgeon will have access to record level data, for the purposes of undertaking outlier analyses and to respond to ad-hoc queries from organisations such as NHS England, NHS Improvement, and individual Trust Medical Directors. SBNS are the data controller for this project.

The data will also be used for ad-hoc queries and analysis requested by the data controller, SBNS. This work will be undertaken by NPS health data analysts and, where necessary, an SBNS surgeon nominated by the data controller.

All data will be processed by substantive employees of either SBNS, NPS, Sungard (who act in a processing capacity as data centre host), and Iron Mountain (as off-site backup storage provider).

The data held by NPS will be stored on a secure server in the SunGard data centre which is only accessible to a limited number of users. The reduced data-set completed as a result of the cleansing and categorisation of the supplied data-set will be held on a protected database server, also hosted with NPS' data centre.

NPS staff will access the data held in the data centre either directly from an NPS office or via a secure VPN which requires two factor authentication, including the use of an RSA token. The VPN is an extension of the NPS secure network and does not provide direct access to the server. Access to the server is subject to additional controls.

In order to ensure that the data remains in a secure location, SBNS access to the data will be by remote desktop via NPS' VPN. A single, dedicated folder will be made available to the SBNS, and the remote desktop will include all those tools necessary to manipulate the data. Account holders will be required to sign to accept NPS' terms and conditions for access to the network and the data. It is expected that no more than one surgeon will require such access. Logging onto the VPN will not be permitted in public locations or via public, insecure WiFi connections. The Terms and Conditions that an SBNS surgeon will be required to sign will explicitly include this condition, restricting access to be either from within an office located in a hospital or using a secure home connection.

There will no linkage permitted to other data sets apart from what is detailed in this agreement.

There will be no attempts by employees of the named data processors or controllers to re-identify participants in the audit.

---

Beyond Compliance — DARS-NIC-351761-F8Z6V

Type of data: information not disclosed for TRE projects

Opt outs honoured: No - data flow is not identifiable, Anonymised - ICO Code Compliant, No (Consent (Reasonable Expectation))

Legal basis: Health and Social Care Act 2012 – s261(1) and s261(2)(b)(ii), Health and Social Care Act 2012 – s261(1) and s261(2)(b)(ii), Health and Social Care Act 2012 – s261(2)(b)(ii), Health and Social Care Act 2012 - s261 - 'Other dissemination of information'

Purposes: Yes (Supplier, Commercial)

Sensitive: Non Sensitive, and Non-Sensitive

When:DSA runs 2020-04-20 — 2021-04-19 2020.08 — 2021.01.

Access method: Ongoing

Data-controller type: NORTHGATE PUBLIC SERVICES (UK) LIMITED, NEC SOFTWARE SOLUTIONS UK LIMITED

Sublicensing allowed: No

Datasets:

1. Patient Reported Outcome Measures (Linkable to HES)

Objectives:

BACKGROUND:

The purpose of collecting the data is service evaluation. Northgate Public Services (NPS) are the data controller for the NHS Digital data supplied under this agreement for the purposes set out below. They specialise in integration of IT and network technologies that can be used to benefit people and businesses worldwide, including health and social care. NPS have designed the data collection platform and the reports that will be disseminated. It is NPS that collate, aggregate, analyse and disseminate data needed during the assessment process. Access to the platform is offered by Northgate to the implant manufacturers who have products registered with the Beyond Compliance Service on an annual subscription-basis.

Beyond Compliance is a service to support the safe and stepwise introduction of new or modified implantable medical devices.
An independent panel of experts, known as the Beyond Compliance Advisory Group, who are governed by a Beyond Compliance Steering Committee, work with the implant manufacturer to assess the relative risk of any new product, and the rate at which it should be introduced to the market. The service collects data about patients who receive these implants and about their recovery following surgery.
This data is made available to clinicians using the implant, to the manufacturer, and to independent assessors from the Beyond Compliance Advisory Group, to provide real-time monitoring of the implant’s performance. The clinicians who agree to joining the advisory group are drawn from the most experienced and respected members of their field.

Beyond Compliance is the name of the platform created, the service provided, and there is also a Steering Committee and an Advisory Group.

The linkage requested under this agreement is justified in line with Article 6 (1)(F) of the GDPR; This work is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. As set out in the legitimate interest assessment that Northgate Public Services have undertaken - the data requested is to help achieve the following: Aid and assist The Beyond Compliance service which has been set up in the interest of patients, to support the safe and stepwise introduction of new or modified medical implants such as joint replacements. This is done by supporting surgeons’ and manufacturers’ close scrutiny of the performance of their implants in their early years of use. This is principally achieved through the collection of various data describing the types of surgery, details of the devices and characteristics of the patients. The outcome of the device is monitored for signs of excessive early revision and lower than expected PROMs scores (based on same-in-class industry standard benchmarks). As all NHS funded patients in England and Wales undergoing hip or knee replacement are asked to complete a pre and post-operative questionnaire, the Beyond Compliance service is requesting access to this valuable information for the purposes already specified and to reduce the burden of data collection on the patients by avoiding having to ask them to complete multiple copies of the same PROMs instruments.

The data is also required for service evaluation purposes - meeting the conditions outlined as per Article 9 (2)(I) of the GDPR. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. Northgate Public Services are carrying out service evaluation work and quality checking work as described in this agreement to investigate how the safety of implants can or should be improved.

Northgate Public Services (NPS) is a commercial entity, providing a technology platform for the provision of the Beyond Compliance service. Beyond Compliance as as service was introduced in 2012, by the Association of British Healthcare Industries (ABHI), the British Orthopaedic Association (BOA) and the Medicines & Healthcare products Regulatory Agency (MHRA), as a service available to manufacturers of implants used for joint replacements, such as total hip or total knee replacements, which supports their safe introduction. The Beyond Compliance service is a service available to implant manufacturers (themselves commercial entities) wishing to enhance the safety and vigilance of the entry of a new or modified CE (European Conformity) marked product into the UK market. CE Marking is a declaration that a product complies with the essential requirements of the relevant legislation so that it may be marketed in Europe. A modified CE product is one which is an existing product that has been substantially modified so as to be considered "new". The service provides analysis of on-market implant performance to implanting surgeons, independent expert advisors, and the implant manufacturer who collectively monitor the implant. NPS collects information about patients who receive these implants and then tracks their post-surgical progress and provide reports to Beyond Compliance that illustrate whether each new design or design modification is performing as required.

The Northgate system allows for the collection, analysis and reporting of information on (orthopaedic) implants in order for their performance and safety to be monitored and assessed during their introduction to the market (required of all implant manufacturer’s Post Market Surveillance activities as defined by the Medical Device Regulations). The charges Northgate makes for the provision of its services are direct to the device manufacturers who fully fund the costs of running the programme. The addition of PROMs data to this service will not attract any additional changes and therefore provide no commercial benefit to Northgate.

To support and enable the monitoring of implants registered as part of the Beyond Compliance Service, NPS has developed a Beyond Compliance platform for the secure collation, aggregation, analysis and dissemination of data needed during the assessment process. Access to this platform is offered by NPS to implant manufacturers with products in the Beyond Compliance Service on an annual subscription-basis, to support their monitoring of implant performance.

Beyond Compliance is governed by a Steering Committee, chaired by the National Clinical Director for Musculoskeletal Services, NHS England. The BC Steering Committee has responsibility for ensuring buy-in and involvement of representatives of all stakeholder groups. Membership of the BC Steering Committee is made up of an independent group of orthopaedic experts, including representatives from: Department of Health, Patient representative, Lay representative, Notified Bodies, Association of British Healthcare Industries, British Hip Society, National Joint Registry, British Orthopaedic Association, NHS Supply Chain, British Association for Surgery of the Knee, Medicines and Healthcare products Regulatory Agency (MHRA) who are the Secretariat for the BC Steering Committee. The Steering Committee has responsibility for ensuring representatives of all the stakeholders are involved.

The objective of processing is for Northgate Public Services to provide the Beyond Compliance Advisory Group (and accompanying service) and the implant manufacturer with the mechanism to assess the patient reported outcomes of patients receiving an implant (within the Beyond Compliance service) in comparison to the national average procedure-specific scores to monitor implant performance, and to flag any areas where patient outcomes report to be statistically significantly worse than the expected.

Northgate Public Services are the data controller and processor of the data collected and processed by the service. Beyond Compliance is the name of the project commissioned by NPS.

Implant risk assessment and on-going safety monitoring is undertaken by the Beyond Compliance Advisory Group. http://www.beyondcompliance.org.uk/About/Committees/TheAdvisoryGroup.aspx.

The role of the Advisory Group is:
• To offer advice to industry on a voluntary basis.
• To act as an independent data monitoring committee for clinical follow-up data on new or modified products within the Beyond Compliance Service.

The Beyond Compliance Advisory Group reports to the Steering Committee.

Surgeons who decide to use an implant that is registered with the Beyond Compliance Service are authorised by the manufacturer for the specific implant. To be accepted as an implant within Beyond Compliance Service, the manufacturer and the Beyond Compliance Advisory Group agree and sign a Risk Assessment which includes a commitment by the manufacturer that: "The manufacturer understands that surgeons who use a device registered with the Beyond Compliance Service will have to obtain specific consent from each patient for the use of personal data held within the Beyond Compliance platform. This is in addition to the consent for operation and consent for the National Joint Registry."

In terms of the governance and commercial position of the Beyond Compliance Service, all data describing the performance of implants are scrutinised by an independent Advisory Group drawn from healthcare professionals (surgeons), who are experienced and respected members in their field and who work with the implant manufacturer to assess the risk of any new product. Based upon this risk, the Advisory Group and the manufacturer agree the most appropriate way for the product to be introduced into the market. The Group will consider the rate of introduction of the product and will also review the specialist training to be provided to surgeons. The Beyond Compliance Advisory Group give their time voluntarily, and they have no commercial ties with the implant manufacturer.

The surgeons who volunteer to assess and monitor implants claim expenses for attending risk assessment meetings from SCCL (Supply Chain Coordination Limited), who also provides their legal indemnity and general administrative support.

The only “commercial” relationship that exists is between Northgate and the implant manufacturers and is for the provision of the IT and data services on which the surgeons rely for their assessments and monitoring.

The governance of BC comprises a steering committee which meets every quarter and comprises the following as its members:

· British Orthopaedic Association
· MHRA
· ABHI
· SCCL
· Industry representative (manufacturer)
· Chair of the Advisory Group (see below)

Under this is the Advisory Group which is chaired by a retired orthopaedic Surgeon and functions as the means by which new implants are initially risk assessed (presentations by manufacturers to surgeon rapporteurs) and reviews the latest data on implant performance across all BC implants. It meets monthly and issues official minutes which are approved by SCCL.

In addition to the collection of data on the type of implant used and outcomes such as death, revision and PROMs, the service also has the legal (by means of its consent wording) and technical ability to carry out bespoke patient surveys. Previously BC has surveyed patients who had received a particular knee implant following evidence within the data of a higher than expected rate of revision. The system also collects x-rays and the results of explant analysis (where a BC implant has been removed).

In addition to looking at the survivorship of implants (revision), BC also carries out bespoke patient surveys and long term PROMs follow up (up to 10 years) to evaluate how patients are living with their implants in terms of satisfaction and ADL. The service therefore informs surgeons on best practice and best products in the market.

Only participants recruited on later versions of the consent material (v1.7 onwards) are the subject of the cohort for this agreement.
The cohort comprises all patients who received an orthopaedic implant (hip, knee or shoulder) since the 1st June 2018, that was registered with Beyond Compliance (https://www.beyondcompliance.org.uk/) at the time of implantation and who consented to share their personal data for (amongst other things) the purposes specified within this application i.e. use of their personal data to link their Beyond Compliance record to their PROMs record (if present within the national NHS PROMs dataset).

Yielded Benefits:

Through its independence and collaborative approach, the Beyond Compliance Service has realised some significant benefits in effecting changes to product introduction. These include: - Discovery of significant factors, hitherto unknown, affecting patient outcomes - Changes to product design features - Change of indication for use and contraindication - Changes to instruments and instrument box contents - Revised Instructions for use, surgical technique, package inserts and labelling Working with the Beyond Compliance Service, manufacturers can make considered and informed changes during a product’s market introduction. Such changes may be small or large but will be evaluated and monitored carefully to maintain patient safety and aim to ensure an implant is used to best effect. With closer, independent scrutiny, greater assessment of product risk prior to market introduction, ongoing assessment of data collected independent of the manufacturer, and sharing of early stage results across all user surgeons, there is little question that the Beyond Compliance Service significantly enhances assurance that product innovations are being introduced in a risk-proportionate way

Expected Benefits:

The close monitoring of new or modified implants has significant benefits to patients and to the health and social care system. It is the objective of the Beyond Compliance Service to support the responsible and safe introduction of new or modified orthopaedic implants into the UK market, and to provide an additional level of scrutiny to these products during the early stages of product introduction. The Beyond Compliance Service aims to identify implant-related failures as early as possible, and to work collaboratively with the implant supplier to scrutinise implant performance data, taking swift action to investigate and remedy issues highlighted through the data collected. Such remedies may ultimately result in implants being withdrawn from the market prior to wide-scale adoption.

In summary, the benefits gained from the Beyond Compliance Service are: -

• Enhanced and objective monitoring of orthopaedic implant performance that provides greater safety to patients
and assurance to health professionals in order to:
o detect potential issues sooner, to implement solutions earlier and
o expose fewer patients to any unnecessary risk,
• Supporting innovation of new implant technology coupled to increased patient protection, guided by expert
advisers,
• Independent assessment of the relative risk of new implants and the recommended rate at which they should be introduced to the NHS through ongoing service evaluation,
• Supporting and encouraging peer governance over orthopaedic advances
• Building confidence in, and adoption of, improved orthopaedic implants that benefit patients, healthcare providers and the national economy.

Outputs:

Northgate Public Services will provide Implant Summary Reports on a monthly basis about specific Beyond Compliance Implants. The reports will detail implant performance and outcome and inform authorised stakeholders of this. A certain section of the reports will contain data that is derived from PROMs, however it will only take the form of aggregated data with all small numbers suppressed in line with the HES Analysis Guide. The first reports containing the PROMs data is expected for release from April 2018 onwards.

The Implant Summary Reports are made accessible to
• Designated independent assessors who are responsible, as members of the Beyond Compliance Advisory Group, for leading the safety monitoring process for each implants
• Surgeons who use the implant and are registered with Beyond Compliance Service by the implant manufacturer
• Nominated personnel within each implant manufacturer.

The section containing the PROMs data will report on the following information:
a) Overall PROMs
- Mean pre-operative and six month Oxford Hip/Knee, EQ-5D, and EQ-VAS scores for the Beyond Compliance implant and
comparator group, together with mean Health Gain (six month minus pre-operative score), and the percentage of patients with an improved vs. unchanged/worsened score are tabulated.

b) Success and Satisfaction
- The proportion of patients giving each of the five possible responses is plotted for both the Beyond Compliance implant and for all other implants in that product category is plotted for the following questions:
o Success: "Overall, how are your problems now, compared to before your operation?"
o Satisfaction: "How would you describe the results of your operation?"

The Implant Summary report is distributed to those authorised users listed above via the Beyond Compliance service and platform.
These authorised users may only download the reports when they are logged in to their secure account on the Beyond Compliance platform.

The implant summary reports are the basis for the ongoing assessment of the implant’s safety performance

Processing:

All organisations party to this agreement must comply with the Data Sharing Framework Contract requirements, including those regarding the use (and purposes of that use) by “Personnel” (as defined within the Data Sharing Framework Contract ie: employees, agents and contractors of the Data Recipient who may have access to that data).

Data that is disseminated under this agreement will only be used for the purposes stated. The data will only be linked to data as stated in this agreement.

Any proposed change in the use of the data would require a new application.

Where a patient has provided consent to share their PROMs data with NPS for the purpose of delivering the Beyond Compliance Service implant monitoring service, NPS will, request associated PROMs data for the patient from NHS Digital.

To identify patients who have given consent to Beyond Compliance, for each consented patient, NPS will provide NHS Digital with the following data:

• BC Index Number (Study ID)
• NHS number
• Gender
• Date of birth
• Post code

Where NHS Digital finds a matching PROMs record for this patient, they are requested to provide back to NPS the following data:

• BC Index Number (Study ID)
• All orthopaedic (Hip & Knee) PROMs data
• All EQ-5D and EQ-VAS scores (contained within PROMs)
• All Oxford Hip or Knee scores (contained within PROMs)

Upon receipt of this data from NHS Digital, NPS will link the PROMs data with the corresponding patient record and store this data within the Beyond Compliance system. The linking is completed at the patient level in order to ensure that the correct PROMs scores are analysed and reported upon. For example, the pre-operative and post-operative reports relate to the same patient and implant. The analysis will then summarise the PROMs data and outputs will be aggregated with small numbers suppressed inline with the HES analysis guide. It will not be possible to identify any individual patients from the outputs made using the data provided by NHS Digital.

Beyond Compliance currently collects data from England, Wales and Northern Ireland - however for the purposes of linkage it will be ensured that only Beyond Compliance identifiers for patients with postcodes in England will be sent to NHS Digital. No further PROMs data from outside England is being requested and no separate linkages will be taking place.

All processing of the data will take place at Northgate Public Services. All those processing the data are substantive employees of Northgate Public Services.
Northgate Public Services will process the PROMs data provided by NHS Digital to report comparisons, for each available PROMs measure, between the specific implant and the national average procedure, specific scores to show:

- Mean scores reported,
- Health Gain achieved,
- Percentage patients who are improved, unchanged or worsened
- Success rates,
- Satisfaction rates.

The Beyond Compliance platform is only available to authorised users. Each person has an individual account that is set up by Northgate Public Services that can be accessed only by a secure password that is confidential to themselves.

Gyron Internet Limited are the NPS data centre providers. Gyron provides the data centre facility, namely the location, building/data centre fabric, racks, power, cooling and selected "hands on" services. Gyron also provide the network switches for the Secure Shared Environment (SSE). However, Gyron have no access to NPS systems for management purposes as all of the switch configuration is stored, managed and accessed by NPS.
Gyron is ISO-IEC 27001:2013 certified, and both the Hemel and Slough Gyron data centers used by NPS are also Police Assured Secure Facility (PASF) approved. Gyron do not have access to any data.

The data will not be made available to any third parties except in the form of aggregated outputs with small numbers suppressed - this will apply to all PROMs data provided by NHS Digital.

PROMS terms and Conditions will be adhered to.

HQIP have no role within Beyond Compliance but they are the Data Controller for the National Joint Registry (NJR) data. The primary source of Beyond Compliance’s implant data is the National Joint Registry. Beyond Compliance provides the NJR with the product codes of the implants it is monitoring and when these are detected within the NJR system a copy of certain specified fields from these records is transferred to the BC system. Where a patient has consented to BC this information also includes personal data which enables BC to link these records to other data (NHS PROMs) and to contact the patient for additional PROMs or bespoke patient surveys. Where consent is not given, no personal data is transferred. All transfers of data are subject to a data sharing agreement (DSA) between Northgate and HQIP (the respective data controllers). As part of the DSA, NJR also provides benchmarks based on implant types which enables BC to make comparative assessments of its subscribed implants against expected values.

Only participants recruited on later versions of the consent material (v1.7 onwards) are the subject of the cohort for this agreement. c) The cohort comprises all patients who received an orthopaedic implant (hip, knee or shoulder) since the 1st June 2018, that was registered with Beyond Compliance (https://www.beyondcompliance.org.uk/) at the time of implantation and who consented to share their personal data for (amongst other things) the purposes specified within this application i.e. use of their personal data to link their Beyond Compliance record to their PROMs record (if present within the national NHS PROMs dataset).

---