Hospital Episode Statistics Privacy Impact Assessment Report

A Privacy Impact Assessment (PIA) is an assessment made at a point in time and as such is a position statement of that point in time.

The purpose of a PIA is to:

  • explain and justify in law how personal data about individuals are used
  • identify and assess privacy risks
  • propose actions to mitigate or avoid those risks.

They aim to provide transparency over the processing of personal data, and citizens should be able to respond to the analysis and proposals contained in a Privacy Impact Assessment.

PIAs are not forward-looking and as such will be reviewed/assessed as necessary in terms of legislative or process changes.

Background to the Hospital Episode Statistics PIA

Hospital Episode Statistics are records held by NHS Digital about patient stays and visits to hospitals in England. 

They are used for a variety of purposes, including the commissioning and management of health and care services, and research.

HES is a national data store of individual health records and sensitive information dating back to the 1990s. As such it is bound by strict privacy controls, including a Privacy Impact Assessment that is open to public comment and scrutiny - as recommended by the Information Commissioner's Office (ICO).

In the summer of 2016 we asked you to comment on a report from a PIA of Hospital Episode Statistics initially carried out in 2014. We asked you to complete a three-question survey, and comment on the draft report during a three-month period.

What you told us

13 people answered survey questions and responded as follows:

  • How robust was the HES PIA report? - very robust (2) / fairly robust (5) / neither robust nor weak (5) / fairly weak (0) / very weak (0)
  • How comprehensive are the recommendations? - very comprehensive (3) / fairly comprehensive (2) / neither adequate nor inadequate (3) / less than comprehensive (0) / inadequate (0)
  • Are the actions taken by NHS Digital since 2014 to address the recommendations sufficient and proportionate? - yes, sufficient or more than sufficient (0) / broadly sufficient and proportionate (6) / neither sufficient nor insufficient (0) / less than sufficient and proportionate (2) / no, far short of sufficient and proportionate (5) 

Respondents could also provide free text comments, and if they did, they could choose to give an email address so a response could be provided to each of their comments.

Eight people/organisations chose to provide an email address and each has received a response to each of their comments.

What we did

A variety of comments were made that resulted in changes to the report, including: 

  • A new section on HES purposes and benefits;
  • A clarification to the analysis of the legal basis for HES data flows to reflect new information provided about an unpublished 2005 Direction;
  • A correction to the scale of HES (to "around 1 billion" HES records); and
  • Amendments to the risk analysis.

The revised report is available here: Hospital Assessment Statistics Privacy Impact Assessment report [3Mb]

What happens next

We agreed to undertake an additional piece of work to review all of the report recommendations and take action where appropriate.
