NHS HES Data
Sharing Agreement

We welcome you to our website.
We would like to inform you about the management of your personal data.
Last updated on 5th March 2024 v2.8

Introduction
We are Device Access UK Ltd, Kenneth Dibben House, Enterprise Rd, Chilworth, Southampton Science Park, Southampton SO16 7NS. A company registered in England and Wales with company number 07257316..

This privacy and cookie policy (“Policy”) describes Device Access UK Ltd (“Company,” “we,” and “our”) collect, use and share personal data when using this website https://www.deviceaccesseurope.com: (the “Site”) or when we have obtained it form a third party such as NHS England. Please read the following information carefully to understand our views and practices regarding your personal data and how we will treat it.

We encourage you to read the Privacy Policy in full. However, to summarise:

• we will always use your data within the law
• we will never sell your personal identifiable data
• we will always respect your wishes about how you would like to be contacted

We will post any modifications or changes to the Policy on our Site. We reserve the right to modify the Policy at any time, so we encourage you to review it frequently. The “Last Updated” legend above indicates when this Policy was last changed. If we make any material change(s) to the Policy, we will notify post a notice on our Site prior to such changes(s) taking effect. In the event that such a change could materially affect your privacy, you will be notified without delay by appropriate means.

If you want to request information about our privacy policy you can email us at compliance@deviceaccess.co.uk or write to:

Device Access UK Ltd,
Kenneth Dibben House,
Enterprise Rd,
Chilworth,
Southampton Science Park,
Southampton
SO16 7NS

This privacy notice tells you what to expect when Device Access collects personal information. It applies to information we collect about:

• people who download our brochure
• visitors to our website
• NHS England Hospital Episode Statistics (HES) data

When someone visits this site we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

We store the IP address transmitted by your web browser for a period of seven (7) days, strictly for the purpose of identifying, restricting and eliminating attacks on our website. After seven (7) days, we delete or anonymize your IP address. The legal basis for the processing of this personal data is provided for in Art. 6 para. 1 s. 1 lit. f GDPR.

When you visit our website, the data collected from the use of the website is temporarily stored on our web server for statistical purposes in the legitimate interest to improve the quality of our website. The legal basis for the processing of this personal data is provided for in Art. 6 para. 1 s. 1 lit. f GDPR. This data set contains:

• the IP address of the requesting computer shortened to such an extent that no reidentification of any persona data is possible.
• the name of the data file,
• the date and time of the query,
• the amount of data transferred,
• the page, from which the data is requested
• the access status (file transmitted, file not found),
• a description of the type of browser and operating system used (e. g. browser language, image resolution, type of browser, plugins),

The listed usage data is stored anonymously.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), you have rights as an individual that you can exercise in relation to the information we hold about you.

Device Access tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.

To make a request to Device Access for any personal information we may hold you need to put the request in writing to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes.

In most circumstances we will not disclose personal data without consent.The exceptions to this are;

• circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
• our instructions to staff on how to collect, use and delete personal data; and
• how we check that the information we hold is accurate and up to date.

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

You have the right to:

Access the personal data which the Company holds about you. This is called a Subject Access Request (SAR) and can be made by calling us or in writing via email or at the address as provided in the “How to contact us” section.

You may use this process to exercise your right to:

• Have your personal data rectified if it is inaccurate or incomplete.
• Request that we erase information we hold about you.
• Restrict the processing of your personal data, for example ask us not to contact you.
• Object to the processing of your data for specific purposes such as communications or direct marketing.
• Ask for the transfer of your data electronically to be provided to a third party (data portability)

DAUK is the Data Controller and a Data Processor of NHS Hospital Episode Statistics (HES) data provided under a formal Data Sharing Agreement with NHS England.
Hospital Episode Statistics (HES) is a data warehouse containing details of all admissions, outpatient appointments and A and E attendances at NHS hospitals in England. See NHS England and DARS for further details.

For all outputs produced by DAUK, these must be approved by the Device Access UK Limited (DAUK) Data Access Review Group (DADARG). The following is the review and approval numbers of DADARG for the previous 4 years:

• 2023 – 30 Reviewed, 27 Approved
      
• Areas of work: Obesity, Type II Diabetes, Heart attacks in hospital, Lung cancer, Gonarthrosis, Hospital and ventilator acquired pneumonia, Heart failure, Cardiomyopathy, Myocardial infarction, Neurostimulator for spinal cords, C-sections, Vascular procedures, Bowel resections, Sleep apnoea, Heart valve replacement, Staphylococcus infections, Bladder cancer, Kidney Injury, Macular degeneration, Coronary artery bypass graft, Otits Media, Breast cancer, Pancreatic cancer, Bile duct cancer, Cardiac procedures, Radiotherapy, Chemotherapy
• 2022 – 24 Reviewed, 22 Approved
      
• Areas of work: Obesity, Radiotherapy, low birth weight and hypothermic newborn patients, Hospital and ventilator acquired pneumonia, Age-related Macular Degeneration, C-sections, Vascular procedures, Pancreatic cancer, Bile duct cancer, Kidney Transplants, Skin cancer, Skin grafts, Breast cancer, Lung cancer, Stroke rehabilitation, Prostate cancer, Endometriosis, Brain cancer, Cardiac procedures, Colorectal procedures, Hip and Knee and Shoulder replacements, Lung Nodules, Ascities
• 2021 – 31 Reviewed, 28 Approved
      
• Areas of work: Obesity, Cardiac endovascular treatments, Angioplasty, Hospital and ventilator acquired pneumonia, Functional Endoscopic Sinus Surgery, Functional Endoscopic Nasal Surgery, Chronic Ischemic Heart Disease, Myocardial infarction, AMD, C-sections, Vascular procedures, Peripheral vascular disease, Oral Mucositis, Head and Neck cancer, Artery procedures, Electrocardiography, Replacement of mitral valve, Paralysis of vocal cords, Varicose Veins, Gall Bladder, Gastric Bypass, Breast procedures, Bladder Disorders, Lung cancer, Endoscopy, Epilepsy, Spine fractures, Chronic rhinitis
• 2020 – 30 Reviewed, 26 Approved
      
• Areas of work: Hospital and ventilator acquired pneumonia, Meningitis, Neurostimulator for spinal cords, Injury to nerves, Peripheral Nerve Operations, C-sections, Vascular procedures, Polyp of colon, Colon cancer, Epilepsy, Cardiac Arrest, Gastro-oesophageal reflux disease, Atrial fibrillation, Palpitations, Kidney transplants, Fistula of Intestine, Enterostomy, Myocardial infarction, Angioplasty, Glaucoma, Glucose monitoring, Cranioplasty, Pressure ulcers, Delirium, Sepsis, Surgical complications, Breast cancer

To contact our data protection officer Gus Davidson, please email Gus.Davidson@ajdweb.co.uk

We receive and process this data as a result of the Data Sharing Agreement with NHS England and our legitimate interest in conducting scientific and statistical research in order to enable medical device providers to achieve NICE approvals and accreditation and subsequent NHS Adoption, and thus positively impact patients Hospitals and the NHS.

This is covered under GDPR as the most appropriate lawful basis for processing under Article 6 being “Legitimate interest”; coupled with Article 9 condition: – Article 9(2) (j) following a formal assessment to ensure that this meets the purpose, necessity and balancing test criteria.

The preparation and delivery of the bespoke anonymised, aggregated dataset to any medical device manufacturer is only processed; following a formal approval process to ensure it meets the Purpose, Necessity and balancing test criteria for each particular recipient.

The NHS HES data we receive is pseudonymised special category “health data” and non-identifiable; which means individuals cannot be identified from the data.

We never give direct access to unprocessed NHS HES data to any third parties. We do aggregate and anonymise the data at appropriate levels level in accordance with the NHS England HES Analysis Guide Methodology to provide insight and build analytical models into bespoke data sets. These are provided to medical device manufacturers following formal external approval process to ensure the requirements for purpose and benefit are met.

We have been able to identify where new technologies could replace the current standard of care and show significant benefits to patients, providers of care, and payers of care. This has been the foundation of the success in over 30 NICE evaluations since 2010.

The HES data sets containing the pseudonymised data are retained for four (4) years after which they are securely destroyed. These data sets are downloaded stored and processed securely in conformance with the NHS England Toolkit requirements and the Data Sharing Agreement conditions.

DAUK only has access to pseudonymised NHS HES data for the past four years and cannot remove individuals from the datasets.