NCEPOD's Information Governance policies and procedures
We have also created the following documentation to clearly detail the policies and procedures we have in place:

To view our to Information Security, Confidentiality and Data Protection Policy please click here.
To view our Information Security Procedures please click here.
To view our Information Governance Framework please click here.
To view our Data Protection Impact Assessment please click here.
To view our Privacy Notice please click here
To view our Data Flow Diagram please click here
To view our Processing Register please click here

The General Data Protection Regulation 2016

NCEPOD is committed to maintaining a recognised level of best practice for its information security procedures. In 2016 we undertook an external audit of our information security procedures and will undertake another by 2020. Recommendations from the audit were acted upon and our information security procedures have been formulated in conjunction with the International Standard ISO/IEC 27001:2013. 'Information technology – Code of practice for information security management'.

All NCEPOD staff manage data according to the information security procedures as a means of ensuring integrity and confidentiality of data submitted to NCEPOD. The procedures apply to both physical and electronic data formats.

Although the GDPR 2016 does not apply to deceased patients. NCEPOD will apply its standards to all data regardless of patient outcome.

Our legal basis for collecting information
The legal bases for collecting and using personal data are:
Public Task
We collect only the information that is necessary to carry out our function and avoid collecting information that will not be used. This is received from healthcare providers, such as NHS Trusts and Health Boards. To see what information is held in your healthcare record please contact your local Trust or Board.
Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.


Where people sign up to receive newsletters and updates, attend events or work with NCEPOD consent is received for us to store and process personal data.


For example, this is the basis we use when it is necessary for us to take specific steps before entering into a contract with you to supply you a service or vice versa.

Legal obligation

For example, this is the basis we use when it is necessary for us to comply with the law (not including contractual obligations) because we are required to keep documentation to produce in court proceedings.

Legitimate interests

This basis is used to allow us to hold information as evidence should we need it in the future, for example, if you ask us to unsubscribe you from our newsletter.

Common Law Duty of Confidentiality

We apply the Common Law Duty of Confidentiality to all data we hold.

Article 9 condition for processing special category data:

• 2(i) - processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

NCEPOD is registered with the Information Commissioner's office for the purpose of data protection: number Z5442652.

To view our registration on the Information Commissioner's office website click here.

The NHS Act 2006 – Section 251 - England & Wales
Whilst the Government has stated that consent is the fundamental principle governing the use of patient identifiable information by any part of the NHS or research community they have recognised that in some instances that this approach may be difficult. Section 251 of this Act therefore provides the Secretary of State for Health with a power to authorise that patient identifiable data can be used and provides support for the breach in confidentiality. Section 251 approval has been granted to NCEPOD through the Health Research Authority Confidentiality Advisory Group (HRA-CAG). An annual review ensures our method remains acceptable.

The current status of all applications can be viewed on online at

  • For the Medical & Surgical studies follow the 2001-2008 approved applications link and look for A0077.
  • For the Child Health studies follow the April 2013 award approved non-research applications link and look for A1019.
Annual review and amendments for current studies are listed here;

Health Research Authority (HRA) – Ethics Approval
At the present time the HRA have agreed that it is not necessary for NCEPOD to obtain ethics approval for our work, the reasons are listed below:
  1. Our work is a ‘confidential enquiry’ and not research or audit – we do not interact directly with patients or have influence in the treatment of an individual.
  2. We have approval to continue without consent under Section 251 of the NHS Act 2006.
  3. Some of the cases we investigate are deceased patients.
  4. Our work is supported by Government Departments and the GMC.

NHS - Data Security and Protection Toolkit

Every year we complete this online assessment tool for the purposes of improving our internal information governance procedures and policies.

Requesting access to anonymised datasets

Data access should be requested through HQIP. HQIP's data access request process is here.