Privacy Policy

NELA Privacy/Fair Processing Notice

What is the aim of the National Emergency Laparotomy Audit?

NELA is commissioned by the Healthcare Quality Improvement Partnership (HQIP) as part of the National Clinical Audit Programme on behalf of NHS England and the Welsh Government.

The National Emergency Laparotomy Audit (NELA) is being carried out by the Royal College of Anaesthetists.

The NELA aims to improve the quality of care for patients undergoing emergency bowel surgery (emergency laparotomy) through the provision of high quality comparative information from hospitals in England and Wales who undertake emergency laparotomies.

What information do we collect about you and how do we use this?

We collect information about the care patients receive whilst they are in hospital. This includes information about the investigations and treatment received, how long it took for different parts of treatment to be given, and whether a patient went to a critical care bed after surgery. The personal information we collect is name, date of birth, NHS number, postcode and sex.
NELA patient data is submitted directly to NELA by clinical teams treating the patient or from the hospital records.
NELA will not publish information that can enable individual patients to be identified.

By collecting and sharing this information, we are able to highlight areas where hospitals are doing well, and areas in which they can improve the quality of care for patients so that they can put plans in place to achieve this. It will also allow hospitals to compare themselves with others in England and Wales and in doing so improve the quality of care by sharing examples of good practice.


Data Controller

As funders and commissioners of the NELA NHS England, Digital Health and Care Wales, and HQIP are the joint data controllers for the patient data submitted to the audit i.e. they are the organisations in control of processing the data.

Legal bases for processing personal data

Under GDPR the following legal bases apply: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (1) (e) and Article 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. The lawful basis according to the Data Protection Act Schedule 1 is Condition 3 (public health).

Under the Common Law Duty of Confidentiality (CLDC), NELA uses Section 251 as its legal basis to meet the CLDC.

NELA currently has approval under Section 251 to collect patient level data (reference number: CAG 5-07(d)/2013) for all emergency laparotomy patients admitted to hospital.

The rationale for this is that as many emergency laparotomy patients are extremely unwell before and after they have had an emergency laparotomy, it would not be feasible to ask all patients for their consent.

How we protect your data

The RCoA takes the security of your data seriously. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Local clinical teams enter patient data into a secure web-based tool provided by
Netsolving Ltd.

Only the hospitals participating via the doctors, nurses and clinical audit staff and the NELA project team will have access to the web-based tool. Security and confidentiality is maintained through the use of passwords and a person specific registration process.

Patient confidentiality and level of data collected

The patient information received and managed by the NELA team is treated as confidential. The information is only available to the NELA team in a pseudonymised format, with individual patients only distinguished by a computer-generated sequence of numbers. This data will be retained for the duration of the audit.

We maintain the confidentiality and security of patient information in the following ways:

  • All reports are produced at an aggregate level (national, regional, hospital).
  • In each audit publication, the statistical information is reviewed to ensure the risk of identification is minimised, and where necessary, small numbers are suppressed. This assessment follows guidelines issued by the Office for National Statistics - Review of the Dissemination of Health Statistics: Confidentiality Guidance.

Management of patient data by the NELA team

The NELA team are based at the Royal College of Anaesthetists (RCoA) and the Royal College of Surgeons of England (RCS). Both the RCoA and RCS conform to the General Data Protection Regulation (GDPR) and other legislation that relates to the collection and use of patient data, and have strict security measures in place to safeguard patient information. NELA stores the pseudonymised patient data on a secure computer to which only authorised audit team members have access. The IT system has various levels of security built into it, including:

  • ID password security: the data is stored on a password protected system, which prevents unauthorised users gaining access.
  • The stored data files are encrypted.

Who we share data with

NELA only shares patient-level data following a strict governance procedure to ensure compliance with the General Data Protection Regulation (GDPR). NELA has permission to link patient-level data with other national databases on a case-by-case basis. NELA holds a current Data Sharing Agreement with:

  • NHS Digital for the English hospital data (Hospital Episode Statistics)
  • Office for National Statistics (ONS) for the death register
  • National Wales Informatics Service (NWIS) for the Welsh hospital data (Patient Episode Database for Wales - PEDW)


Linkage with HES data enables NELA to compare the number of records submitted to NELA with the number recorded retrospectively in HES to ensure high data quality. This linkage also enables analyses on the associations between those undergoing emergency laparotomies and other medical conditions. Linking with ONS data allows NELA to report mortality rates in the first 30 days after patients are admitted to hospital. Linkage with PEDW data enables NELA to compare the number of records submitted to NELA with the number recorded retrospectively in PEDW data to ensure high data quality.

Researchers may apply to NELA's Data Controller (the Healthcare Quality Improvement Partnership, HQIP), for access to NELA data. These requests undergo a stringent approvals process as outlined here.

The RCoA also have a contract with Harbor Solutions Limited to provide data backup services for all data at the RCoA, including NELA data. This is to ensure that data originating at the RCoA continues to be available in the event of technological failure at the RCoA, or any other issues at the RCoA which may render local data unavailable or unusable. According to the principles of GDPR, Harbor Solutions Limited act as a data processor in this capacity. No patient identifiable data is stored with Harbor. Harbor are legally obligated to protect and keep confidential the data they backup.

Can I ask for my data not to be collected?

In 2018, the NHS decided that people should have the right to 'opt out' of having their data included in such audits. However, NELA is exempt from this as losing even a small number of cases could provide the wrong picture about a hospital's performance.

What if I still want to opt out?

Send an email to NELA@rcoa.ac.uk and put 'patient request to opt-out' in the subject line or call the NELA team at 0207 092 1580. We will then contact your hospital to request that they do not enter your details into the audit. If your data has already been collected, we may be able to delete it if it has not already been used for audit analyses.


Changes to our privacy policy

We keep our privacy policy under regular review and we will always include the latest version on this web page.

Who can I contact about this notice?

RCoA has a Data Protection Officer who can help you with any queries about the information in this privacy notice: dpo@rcoa.ac.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority in the UK responsible for the implementation and enforcement of data protection law, if you have concerns about the way your personal data is being handled. You can contact the ICO via their website: www.ico.org.uk/concerns or by calling their helpline: 0303 123 1113.

Privacy Policy Last Updated August 2022.