CLEAR and data privacy

Welcome to 33n Ltd’s (33n) privacy notice for the National CLEAR Programme. CLEAR is supported by the NHS and delivered by 33n, a company of NHS clinicians, data analysts and data scientists. 33n is a “data controller”, which means 33n controls all data relating to the National CLEAR Programme and is responsible for deciding how personal information is processed. 33n is required under data protection legislation to notify you of the information contained in this privacy notice. 

The below privacy notices are unique to firstly service users, and secondly to healthcare providers and other members of staff either employed at the organisation taking part in a project, as part of the National CLEAR Programme, or by other organisations associated with the delivery of care at the organisation where the project is taking place.  

33n respect your privacy and are committed to protecting your personal data. This privacy notice will inform you how we look after your personal data, when it is used as part of a project for the National CLEAR Programme and it will tell you about your privacy rights and how the law protects you, in accordance with the UK General Data Protection Regulation (GDPR). 

This privacy notice is provided in a layered format so you can click through to the specific areas set out below. 

If you have any questions or concerns about the below or would like to know more, please contact 33n’s Data Protection Officer (DPO) by emailing dpo@33n.co.uk. 

You also have the right to make a complaint to the Information Commissioner’s Office (ICO) which is the UK supervisory authority for data protection issues. You can find out more on the ICO website. 

Privacy notice for service users

Privacy notice for staff

Privacy notice for service users

Last updated June 2023 

This privacy notice applies to all service users that have attended, or may attend, a site or service that is taking part in a project as part of the National CLEAR Programme, within the agreed timeframe of the data extract. In this privacy notice, “you” or “your”, refers to service users that have attended, or may attend, a site or service that is taking part in a project as part of the National CLEAR Programme, within the agreed timeframe of the data extract.  

If you have any questions or concerns about the below or would like to know more, please contact 33n’s Data Protection Officer (DPO) by emailing dpo@33n.co.uk. 

You also have the right to make a complaint to the Information Commissioner’s Office (ICO) which is the UK supervisory authority for data protection issues. You can find out more on the ICO website. 

individuals

The personal data 33n collects about you is ‘non-identified’ meaning no confidential patient information is used.  33n does not collect names, NHS numbers, residential addresses, dates of birth, or any other contact details. 33n does not use ‘unstructured’ data e.g. service user notes, as this cannot be organised in a predefined manner. 

From commencement of a CLEAR project, 33n will collect, store, and use the following categories of personal information about you: 

  • Service user demographic data: including gender, age at attendance, race/ethnicity data and Lower Layer Super Output Area codes. 
  • Data concerning physical and/or mental health or condition: this may include care data (medication, allergies, blood results etc); attendance and pathway data (length of stay, arrival and discharge times etc); risk assessment data; and clinical classifications and coding (treatment codes, diagnosis codes etc). 

33n does not collect data directly from you. CLEAR projects use data collected from healthcare organisations through the provision of care. This data is shared with 33n so clinicians can analyse the data for the purposes of a CLEAR project. Your healthcare provider will extract the required data from their patient record system and share it with us using a secure, encrypted channel to our UK-based servers. 

There are strict data agreements in place and both 33n and healthcare providers work closely together to ensure the process complies with national data protection laws. 

All personal information that is used will be ‘non-identified’ (see ‘What data do you collect about me?’) and will only be used when the law allows it. The lawful basis for using your information on a CLEAR project is legitimate interests. 

It is also possible that there may be some circumstances where 33n use your data where we need to comply with a legal obligation. 

CLEAR projects 

CLEAR projects use your personal data to establish an activity baseline that allows clinicians to understand the volume and type of clinical activity and demand in a service. This understanding supports the development of recommendations for new models of care and workforce, that align with local demand, reflect local operational constraints, and optimise opportunities, to improve the delivery and experience of patient care and overall well-being of the workforce and patients.  

Improving tools and services for CLEAR projects 

We will use your personal data to help improve and introduce new tools and services relating to CLEAR projects. These tools and services will be on both a health service provider basis, and on a regional, national, or other aggregated basis. Both bases are designed to enable effective deployment of members of the healthcare workforce, improve the wellbeing of both workforce and service users and improve the overall care and experience of patients. 

Marketing and training members of the CLEAR project team 

33n will anonymise and/or aggregate your personal data for the purpose of marketing and promoting CLEAR and to train our employees, staff, and other participants in the CLEAR programme in the use of CLEAR tools and/or services. 

Change of purpose 

33n will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 

Automated decision-making 

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances: 

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  3. In limited circumstances with your explicit written consent and where appropriate measures are in place to safeguard your rights.

You will not be subject to decisions, as part of a CLEAR project, that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you. 

We do not envisage that any decisions will be taken about you using automated means, however, we will notify you in writing if this position changes. 

We will never share your personal data with any third parties. 

33n uses third-party processing tools and, as a result, may make limited amounts of international transfers as part of a processing tool’s data redundancy and back-up, policies and procedures. All such transfers are governed by suitable safeguards, specifically use of Standard Contractual Clauses, which ensure your personal information is treated by those third parties in a way consistent with, and which respects, EU and UK laws on data protection.   

If you require further information about this protective measure, you can request it from the DPO (dpo@33n.co.uk). 

33n will only retain your personal information for as long as necessary to fulfil the purposes we collected it for including for the purposes of satisfying any legal or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from the DPO (dpo@33n.co.uk).    

To determine the appropriate retention period for personal data 33n consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.  

We may anonymise your personal information so that it can no longer be associated with you in which case we may use such information without further notice to you. 

33n will only retain your personal information for as long as necessary to fulfil the purposes we collected it for including for the purposes of satisfying any legal or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from the DPO (dpo@33n.co.uk).

To determine the appropriate retention period for personal data 33n consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.

We may anonymise your personal information so that it can no longer be associated with you in which case we may use such information without further notice to you.

Your legal rights 

Under certain circumstances, by law you have the right to: 

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. 
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. 
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you if, for example, you want us to establish its accuracy or the reason for processing it. 
  • Request the transfer of your personal information to another party.  

If you want to review, verify, correct or request erasure of your personal information; object to the processing of your personal data; or request that we transfer a copy of your personal information to another party, please contact the DPO at by emailing dpo@33n.co.uk. 

No fee usually required 

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). 33n may, however, charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, 33n may refuse to comply with the request in such circumstances. 

What we may need from you 

33n may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. 

33n reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.  

If you have any questions about this privacy notice, please contact the DPO at dpo@33n.co.uk. 

Join the CLEAR
programme

Get in touch with us if you would like to discuss
a potential project and/or opportunities for your
clinical staff.