Privacy Notice

Updated: November 2023

Healthcare Quality Improvement Partnership Ltd (HQIP) (referred to as “HQIP” “We, “Our” or “Us”) are committed to protecting the privacy and security of your Personal Data and being open and honest about how it is used.

We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what measures we take to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.

About HQIP

The Healthcare Quality Improvement Partnership (HQIP) was established in April 2008 to promote quality in healthcare and to increase the impact that clinical audit has on healthcare quality improvement. We are an independent organisation led by the Academy of Medical Royal Colleges and The Royal College of Nursing.

HQIP commissions, manages, supports and promotes national and local quality improvement, through this work HQIP is responsible for several national quality improvement programmes. These include the National Clinical Audit and Patient Outcome Programme (NCAPOP) and the National Joint Registry (NJR).  The NCAPOP is composed of approximately 38 projects which cover national clinical audit and clinical outcome reviews. NHS England, Department of Health, Welsh Government and other devolved nations fund and commission HQIP to manage these programmes.

Our Employee Privacy Notice can be found here.

Data Protection Legislation

Throughout this document we refer to Data Protection Legislation.

In the United Kingdom (UK), Data Protection Legislation means the Data Protection Act 2018 (‘DPA 2018’), United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and any legislation implemented in connection with the aforementioned legislation.

HQIP is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated.

HQIP has a Data Protection Officer who can be contacted by emailing: [email protected].

Project specific information

Each quality improvement project has its own privacy notice and fair processing documentation to ensure transparency. Data from Devolved Nations or Crown Dependencies may be included in some of the NCAPOP projects. More details around this will be provided in the specific privacy notice for each project.

Please see below for a list of all national quality improvement projects which HQIP commissions, manages or hosts:

National Clinical Audit Programme Projects

Clinical Outcome Review Programmes

The National Joint Registry

Information we may collect about you

We may collect, use, store and transfer different kinds of personal data about you. We have grouped the types of data together as follows:

  • identity data includes: first name, last name, username or similar identifier.
  • contact data includes: email address, telephone numbers, organisation name, job title and your role within the organisation e.g. Doctor
  • technical data includes: internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our site
  • usage data includes: information about how you use our site, products and services
  • feedback data includes: information relating to your use of our site or services

We also collect, use and share aggregated data such as statistical or demographic data, but only where such data is anonymous. Data is considered to be anonymous where you cannot be identified (whether directly or indirectly). For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.

How we use your information

We use your information in the following ways:

  • For direct marketing purposes to send you notifications of publications, events and activities in connection with our aims and that help improve the quality of healthcare provided to the public that we think you may be interested in
  • Analyse how you use our website via google analytics
  • Collecting your views, experiences and advice in surveys or feedback sessions helps us to improve the quality of services we provide
  • To respond to your queries and complaints.
  • To send you communications required by law or which are necessary to inform you about changes to the services we provide you. For example, updates to this privacy policy
  • To comply with our contractual or legal obligations to share data with law enforcement. For example, when a court order is submitted to HQIP to share data with law enforcement agencies or a court of law
  • To process and monitor your order should you buy something from us (such as through our Data Access Request process)
  • To send you survey and feedback requests to help improve our services

HQIP tracks your interaction with the marketing emails we send you and your use of our website including downloads and pages viewed to improve the relevance of the communications we send you.

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, where this is required or permitted by law.

When we will collect your information

In general, we will collect this data directly from you. Where this is the case, you are under no obligation to provide us with your Personal Data. However, a failure to provide Personal Data may result in us being unable to provide you with our Services or access certain features of our website.

We collect the data about you in the following ways:

  • If you fill in any questionnaires, surveys or feedback forms we will collect your experiences, opinions and any health information you are happy to share with us
  • When you communicate with us, for example if you make an enquiry or a complaint
  • When you engage with us on any of our social media channels
  • When you sign up for and attend an HQIP event
  • When you apply for audit data via our data access process
  • Through our National Clinical Audit Directory
  • If you buy one of our services or products

If you interact with our website and accept our Cookies, we may collect certain technical information, such as your browsing activity across our website and your IP address.

We may also receive information about you from third parties, for example our service providers and suppliers, or from third parties who may have gathered your consent on our behalf, or from publicly available sources.

The lawful bases we use to process your information

We can only process your personal information if we have a lawful basis to do this. The legal basis that HQIP rely on to process your information are as follows:


This is the basis we use when you agree to us using your information to send you reports or other products or communications that you would be interested in by providing us with your name and email address.  You can withdraw your consent at any time by contacting [email protected].


Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract. We process your personal information on this legal basis as part of your DARG application.

Legal obligation

We use this legal basis when it is necessary for us to comply with HQIP’s legal non-contractual obligations. For example, we may be required to keep documentation to produce for parliamentary questions.

Legitimate interests

This basis is used to allow us to process information where it is necessary for our legitimate interests for example, to respond to your queries and complaints.

Who we share your personal details with

We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:

  • sub-contractors for the performance of any contract we enter into with them or you (for example, Clarity Marketing who are our website hosting provider) or,
  • service providers acting as processors who provide IT and system administration services

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us or further sub-processors who must comply with our instructions. They will hold your personal data securely and retain it for the period we instruct.

In addition to the Data Processors indicated above, we may have to share your personal data with third party Data Controllers to provide our services to you or otherwise fulfil our legal obligations.

Examples of third parties include:

  • local authorities/public services;
  • NHS bodies;
  • The Police, and other law enforcement agencies; and/or,
  • The Courts;
How long we will keep your information

We will always retain your personal data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary.

Any personal data shared with us for marketing purposes will only be processed for as long as you wish us to. Your personal data will be held until such time that you notify us that you no longer wish for us to hold your information. We regularly update contact details with any changes. You can update your personal details at any time by completing the form here:

You can unsubscribe by clicking the link at the bottom of any marketing email or newsletter that we send you. If you unsubscribe, HQIP will stop sending you marketing emails. Your email address will be added to a suppression list to prevent you from being inadvertently resubscribed.  Any marketing data HQIP hold associated to your email address will be kept for 13 months for the purpose of management reporting. HQIP will review its contact database twice a year (January and July) and delete subscriber associated records older than 13 months.

You can request your subscriber details are deleted at any time by contacting HQIP via our contact us page:

You can re-subscribe at any time by completing our Subscribe form here:

International transfers of information

Your website activity information may be processed outside the United Kingdom.  Wherever this transfer occurs from the UK to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data. You can obtain a copy of this documentation by contacting the HQIP Data Protection Officer.

Automated decision making and profiling

Your data is not subject to automated decision making or profiling as defined in data protection legislation.

Security of your personal data

We know your personal information is important to you and data security is of great importance to HQIP. We have put in place appropriate technical and organisational measures to prevent your personal data from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our resources to only those that we have determined are entitled to have it;
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
  • All staff are regularly trained in IT, data security and data protection;
  • Implementing access controls to our information technology systems; and,
  • Deploying appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks and websites.
Your rights over your information

The right to be informed about our collection and use of personal data 

You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

Right to Access Your Personal Data 

You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes called a ‘Data Subject Access Request.’ If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed.

We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data.

Right to Rectify Your Personal Data 

If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.

Right to Erasure 

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data.

Right to Restrict Processing 

You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances.

Right to Portability 

The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.

Right to Object 

You have the right to object to our processing of some or all the personal data that we hold about you. This is an absolute right if we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.

Rights Related to Automated Decision-Making 

You have the right to object to our processing where a decision is made about you solely based upon automated processed and which has significant or legal effects. [Insert organisation name] does not intend to conduct any automated decision-making for your Personal Data.

For more information about your privacy rights 

In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here:

You can make a complaint to the ICO, or any other supervisory authority, at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. We will always do our absolute best to solve any problems you may have.

If you would like to exercise any of your rights listed above or contact us about the processing of your personal data, please contact the Data Protection Officer by emailing [email protected]

HQIP is on the Information Commissioner’s Office register of Data Controllers (reference is Z1780946)