Who are BSR?
The British Society for Rheumatology (BSR) is the UK’s leading specialist medical society for rheumatology and musculoskeletal professionals.
What information are we collecting?
The National Early Inflammatory Arthritis Audit (NEIAA) is commissioned by the Healthcare Quality Improvement Partnership (HQIP) on behalf of NHS England and Digital Health and Care Wales are joint data controllers for the audit.
Over 200 hospitals in England and Wales are taking part in this audit.
The audit follows patients through the first 12 months of care. The audit is collecting health information at the first appointment for all patients with a confirmed diagnosis of inflammatory arthritis, connective tissue disease and systemic vasculits then 3 months later for those who have a diagnosis of Rheumatoid Arthritis. This will include diagnosis, tests undertaken to reach the diagnosis and treatment. Patient reported outcomes are also collected after the first appointment and then at 3, 6, 9 and 12 months.
The identifiable information we are collecting is: patient name, date of birth, NHS number, postcode and gender. The benefit of collecting these personal details is that it enables us to link with other national sources of information and this will give us a fuller picture of how well people respond to treatment and outcomes of care.
The information gathered will answer the following questions:
- How quickly are patients referred to secondary care by GPs and how long does it takes to see a specialist in rheumatology?
- What treatment do patients with inflammatory arthritis receive over the first year of care and is this in line with national guidelines?
- How well staffed are rheumatology departments, and do they have access to specialist services such as physiotherapy, podiatry, psychology?
- Do patients receive timely education about their new diagnosis to help manage it well?
- Can patients get access to advice quickly if their symptoms worsen or they run into problems?
We are using a bespoke secure online platform to collect this data, which will be entered by clinicians (at www.arthritisaudit.org.uk) and patients (at www.myarthritisaudit.org.uk).
Who are we sharing the information with?
To create this in-depth picture of patient care, personal details (NHS number, date of birth, postcode) are sent to NHS England and to Digital Health and Care Wales (Wales). NHS England and Digital Health and Care Wales will then use these details to find relevant information (HES admitted patient data and PEDW admitted patient data). The linked information is returned to the NEIAA team in a pseudonymised format. BSR has commissioned a team at King’s College London, in partnership with King's College Hospital, who will analyse the results of this audit.
The confidential information is stored safely in accordance with NHS recommendations, standards and regulations.
Data from the audit may also be shared with third party applicants for the purposes of research, service evaluation and health/care improvement. Sharing data will always be under relevant legal and information governance regulations. Personal identifiers will not be shared unless the appropriate legal, ethical and security arrangements are in place. No personal information will ever be made public, and no data will be transferred outside of the EU. We will store your data permanently for as long as NEIAA is running.
What is the legal basis for collecting this data?
We have gained approval from the Health Research Authority’s Confidentiality Advisory Group in order to collect patient data without written consent. This means that patients have to actively opt out if they do not want their information to be included.
In England, patients who have chosen to opt out of their confidential data being used for purposes other than their own care and treatment (National Data Opt-out Programme) will not be included in the audit. Wales does not operate a national opt-out programme, but all patients in both England and Wales are still able to opt out of individual audits, such as this one.
The legal basis for processing the information collected is article 9 (2) (i) of GDPR ‘processing is necessary for reasons of public interest in the area of public health’ which is underpinned by Health and Social Care Act 2012 Part 1 section 2.
Can I see what information is collected about me?
If you would like to see your information, please contact your local Rheumatology department.
Can I withdraw my information?
Of course. Please contact your rheumatology department and inform them that you do not wish your data to be included. Alternatively, you can contact Ella Jackson audit@rheumatology.org.uk, on +44 (0) 20 7842 0900 or by post: British Society for Rheumatology, Bride House, 18-20 Bride Lane, London, EC4Y 8EE
You also have the right to raise concerns or make a complaint through the Information Commissioners Office by calling 0303 123 1113 or following the link https://ico.org.uk/concerns/
HQIP, together with NHSE and Digital Health and Care Wales are joint data controllers for the audit. You can contact HQIP's data protection officer at data.protection@hqip.org.uk.
The BSR’s data protection officer is Jessica Badley, and can be contacted on jbadley@rheumatology.org.uk.
Frequently Asked Questions
Will the data be identifiable?
The data processor will extract identifiable audit data.
Does the audit have a S251 exemption?
Yes, this is available publicly here (Ref: 18/CAG/0063).
You can find out about the duty of confidentiality here
How will the host organisation control access to the data?
Net Solving and KCL are the primary data processors for the audit on behalf of the British Society for Rheumatology (BSR). The following outlines the measures that are being put in place to safeguard the security of the data:
- Clinicians have unique logins. They will only see data for their own patients.
- The online audit platform is hosted by Rackspace, a secure web hosting provider.
- The data is stored in a Microsoft SQL Server database, secured using Windows authentication which prevents login information being stored in the application.
- Net Solving hosts an SQL database in a RAID array preventing data loss if a hard drive fails.
- Data is backed up in a secure remote physical location.
- KCL accesses pseudonymised data directly from the audit portal.
- KCL adheres to institutional data handling policies with full GDPR compliance.
How will the data be transferred to the host organisation?
Via the online portal here
Will there be any additional transfers from the host organisation?
During data linkage, data will be transferred to NHS England and Digital Health and Care Wales.
How will the host organisation securely store the data?
The server is hosted in a Rackspace datacentre. Each Rackspace data center is restricted by biometric authentication, keycards, and 24x7x365 surveillance. This helps to ensure that only authorised engineers have access to routers, switches and servers.
How long will the host organisation retain the data?
Identifiable data will be retained for ten years after project completion. The audit is currently funded until October 2022. There is an opportunity for this to be extended.
Data protection registration number
Z127452X