Our NCAPOP and Website Privacy Notice

Updated: July 2022

Healthcare Quality Improvement Partnership Ltd (HQIP) takes your privacy seriously. We are committed to protecting your personal information and being open and transparent about how it is used. This policy describes how and why we obtain, store and process data about you.

About HQIP

The Healthcare Quality Improvement Partnership (HQIP) was established in April 2008 to promote quality in healthcare and in particular, to increase the impact that clinical audit has on healthcare quality improvement. We are an independent organisation led by the Academy of Medical Royal Colleges, The Royal College of Nursing and National Voices.

HQIP commissions, manages, supports and promotes national and local quality improvement, through this work HQIP is responsible for several national quality improvement programmes. These include the National Clinical Audit and Patient Outcome Programme (NCAPOP) and the National Joint Registry (NJR).  The NCAPOP is composed of approximately 38 projects which cover national clinical audit and clinical outcome reviews. NHS England, Department of Health, Welsh Government and other devolved nations fund and commission HQIP to manage these programmes.

Our contact details are available via the contact us link on our website. HQIP are the data controller for the personal information we hold about you.

Our Employee Privacy Notice can be found here.

HQIP has a Data Protection Officer who can be contacted by emailing: [email protected].

HQIP as a Data Controller for commissioned or hosted projects

HQIP is a controller for the clinical data collected and processed by these programmes, we determine and authorise the purpose for and manner in which the data collected are processed.

For the NCAPOP specifically, HQIP is joint data controller in partnership with NHS England for the England component of the NCAPOP abd Digital Health and Care Wales (DHCW) for the Wales component of the NCAPOP. The organisations HQIP commissions to deliver these projects are data processors as they are responsible for collecting and processing personal data. HQIP does not directly receive, handle or otherwise process personal or special category data as part of the work it commissions from other organisations to deliver the NCAPOP.

Legal basis

Under GDPR, implemented in the UK by the Data Protection Act 2018, the lawful basis used by these quality improvement projects to process personal data is: performance of a task in the public interest (article 6(1)(e)) to ensure high standards of quality and safety in health care (article 9(2)(i)). The lawful basis for processing special category data under the UK Data Protection Act 2018 is Schedule 1(1)(3) ‘public health’ underpinned by the Health and Social Care Act 2021 Part 1, section 2.  This is justified as all projects aim to drive improvements in care and outcomes for patients, with commissioning and funding arrangements which link back to NHS England, Welsh Government and other national bodies who have statutory responsibilities to improve quality of health care services.

Individual projects may also be required to meet the common law duty of confidentiality to collect and process confidential patient information. The legal basis used will be project specific: usually either consent or approval by the Confidentiality Advisory Group (CAG) under section 251 of the NHS Act 2006.  Please refer to individual project privacy notices for details of their legal basis under the common law duty of confidentiality. These can be found on the relevant provider websites, please see below for a hyperlinked list to all projects.

Data Sharing for commissioned projects

HQIP does not collect or in any other way process data for commissioned projects. Where data for commissioned projects (which HQIP is a data controller of) is not already in the public domain, HQIP has a data access process and operates a Data Access Request Group (DARG) to manage requests and provide approval for data sharing.

The DARG must give permission before any personal data can be used for third party access for research purposes, service evaluation, clinical audit or for any use of the audit data outside of the stated purpose for which it was collected. HQIP will only share data where the necessary ethical, security and legal permissions are in place.

Project specific information

Each quality improvement project has its own privacy notice and fair processing documentation to ensure transparency. Individual project privacy notices should be referred to for the following information as details are project specific:

  • What data is being collected and what they are used for
  • How long data is kept
  • What data is shared and with whom
  • Security (how data are kept secure)
  • How to exercise your individual rights
  • Where applicable, how the project complies with the National Data Opt Out in England
  • Details of the Data Protection Officer

Please see below for a list of all national quality improvement projects which HQIP commissions, manages or hosts:

National Clinical Audit Programme Projects

Clinical Outcome Review Programmes

The National Joint Registry

When we will collect your personal information
  • When you fill out a form on our website
  • When you communicate with us, for example if you make an enquiry or a complaint
  • When you engage with us on social media
  • When you attend an event
  • When you apply for audit data via our data access process
  • Through our National Clinical Audit Directory
  • If you enter into a contract with us, for example if you are one of our suppliers, or if we are one of your suppliers
  • If you are one of our audit providers
  • If you buy one of our services or products, or if we buy from you
  • If you fill in any questionnaires, surveys or feedback forms we will collect your experiences, opinions and any health information you are happy to share with us
  • If you interact with our website we may collect certain technical information, such as your browsing activity across our website and your IP address. An IP address provides the location of server you are contacting us from. We only use this information to:
    • Ensure website security
    • Undertake management reporting (based on country of access).
    • Information gathered by the use of cookies in your web browser. You can see our cookie policy here.


We may also receive information about you from third parties, for example our service providers and suppliers, or from third parties who may have gathered your consent on our behalf, or from publicly available sources, such as social media.

The lawful bases we use to process your information

We can only process your personal information if we have a lawful basis to do this. The legal basis that HQIP rely on to process your information are:


This is the basis we use when you agree to us using your information to send you reports or other products or communications that you would be interested in by providing us with your name and email address.  We use google analytic profiling on our website with your consent. You can withdraw your consent or control your consent at any time by contacting [email protected].


Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. We process your personal information on this legal basis as part of your DARG application. We will also process on this legal basis if you are one of our suppliers or contracted providers to fulfil the terms of our contract.

Legal obligation 

We use this legal basis when it is necessary for us to comply with HQIP’s legal non-contractual obligations. For example we may be are required to keep documentation to produce for parliamentary questions. We are also legally obligated to share information about our trustees with government organisations like Companies House.

Public task

We use this legal basis if we need to perform a task in the public interest such outlier management and management of applications for the NJR fellowship scheme.  All of the national quality improvement projects which HQIP commissions, manages or hosts use this legal basis.

Legitimate interests

This basis is used to allow us to hold information as evidence should we need it in the future, for example, if you ask us to unsubscribe you from our newsletter, you sign one of our declaration of Interest forms or to respond to your queries and complaints.

How we use your personal information

We use your information in the following ways:

  • For direct marketing purposes to send you notifications of publications, events and activities in connection with our aims and that help improve the quality of healthcare provided to the public that we think you may be interested in
  • Analyse how you use our website via google analytics
  • Collecting your views, experiences and advice in surveys or feedback sessions helps us to improve the quality of services we provide
  • To respond to your queries and complaints. Using the information you send us enables us to respond. We may also keep a record of these to inform any future communication with you and to demonstrate how we have communicated with you
  • To send you communications required by law or which are necessary to inform you about changes to the services we provide you. For example, updates to this privacy policy
  • To comply with our contractual or legal obligations to share data with law enforcement. For example, when a court order is submitted to HQIP to share data with law enforcement agencies or a court of law
  • Your personal data may be used to process and monitor your order should you buy something from us (such as through our Data Access Request process)
  • To send you survey and feedback requests to help improve our services

HQIP tracks your interaction with the marketing emails we send you and your use of our website including downloads and pages viewed to improve the relevance of the communications we send you.

Who we share your personal details with

Your personal data will be shared within HQIP and marketing agency Clarity Marketing who are our website hosting partner. We provide only the information they need to perform their specific services.

How long we will keep your information

For marketing purposes we will only process your information for as long as you wish us to. Your personal data will be held indefinitely until you notify us that you no longer wish for us to hold your information. We regularly update contact details with any changes. You can update your personal details at any time by completing the form.

If you unsubscribe, HQIP will stop sending you marketing emails. Your email address will be added to a suppression list to ensure it cannot be accidentally added as a subscriber. Any marketing data HQIP hold associated to your email address will be kept for 13 months for the purpose of management reporting. HQIP will review its contact database twice a year (January and July) and delete subscriber associated records older than 13 months. You can request your subscriber details are deleted at any time by contacting HQIP via our contact us page. You can re-subscribe at any time via our website at www.hqip.org.uk.

Personal data processed for the purpose of a data access requests is retained for 6 years after your data sharing agreement expiry date. Declaration of Interest records are retained of 6 years. Supplier contracts are retained for 6 years.  For other personal information we will retain it for no longer than is necessary, and in accordance with our records management policy.  Copies of this are available on request.

International transfers of information

Your website activity information is processed outside the European Economic Area (EEA), however we have ensured our supplier is bound by relevant Standard Contractual Clauses. This ensures that the processing of your information is compliant with the GDPR and your data receives the same protection as if it were being processed inside the EEA.

How we protect your personal data

We know your personal information is important to you.  Therefore we securely store the personal information we receive and use appropriate security features to prevent any unauthorised access. We have internal policies which set out and guide our data security. All staff adhere to this approach and are regularly trained in data protection.

Access to your personal data is password-protected and HQIP’s IT supplier regularly monitors our system for possible vulnerabilities and attacks. Our website is protected with industry standard SSL protection provided by Lets Encrypt. Data centres hosting the website are ISO27001:2013 certified. The website is automatically scanned for malware.

Your rights
  • See the information we hold on you, and confirm what data we are processing about you
  • Be informed about the collection and use of your personal data
  • Ask us to correct any inaccurate, out of date or incomplete personal data
  • Request that we erase the personal information we hold on you. This is also known as the ‘right to be forgotten’.  The right is not absolute and only applies in certain circumstances
  • Request that we restrict or limit the way that we use your personal data
  • Request a copy of your information and where possible we will provide it to you in a machine-readable format such as .CSV file if you wish. We will do this free of charge and would include only the information you have provided directly to us
  • Object to the processing of your information
  • Your right to reject automated decision making and profiling
  • Your right to withdraw consent, when consent is used as the legal basis to process your data


You can ask for any of the above by emailing [email protected]. We will make requested changes within one calendar month. This will be carried out free of charge in most cases. If we choose not to action your request we will explain to you the reasons for our refusal. The Information Commissioner’s Office has further information on your data subject access rights.

HQIP is on the Information Commissioner’s Office register of Data Controllers (reference is Z1780946) and has a Data Protection Officer who can be contacted at the address on the website or by emailing: [email protected].

NHS England Data Protection Officer can be contacted by emailing [email protected]. Digital Health and Care Wales joint Data Protection Officer can be contacted by emailing: [email protected].

This privacy notice will describe the information HQIP is responsible for as a data controller and the information HQIP processes as an organisation.

If you feel that your personal data has not been used correctly, please write to us in the first instance, so that we can do our best to correct this. Independently, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), you can visit their website for information on how to make a data protection complaint.