CRIS privacy notice

The contact details of the data controller and data protection officer

The CRIS Data Controller is Oxford Health NHS Foundation Trust.
Data Protection Officer – Please contact the Head of Information Governance:
IM&T Directorate, The White Building, Littlemore Mental Health Centre, 33 Sandford Road, Littlemore, Oxford, OX4 4XN

The purposes of the processing and the ‘legal basis’ for doing so

Processing of CRIS data is for the purpose of the provision of ‘health care clinical audit, service evaluation and for medical research’ and is necessary for medical purposes.  It is undertaken by either a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional (Researcher).  This is a ‘task carried out in the public interest’ as set out in UK Law.

The categories of data concerned and how do we obtain it

CRIS data source comprises ‘special categories’ data which is health information captured in your medical record. This might include demographics, test results, clinical notes, letters and assessment forms. Therefore, technical and organisational safeguards are also in place that ensure respect for the principle of data minimisation (i.e. using only the absolute minimum of personal data required for a purpose) via the process of pseudonymisation.  CRIS extracts data from the medical record in an identifiable state, then processed to remove the patient identifiers, and a new pseudonymous database provisioned. Processing is necessary for scientific research purposes, in the public interest.

The potential recipients of the data

The data controller for a CRIS system is the NHS Trust, and they determine the purpose and manner of processing through a (legally binding) contract with the data processor, which is Akrivia Health. This provides instruction on how and what data will be processed to establish a CRIS system, the terms and conditions of processing and authority to use the listed sub-contractors to deliver the service. Akrivia Health sub-contract data processing activities for establishing a CRIS system to two sub-processors – Amazon Web Services who provide the infrastructure for CRIS and Global Initiative Limited who provide the Managed Service Provider (MSP) component of the Services. Responsibilities imposed on Akrivia Health by the data controller are flowed through sub-processing agreements/commercial contracts to the sub-processors. For more information on data controllers and data processors, the differences and their responsibilities, the Information Commissioner’s Office have published guidance available at the following link.

Oxford Health NHS Foundation Trust are also part of the CRIS Network, therefore authorised researchers from this network may be granted access the Oxford Health NHS Foundation Trust CRIS pseudonymised data set.  This is a group of highly innovative NHS Mental Health Trusts who are working together to accelerate research work in dementia and mental health.

The data retention period

Please see ‘How do we maintain personal information that is held as a health and social care record?’ on our Trust Privacy Notice page

How subjects can exercise their rights in relation to such processing

If you do not wish your confidential patient information used for planning and research purposes, please visit the National data opt-out programme for further information.  Please also see ‘What are your rights?’ on our Trust Privacy Notice page

How to lodge a complaint with the supervisory authority

If you wish to raise a complaint on how we have handled your personal data, please see our ‘What are your rights?’ section on our Trust Privacy Notice page, which includes details of our ‘Data Protection Officer’ and the ‘Information Commissioner’s Office’.

CRIS Project Linkages

ORCHARD

Oxford Health CRIS links with the ORCHARD Project at Oxford University Hospitals (https://www.ouh.nhs.uk/research/patients/trials/orchard.aspx). This project has ethical approval (ref 18/SC/0184) to undertake linkage of ORCHARD data with data on dementia and other mental health outcomes from the Oxford Health Clinical Record Interactive Search (CRIS) database, in order to determine the predictive value for ORCHARD project participants of cognitive and physical frailty markers for subsequent cognitive decline and dementia. The information which is linked between Oxford Health CRIS and ORCHARD includes cognitive test scores, diagnostic coding and information relating to episodes of care.

If you do not wish your anonymised Oxford Health mental health information to be shared with Oxford University Hospitals for inclusion in ORCHARD, please contact CRIS.admin@oxfordhealth.nhs.uk.

Page last reviewed: 20 March, 2024