Privacy notice and data flows

MBRRACE-UK collects personal and identifiable data for all women who die during pregnancy or up to one year after the end of pregnancy in England, Wales and Scotland. Similar data are collected about babies and their mothers for all eligible perinatal deaths. As part of the confidential enquiries, personal and identifiable data is also collected for smaller subsets of women or babies who had serious complications or illnesses but recovered.

Personal and identifiable data collected for women and babies is limited to what is essential for checking against routine data sources, such as name and NHS number, or that which enables monitoring of trends over time or between different regions/groups, such as postcode or ethnicity. This information is collected directly from hospitals using a secure electronic data collection system and is only made available to a small group of specified individuals in the MBRRACE-UK team. All information provided to assessors for review as part of the confidential enquiry process is fully anonymised before sharing.

The information that we receive from Northern Ireland and the Republic of Ireland does not contain personal identifiers.

Privacy issues in Northern Ireland restrict identifiable information from being transferred out of the province. As such, all surveillance data and medical records are collected by the Northern Ireland Maternal and Child Health (NIMACH) office of the Public Health Agency of Northern Ireland Anonymised data and records are then provided to MBRRACE-UK by the NIMACH office.

The deaths of women during pregnancy or up to a year after pregnancy in the Republic of Ireland are not reported as part of MBRRACE-UK's routine maternal surveillance but are included in maternal confidential enquiries. All information and case records for the women who die are collected by the Maternal Death Enquiry (MDE) Ireland and fully anonymised before being sent to the MBRRACE-UK office.

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the 'data controller' determines the purpose for data processing and bears responsibility for any collected data. For the Maternal, Infant and Newborn Clinical Outcome Review Programme (MINI-CORP) delivered by MBRRACE-UK, the Healthcare Quality Improvement Partnership (HQIP) is the main data controller working in partnership with joint data controllers in each of the devolved nations.

HQIP and NHS England are joint data controllers for data relating to England and English residents. HQIP and Digital Health and Care Wales (DHCW) are joint data controllers for data relating to Wales and Welsh residents. HQIP and the Scottish Government are the independent data controllers for data relating to Scotland and Scottish residents. For the rest of the UK, HQIP is the sole data controller.

MBRRACE-UK acts as the 'data processor' on behalf of HQIP. This means that MBRRACE-UK collects, stores and uses the data controlled by HQIP. Data processing is carried out by the MBRRACE-UK teams who are based at the National Perinatal Epidemiology Unit (NPEU) at the University of Oxford and at the University of Leicester.

The legal basis under which MBRRACE-UK processes personal data is Article 6(1)(e) of GDPR, which is processing necessary for the performance of a task carried out in the public interest.

The legal basis under which MBRRACE-UK processes special category data is Article 9(2)(i) of GDPR, where processing is necessary for reasons of public interest in the area of public health including ensuring high standards of quality and safety of health care.

The legal basis of the Data Protection Act 2018 under which MBRRACE-UK processes special category data is Schedule 1(1)(3)'public health' underpinned by the Health and Social Care Act 2012 Part 1 section 2.

England and Wales

In England and Wales we collect confidential patient information (including identifiable information) without consent with Secretary of State approval following an application to the Confidentiality Advisory Group (CAG) of the Health Research Authority under s251 of the NHS Act 2006 (England and Wales) which sets aside the common law duty of confidentiality (15/CAG/0119).

Scotland

In Scotland the test of public interest is applied by the Public Benefit and Privacy Panel for Health and Social Care (Scotland) (HSC-PBPP). We have approval from PBPP (reference 2223-0101) for processing confidential patient information in Scotland.

Northern Ireland

We do not receive confidential patient information from Northern Ireland except with consent.

MBRRACE-UK has a legal duty to keep all information confidential and secure. No information that identifies individuals is collected or shared unless there is a legal basis to do so and MBRRACE-UK holds all data and records in the strictest confidence.​​​​

The University of Oxford has strict security measures to protect personal identifiable data against unauthorised access, unlawful use, accidental loss, corruption or destruction. These include 'technical measures' such as encryption and passwords to protect individual datasets and the systems holding datasets and 'operational measures' such as limiting the number of people who have access to databases holding identifiable information.

Personal identifiable data collected and stored by MBRRACE-UK is not shared with anyone or used for any purposes outside of the commissioned programme of work unless there are special permissions in place. As a data controller, HQIP can authorise the sharing of MBRRACE-UK data for the purpose of quality improvement, including research, service evaluation and audit, provided that certain conditions and permissions are met. Anonymised data may also be shared with other groups for the purpose of health and care research but these data do not include any information that enables the identification of individuals. Eligible third parties looking to access MBRRACE-UK data can submit a Data Access Request to HQIP.​​​​​​