CRIS Privacy Notice
Clinical Record Interactive Search (CRIS) – Privacy Notice
The contact details of the data controller and data protection officer
The CRIS Data Controller is Oxford Health NHS Foundation Trust.
Data Protection Officer – Please contact the Head of Information Governance:
IM&T Directorate, The White Building, Littlemore Mental Health Centre, 33 Sandford Road, Littlemore, Oxford. OX4 4XN
The purposes of the processing and the ‘legal basis’ for doing so
Processing of CRIS data is for the purpose of the provision of ‘health care clinical audit, service evaluation and for medical research’ and is necessary for medical purposes. It is undertaken by either a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional (Researcher). This is a ‘task carried out in the public interest’ as set out in UK Law.
The categories of data concerned and how we obtain it
The CRIS data source comprises ‘special categories’ data, which is health information captured in your medical record. This might include demographics, test results, clinical notes, letters and assessment forms. Therefore, technical and organisational safeguards are also in place that ensure respect for the principle of data minimisation (i.e. using only the absolute minimum of personal data required for a purpose) via the process of pseudonymisation. CRIS extracts data from the medical record in an identifiable state; the data is then processed to remove the patient identifiers, and a new pseudonymous database is provisioned. Processing is necessary for scientific research purposes, in the public interest.
The potential recipients of the data
CRIS information is held securely with strict arrangements about who can access the information. This will include Trust staff, clinicians and approved researchers. The information will only be used for the purpose of health and care research, service evaluation, clinical audit or to contact you about future opportunities to participate in research.
Where there is a risk that you can be identified, your data will only be used in research that has been independently reviewed by an ethics committee.
The data controller for a CRIS system is the NHS Trust, and they determine the purpose and manner of processing through a (legally binding) contract with the data processor, which is the University of Oxford. This provides instruction on how and what data will be processed to establish a CRIS system, the terms and conditions of processing and authority to use the listed sub-contractors to deliver the service. The University of Oxford sub-contracts data processing activities for establishing a CRIS system to two sub-processors: Phoenix Software (re-sellers of VMware), who provide the infrastructure for CRIS, and Sirius Corporation, who manage and maintain the system and provide technical support for Trust users of CRIS. Responsibilities imposed on the University of Oxford by the data controller are flowed through sub-processing agreements/commercial contracts to the sub-processors (which operate as ‘data processors’). For more information on data controllers and data processors, the differences and their responsibilities, the Information Commissioner’s Office have published guidance available at the following link.
Oxford Health NHS Foundation Trust are also part of the CRIS Network; therefore, authorised researchers from this network may be granted access to the Oxford Health NHS Foundation Trust CRIS pseudonymised data set. The CRIS Network is a group of highly innovative NHS Mental Health Trusts who are working together to accelerate research work in dementia and mental health. For further information on this network and its members please see the CRIS Network website.
The data retention period
Please see ‘How do we maintain personal information that is held as a health and social care record?’ on our Trust Privacy Notice page.
How subjects can exercise their rights in relation to such processing
If you do not wish your confidential patient information to be used for planning and research purposes, please visit the National data opt-out programme for further information. Please also see ‘What are your rights?’ on our Trust Privacy Notice page.
How to lodge a complaint with the supervisory authority
If you wish to raise a complaint on how we have handled your personal data, please see our ‘What are your rights?’ section on our Trust Privacy Notice page, which includes details of our ‘Data Protection Officer’ and the ‘Information Commissioner’s Office’.
Page last reviewed: 11 September, 2018