National Obesity Audit Transparency Notice

This transparency notice explains for the National Obesity Audit:

  • why we collect information about you (we call this “personal data”)
  • what we do with it, including who we share it with
  • how long we keep it for and where we store it
  • our legal basis for using it
  • what your data protection rights are.

To read more about how NHS England uses personal data to improve health and care, see Transparency Notice: how we use your personal data (below for convenience).

About the National Obesity Audit

The impact of obesity on population health and the NHS is significant and increasing, but data collected and analysed is of variable quality which limits both service providers’ and researchers’ ability to fully understand and track the impact of obesity, and to understand and monitor which interventions are most effective and where they are best located.

NHS England has established the National Obesity Audit (NOA) data collection as part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP) to measure service provision and outcomes to support current and future services with the information they need to deliver efficient, effective and equitable prevention and care programmes.

The NOA data collection supports the NHS Long Term Plan, which aims to provide better outcomes for the patient.  It is a patient-level data set which covers all aspects of adult and child weight management services that are publicly funded by the NHS and the Department of Health and Social Care (DHSC) in England.

The NOA follows the patient journey from primary to secondary care, looking at all areas of weight management care, interventions and outcomes. For example, the data will show where patients are being placed out of area, where care packages are being changed frequently, and other evidence which may indicate poor outcomes for the patient, allowing this to be identified and addressed. 

Our role

Under data protection law, NHS England is the ‘controller’ for the NOA. This means that we make decisions about what personal data we need to collect and how we will use your data to conduct the NOA.

What data we collect

The NOA data collection includes both personal data and special categories of personal data relating to patients living with overweight or obesity, including:

  • Demographic information – such as NHS number, date of birth, postcode, sex and ethnicity
  • Health information – such as Body Mass Index (BMI), obesity related co-morbidities, healthcare interventions such as weight loss advice and bariatric surgery.

More information on the data used for the purposes of the NOA is available in the NOA dataset specification

Where we get your data from

The NOA makes use of data already held by NHS England in other data collections that we are responsible for managing.  This includes relevant data from the

NHS England collects the above datasets from health and care providers in community, primary and secondary care settings.

How we use your data

NOA data will be used for the purposes of informing policy and guidelines for managing obesity across the NHS and local authorities.  It will also be used for benchmarking and to enable NHS providers to maximise the use of their resources and to improve patient outcomes.

NHS England will analyse the data held in the NOA to carry out data quality checks, to pseudonymise the data (de-identify) and to derive values, for example turn date of birth into age. 

Data in the NOA may also be linked to other data that NHS England holds, including the Hospital Episode Statistics (HES), Cardiovascular Disease Prevention Audit (CVD Prevent) and the Community Services Data Set (CSDS).

NOA data is used to create regular statistical publications on the NHS England website including dashboards and an annual report.  All data published is anonymous and aggregate so that patients cannot be identified from the data.

The data collected for the NOA from the CVD Prevent Audit will not be used for performance management of GPs.

Our legal basis

Data protection law requires NHS England to have a legal basis before we can use your personal data.

Our legal basis is:

Legal obligation

Article 6(1)(c) of UK GDPR.  This is because the Secretary of State for Health and Social Care has issued NHS England with a Direction to analyse this data for NOA purposes. This Direction is called the National Obesity Audit Directions 2023

We also need an additional legal basis in the UK GDPR and the Data Protection Act 2018 (DPA 2018) to use data which is extra sensitive. This is known as ‘special categories of personal data’. Our legal basis to use data relating to your health and ethnicity is:

Substantial public interest 

Article 9(2)(g) of UK GDPR, plus Schedule 1, Part 2, Paragraph 6 “statutory etc and government purposes” of DPA 2018

Health or social care

Article 9(2)(h) of UK GDPR, plus Schedule 1, Part 1, Paragraph 2 “Health or social care purposes” of DPA 2018.

Who we share data with

We treat the data we hold with great care. All data which is shared by NHS England is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will ever be shared.

Data is shared or is expected to be shared with organisations such as healthcare providers, clinicians, and commissioners of NHS services, for example:

  • the organisation that provided your care: to assess the effectiveness of your care and to improve the services they offer
  • The Department of Health and Social Care: to inform policy and guidelines
  • organisations responsible for the commissioning of NHS services in England, such as Integrated Care Boards: to plan and improve weight management services and for benchmarking
  • local authorities: to help plan and improve weight management services
  • research organisations, including universities and charities: to carry out research

These organisations must apply for access to NOA data through NHS England’s Data Access Request Service.  Each application is assessed very carefully to make sure that the organisation: 

  • has a legal basis to access the data for that purpose 
  • will use the data for the benefit of health and care and for the agreed purposes only 
  • will handle and store the data securely 

We only share data which can identify you (identifiable data) if this is absolutely necessary and the organisation who has made an application for data cannot achieve their purpose without it.  Where possible we remove information from the data which identifies you, or we replace it with a unique reference number (this is known as pseudonymisation). 

Each organisation we share data with must sign a Data Sharing Framework Contract and a Data Sharing Agreement and we carry out audits to check they are using the data as agreed. 

Details about the NOA data we have shared with other organisations, except for anonymous data, will be published in the NHS England Data Uses Register

How long we keep data for

NHS England will keep NOA data for as long as it is necessary for the purposes outlined above in accordance with the Records Management Code of Practice 2021 and our Records Management Policy.

Other organisations we share your personal data with must only keep it for as long as is necessary and as set out in their Data Sharing Agreement. Information about this will be provided in their privacy notices on their websites.

Where we store data

We securely store your data on our servers in the United Kingdom (UK).

Your data protection rights

You can read more about the health and care information collected by NHS England, and your choices and rights in:

  • Your right to be informed – You have the right to be told how and why we are using your personal data.  We have published this transparency notice to provide you with this information
  • Your right to get copies of your data – You have the right to ask us for copies of your personal data (right of access). For more information, see how to make a subject access request
  • Your right to get your data corrected – You have the right to ask us to correct (rectify) your personal data if you think it is inaccurate or incomplete
  • Your right to limit how we use your data – You have the right to ask us to limit the way we use your personal data (restrict processing) in certain circumstances

To make a rights request, email us at england.contactus@nhs.net

Opt-outs

Type 1 opt-out

Patients that have registered a Type 1 opt-out with their General Practice will not have their data shared with NHS England for this collection. The Type 1 objection prevents an individual’s confidential patient information from being shared outside of their General Practice except when it is being used for the purposes of their direct care. More information on the Type 1 opt-out and how to request this is available.

National Data Opt-Out

The national data opt-out applies to identifiable patient data about your health which is called confidential patient information. If you do not want your confidential patient information to be shared by NHS England for purposes except your own care you can register a National Data Opt-out

You can find out more about and register a national data opt-out or change your choice on nhs.uk/your-nhs-data-matters.

Your right to complain

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at england.dpo@nhs.net.

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through their website.

Changes to this notice

We may make changes to this notice. If we do, the ‘last edited’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change

Last edited: 7 November 2023 5:48 pm