CRIS Privacy Notice
The contact details of the data controller and data protection officer
The CRIS Data Controller is Oxford Health NHS Foundation Trust.
Data Protection Officer – Please contact the Head of Information Governance:
IM&T Directorate, The White Building, Littlemore Mental Health Centre, 33 Sandford Road, Littlemore, Oxford, OX4 4XN
The purposes of the processing and the ‘legal basis’ for doing so
Processing of CRIS data is for the purpose of the provision of ‘health care clinical audit, service evaluation and for medical research’ and is necessary for medical purposes. It is undertaken by either a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional (Researcher). This is a ‘task carried out in the public interest’ as set out in UK Law.
The categories of data concerned and how do we obtain it
CRIS data source comprises ‘special categories’ data which is health information captured in your medical record. This might include demographics, test results, clinical notes, letters and assessment forms. Therefore, technical and organisational safeguards are also in place that ensure respect for the principle of data minimisation (i.e. using only the absolute minimum of personal data required for a purpose) via the process of pseudonymisation. CRIS extracts data from the medical record in an identifiable state, then processed to remove the patient identifiers, and a new pseudonymous database provisioned. Processing is necessary for scientific research purposes, in the public interest.
The potential recipients of the data
The data controller for a CRIS system is the NHS Trust, and they determine the purpose and manner of processing through a (legally binding) contract with the data processor, which is Akrivia Health. This provides instruction on how and what data will be processed to establish a CRIS system, the terms and conditions of processing and authority to use the listed sub-contractors to deliver the service. Akrivia Health sub-contract data processing activities for establishing a CRIS system to two sub-processors – Amazon Web Services who provide the infrastructure for CRIS and Global Initiative Limited who provide the Managed Service Provider (MSP) component of the Services. Responsibilities imposed on Akrivia Health by the data controller are flowed through sub-processing agreements/commercial contracts to the sub-processors. For more information on data controllers and data processors, the differences and their responsibilities, the Information Commissioner’s Office have published guidance available at the following link.
Oxford Health NHS Foundation Trust are also part of the CRIS Network, therefore authorised researchers from this network may be granted access the Oxford Health NHS Foundation Trust CRIS pseudonymised data set. This is a group of highly innovative NHS Mental Health Trusts who are working together to accelerate research work in dementia and mental health.
The data retention period
Please see ‘How do we maintain personal information that is held as a health and social care record?’ on our Trust Privacy Notice page
How subjects can exercise their rights in relation to such processing
If you do not wish your confidential patient information used for planning and research purposes, please visit the National data opt-out programme for further information. Please also see ‘What are your rights?’ on our Trust Privacy Notice page
How to lodge a complaint with the supervisory authority
If you wish to raise a complaint on how we have handled your personal data, please see our ‘What are your rights?’ section on our Trust Privacy Notice page, which includes details of our ‘Data Protection Officer’ and the ‘Information Commissioner’s Office’.
Page last reviewed: 1 November, 2021