Filter by topic
Filter by content type
  1. Home

Epilepsy12 Privacy Notice for Families

Looking after your data properly and keeping it safe is important to us. Epilepsy12 is a national project which helps epilepsy services to improve the care they give to the children and young people they look after. The Royal College of Child and Paediatric Health (RCPCH) are commissioned by the Healthcare Quality Improvement Partnership (HQIP) to run Epilepsy12 on behalf of NHS England, Jersey and the Welsh Government.
Contents
Table of contents

Why are Health Boards and Trusts taking part in Epilepsy12?

We want to get better at looking after children and young people who have epilepsy. Health Boards and Trusts can help by collecting information on the care they provide to their patients. The RCPCH looks at this information and lets teams know where they are doing well and where they need to improve. The RCPCH will also tell Health Boards and Trusts how they are doing compared with others who are taking part. We collect data from all NHS Health Boards and Trusts providing care for children and young people with epilepsy in England, Wales and Jersey every year.

What data are we collecting, and why?

Epilepsy12 wants to find out how Health Boards and Trusts decide if a child or young person has epilepsy and how they look after them if they do. For example, we collect information on the types of medicine that children and young people with epilepsy receive, and the doctors and nurses that look after them and the care planning information they receive. You can see a list of all the information that Epilepsy12 collects on our website: www.rcpch.ac.uk/epilepsy12

The information we look at is known as personal data. The personal data we collect is:

  • Name
  • Date of birth
  • Gender
  • Ethnicity
  • Home postcode, and
  • NHS number (URN for Jersey).

NHS numbers help Trusts and Health Boards to identify children and young people eligible for the audit. Your Health Board or Trust already collects this information, so this isn’t something new for Epilepsy12.

England and Wales

Your personal data is protected by a law called UK GDPR. Under UK GDPR, anyone collecting your data needs to tell you all the reasons why they are doing so. This is called the legal basis. Because we are processing medical data, we need to get special permission from the NHS to do so. This is called section 251 approval and lets us collect patient identifiable data without explicit consent, as our aims are in the public interest. This is because the audit will help to improve the standards of paediatric epilepsy care. To find out more about section 251 approval, please visit the Health Research Authority website.

Processing is permitted under GDPR on the following legal bases:

Article 6 (1) (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This is justified through commissioning arrangements which link back to NHS England and the Welsh Government. (Public Task)

Article 9 (2) (i) processing is necessary for reasons of public interest in the area of public health (schedule 1(1)(3), such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. (Substantial Public Interest)

Jersey

In Jersey, processing is permitted under the Data Protection (Jersey) Law 2018, under the following legal basis

• Public interest under the common law duty of confidentiality

The results of the audit are published, from national, to NHS Trust level, on our Reporting Dashboards so you can see how your Health Board or Trust is doing. We also publish annual reports and patient and parent guides, which are publicly available on our website and via https://data.gov.uk/.

No identifiable data will ever be published.

International Transfer of Data between England and Jersey

As Jersey is outside of the UK, audit data collection is considered an international transfer under UKGDPR, so additional checks need to be undertaken to ensure that any personal data has an equivalent level of data protection in both countries. The UK is deemed adequate by the Jersey Office of the Information Commissioner, and the UK have deemed Jersey as having an adequate level of protection, so no further steps are required to ensure the transfer of your personal data between the UK and Jersey.

Do we share your data with anyone else?

The RCPCH will not send your personal data to anyone else unless they have permission to do so. If Epilepsy12 information is needed for other projects, such as audit service evaluation, research or other secondary uses, they will need permission from HQIP through their data-access request process. For HQIP to approve this request, the project must show that they follow the strict data protection policies described in HQIPs guidance to applicants, and must aim to improve care for children and young people with epilepsy. Data will only ever be shared in a pseudonymised format, which is where information that could identify you is removed or replaced (unless the requesting institution has its own legal basis for holding patient identifiable data).

After patient identifiers have been removed from the data in this programme, data may be used for secondary research purposes. HQIPs Overarching Research Database Approval for the NCAPOP permits this reuse under S.251 of the NHS Act 2006 (Reference 24/CAG/0108).

For more information on data sharing for uses outside of the Epilepsy12 audit programme, please see the NCAPOP privacy notice.

We follow UK GDPR when storing and using your personal data to keep it secure. So, your personal data will not be shared with countries outside the UK or EU.

Opting out of Epilepsy12

England and Wales

In England, the National Data Opt-Out service allows patients aged 13 or over (or those with parental responsibility for patients under 13) to opt out of their information being used for purposes beyond their direct care. The Secretary of State for Health and Social Care, having considered the advice from the Health Research Authority Confidentiality Advisory Group, has decided that the National Data Opt-Out will not be applied to Epilepsy12. 

This is because applying the National Opt-Out could introduce bias to the data and make it difficult to monitor care safety and quality within Health Board and Trusts. This could compromise quality of care and jeopardise patient safety. It could also reduce the impact of the data on improving care locally and nationally.

However, you can still opt out of your personal information being used for this audit. Please let your clinical team know and they will remove you from the submission so that we don't receive your data. Alternatively, you can contact the team directly at epilepsy12@rcpch.ac.uk and we will ensure that your personal identifiers are removed from our database. 

Jersey

To exercise your right to opt-out of your data being used for national audit and research, email the Jersey clinical audit team at HSSClinicalAuditDepartment@health.gov.je. You can also request that the processing of your data for national audit purposes is restricted through our online form. Data of Jersey patients who have opted out will be excluded from data flows to England. 

Can I opt out of the Epilepsy12 via any other means?

Yes. Wherever you attend clinic, you can opt out by asking your clinical team not to submit any data to the RCPCH for inclusion in the Epilepsy12 audit.

How long do you keep my data for?

The Epilepsy12 team at the RCPCH acts as the data processor on behalf of HQIP, NHS England and Digital Health and Care Wales, who are joint data controllers for the Epilepsy12 audit data. The RCPCH will hold the Epilepsy12 data for as long as it is contracted to deliver the Epilepsy12 audit. All data will be deleted or transferred back to HQIP within two weeks of the end of our contract, as per HQIP’s instructions.

Understanding your data rights

Please read our page on Understanding GDPR and your data rights to see the full description of rights relating to your personal data. The page also explains common words and phrases used in our privacy notices, and describes our use of artificial intelligence (AI). If you have any queries or would like to make any rights requests in relation to your patient record, please contact your Health Board or Trust directly.

In relation to the data we collect for the Epilepsy12 audit, to exercise your rights, please read the details below:

  • Right of Access: The personal data we hold about you is provided by your Health Board/Trust. We can let you know which categories of data we collect but you will need to contact your Health Board/Trust directly for a copy of your personal data as they are data controllers of your patient record.
  • Right to Erasure: The right of erasure does not apply to this audit because your data is being processed for the purposes of performing a task in the public interest, which in this case is for ensuring high standards of quality and safety health care.
  • Right to Object: Please see the ‘In England, can I opt out of the Epilepsy12 audit via the National Data Opt Out?’, ‘Can I opt out of the Epilepsy12 audit via any other means?’ and ‘Opting Out in Jersey’ sections above.
  • Right to Rectification: Any requests to amend or update your personal data should be sent to your Health Board/Trust as we are not data controllers of your patient information. If we receive any requests, we will forward these to the Health Board/Trust.
  • Right to Restriction: Any requests for restriction of processing should be sent to your Health Board/Trust and they will inform us where applicable. Any requests we receive will be forwarded to your Health Board/Trust.

Siaradwyr Cymraeg / Welsh Language Speakers

Hysbysiad Preifatrwydd Epilepsy12 i Deuluoedd

Mae edrych ar ôl eich data yn iawn a’i gadw’n ddiogel yn bwysig i ni. Prosiect cenedlaethol yw Epilepsy12 sy’n helpu gwasanaethau epilepsi i wella’r gofal maent yn rhoi i’r plant a’r bobl ifanc sy’n derbyn eu gofal. Mae’r Bartneriaeth Gwella Ansawdd Gofal Iechyd (HQIP) wedi comisiynu’r Coleg Brenhinol Iechyd Plant a Phediatreg (RCPCH) i redeg Epilepsy12 ar ran NHS England, Jersey a Llywodraeth Cymru.

Pam fod ysbytai a chlinigau yn cymryd rhan yn Epilepsy12?

Yr ydym eisiau bod yn well am ofalu am blant a phobl ifanc sydd ag epilepsi. Gall ysbytai a chlinigau helpu trwy gasglu gwybodaeth am y gofal maent yn ei ddarparu i’w cleifion. Bydd y RCPCH yn edrych ar y wybodaeth hon ac yn rhoi gwybod i dimau lle maent yn gwneud yn dda a beth sydd angen iddynt ei wella. Bydd y RCPCH hefyd yn dweud wrth ysbytai a chlinigau sut maent yn gwneud o gymharu ag eraill sy’n cymryd rhan. Byddwn yn casglu data o bob ysbyty a chlinig i blant a phobl ifanc sydd ag epilepsi yn Lloegr, Cymru a Jersey bob blwyddyn.  

Pa ddata ydym ni’n casglu, a pham?

Mae Epilepsy12 eisiau darganfod sut mae ysbytai a chlinigau yn penderfynu a oes gan blentyn epilepsi ac os felly, sut maent yn gofalu am y plentyn. Er enghraifft, byddwn yn casglu gwybodaeth am y mathau o feddyginiaeth mae plant ag epilepsi yn eu derbyn, a’r meddygon a’r nyrsys sy’n edrych ar eu holau. Gallwch weld rhestr o’r holl wybodaeth mae Epilepsy12 yn casglu ar ein gwefan: www.rcpch.ac.uk/epilepsy12 
Data personol yw’r enw am y wybodaeth y byddwn yn edrych arno. Dyma’r data personol y byddwn yn ei gasglu

  • Enw 
  • Dyddiad geni 
  • Rhyw 
  • Cpost y cartref, a 
  • Rhif GIG. 

Mae rhifau GIG yn helpu ysbytai a chlinigau i adnabod cleifion. Mae eich ysbyty neu glinig eisoes yn casglu’r wybodaeth hon, felly nid yw’n beth newydd i Epilepsy12.

Sail Gyfreithiol ar gyfer Prosesu, Cymru a Lloegr

Mae eich data personol yn cael ei ddiogelu gan gyfraith o’r enw GDPR y DU. Dan GDPR y DU, mae angen i unrhyw un sy’n casglu eich data ddweud wrthych yr holl resymau pam eu bod yn gwneud hynny. Y sail gyfreithiol (legal basis)  yw’r enw am hyn. Am ein bod yn prosesu data meddygol, rhaid i ni gael caniatâd arbennig gan y GIG i wneud hynny. Caniatâd adran 251 yw’r enw am hyn, ac mae’n gadael i ni gasglu data sy’n peri adnabod cleifion heb ganiatâd penodol, oherwydd bod ein nod er lles y cyhoedd. Mae hyn oherwydd y bydd yr archwiliad yn helpu i wella safonau gofal i’r sawl sydd ag epilepsi. I ddod i wybod mwy am ganiatâd adran 251, ewch at wefan yr Awdurdod Ymchwil Iechyd (Health Research Authority website).

Caniateir prosesu dan GDPR ar y seiliau cyfreithiol canlynol:

Erthygl 6 (1) (e) mae prosesu’n angenrheidiol i wneud tasg a gyflawnwyd er budd y cyhoedd neu wrth arfer awdurdod swyddogol a freiniwyd yn y rheolwr. Mae cyfiawnhad dros hyn trwy drefniadau comisiynu sy’n cysylltu’n ôl ag NHS England a Llywodraeth Cymru. (Tasg Gyhoeddus)

Erthygl 9 (2) (i) mae prosesu’n angenrheidiol am resymau budd y cyhoedd ym maes iechyd cyhoeddus (atodlen 1 (1) (3), megis amddiffyn rhag bygythiadau trawsffiniol difrifol i iechyd neu sicrhau safonau uchel o ansawdd a diogelwch gofal iechyd a chynhyrchion meddyginiaethol neu ddyfeisiadau meddygol, ar sail cyfreithiau’r Undeb neu Aelod-Wladwriaethau sy’n gwneud darpariaeth ar gyfer mesurau addas a phenodol i ddiogelu hawliau a rhyddid gwrthrych y data, yn benodol cyfrinachedd proffesiynol. Mae cyfiawnhad dros hyn gan mai nod Epilepsy12 yw sbarduno gwelliannau yn ansawdd a diogelwch gofal a gwella deilliannau i gleifion. Yn sail atodlen 1 (1) (3) DDD 2018 ‘budd iechyd cyhoeddus’ mae Rhan 1 adran 2 Deddf Iechyd a Gofal Cymdeithasol 2012. Mae hon yn gosod dyletswydd ar yr ysgrifennydd gwladol i wella ansawdd gwasanaethau iechyd. (Budd Cyhoeddus Sylweddol)

Ni fydd unrhyw ddata fydd yn peri eich adnabod fyth yn cael ei gyhoeddi.

Fyddwn ni yn rhannu eich data gydag unrhyw un arall?

Ni fydd y RCPCH yn anfon eich data personol at unrhyw un arall oni fydd ganddynt ganiatâd i wneud hynny. Os bydd angen gwybodaeth Epilepsy12 ar gyfer prosiectau eraill megis gwerthuso gwasanaeth archwilio, ymchwil neu ddefnydd eilaidd arall, bydd arnynt angen caniatâd gan HQIP. I HQIP ganiatáu’r cais hwn, rhaid i’r prosiect ddangos eu bod yn dilyn y polisïau diogelu data llym a ddisgrifir yng nghanllawiau HQIP i’r sawl sy’n gwneud cais, a rhaid iddynt fod â’r nod o wella gofal i blant ag epilepsi. Rhennir data ar ffurf wedi ei wneud yn ddienw yn unig, lle mae gwybodaeth a allai beri eich adnabod yn cael ei dynnu ymaith neu roi ffugenw yn ei le (oni fydd gan y sefydliad sy’n gwneud y cais ei sail gyfreithiol ei hun dros ddal data lle gellir adnabod cleifion).

Wedi i’r hyn sy’n peri adnabod cleifion gael ei dynnu o’r data yn y rhaglen hon, gall data gael ei ddefnyddio at ddibenion ymchwil eilaidd. Mae Caniatâd Cyffredinol Cronfa Ddata Ymchwil HQIP ar gyfer yr NCAPOP yn caniatáu ail-ddefnyddio fel hyn dan A.251 Deddf y GIG 2006 (Cyfeirnod 24/CAG/0108).

Am fwy o wybodaeth am rannu data at ddefnydd y tu allan i raglen archwilio Epilepsy12, gweler hysbysiad preifatrwydd yr NCAPOP – HQIP.

Rydym yn dilyn GDPR y DU wrth storio a defnyddio eich data personol er mwyn ei gadw’n ddiogel. Felly, ni fydd eich data personol yn cael ei rannu gyda gwledydd y tu allan i’r DU na’r UE.

Optio allan o Epilepsy12

Yn Lloegr, mae’r gwasanaeth Cenedlaethol Optio Allan o Ddata  yn caniatáu i gleifion 13 oed neu hŷn (neu’r sawl sydd â chyfrifoldeb rhieni dros gleifion dan 13) optio allan o gael eu gwybodaeth wedi ei ddefnyddio at ddibenion y tu hwnt i’w gofal uniongyrchol. Mae’r Ysgrifennydd Gwladol dros Iechyd a Gofal Cymdeithasol, ar ôl ystyried y cyngor gan Grŵp Ymgynghorol ar Gyfrinachedd mewn Ymchwil Iechyd, wedi penderfynu na fydd y gwasanaeth Cenedlaethol Optio Allan o Ddata yn cael ei gymhwyso i Epilepsy12.

Mae hyn oherwydd y gallai cymhwyso’r Optio Allan Cenedlaethol gyflwyno gogwydd i’r data a’i gwneud yn anodd monitro diogelwch ac ansawdd gofal mewn Byrddau ac Ymddiriedolaethau Iechyd. Gallai hyn beryglu ansawdd gofal a diogelwch cleifion. Gallai hefyd leihau effaith y data ar wella gofal yn lleol a chenedlaethol.

Fodd bynnag, gallwch ddal i optio allan o gael eich gwybodaeth bersonol wedi ei ddefnyddio ar gyfer yr archwiliad hwn. Rhowch wybod i’ch tîm clinigol ac fe wnânt hwy eich tynnu allan o’r cyflwyniad fel na fyddwn yn derbyn eich data. Dewis arall yw i chi gysylltu’n uniongyrchol â’r tîm ar epilepsy12@rcpch.ac.uk ac fe wnawn yn siŵr fod unrhyw beth sy’n peri eich adnabod yn bersonol yn cael ei dynnu allan o’n cronfa ddata. 

Alla’i optio allan o’r Epilepsy12 trwy unrhyw ddulliau eraill?

Gallwch. Pryd bynnag y dewch i’r clinig, gallwch optio allan trwy ofyn i’ch tîm clinigol beidio â chyflwyno unrhyw ddata i RCPCH i’w gynnwys yn archwiliad Epilepsy12.

Am ba hyd y byddwch yn cadw data amdanaf?

Mae’r tîm Epilepsy12 yn y RCPCH yn gweithredu fel prosesydd data ar ran yr HQIP, sydd yn rheolwyr data i ddata Epilepsy12. Bydd y RCPCH yn dal data Epilepsy12 cyhyd ag y bydd dan gontract i gyflwyno Epilepsy12. Caiff yr holl ddata ei ddileu neu ei drosglwyddo’n ôl i’r HQIP o fewn pythefnos o derfyn ein contract yn ôl cyfarwyddiadau’r HQIP.

Deall eich hawliau data

Darllenwch ein tudalen ar Ddeall GDPR a’ch Hawliau Data (Understanding GDPR and your data rights)  i weld disgrifiad llawn o’ch hawliau sy’n ymwneud â’ch data personol. Mae’r dudalen hefyd yn esbonio geiriau ac ymadroddion cyffredin a ddefnyddir yn ein hysbysiadau preifatrwydd ac yn disgrifio sut yr ydym yn defnyddio deallusrwydd artiffisial (AI). Os oes gennych unrhyw ymholiadau neu yr hoffech wneud unrhyw geisiadau hawliau yng nghyswllt eich cofnod fe claf, cysylltwch yn uniongyrchol â’ch uned.

O ran y data a gasglwn i archwiliad Epilepsy12, i arfer eich hawliau, darllenwch y manylion isod:

  • Hawl i Gyrchu: Mae’r data personol a ddaliwn amdanoch yn cael ei ddarparu gan eich uned. Gallwn roi gwybod i chi pa gategorïau o ddata a gasglwn ond bydd angen i chi gysylltu’n uniongyrchol â’ch uned am gopi o’ch data personol am mai hwy yw rheolwyr data eich cofnod fel claf.
  • Hawl i Ddileu: Nid yw’r hawl i ddileu yn gymwys i’r archwiliad hwn oherwydd bod eich data yn cael ei brosesu er mwyn gwneud tasg er budd y cyhoedd, sef yn yr achos hwn, sicrhau safonau uchel o ansawdd a diogelwch mewn gofal iechyd. 
  • Hawl i Wrthwynebu: gweler yr adrannau ‘Yn Lloegr, alla’i option allan o Epilepsy12 trwy’r gwasanaeth Cenedlaethol Optio Allan o Ddata?’,‘Alla’i optio allan o Epilepsy12 trwy unrhyw ddulliau eraill?’
  • Hawl to Gywiro: Dylai unrhyw geisiadau i newid neu ddiweddaru eich data gael ei anfon at eich uned gan nad ni yw rheolwyr data’r wybodaeth amdanoch fel claf. Os byddwn yn derbyn unrhyw geisiadau, byddwn yn eu hanfon ymlaen at yr uned.
  • Hawl i Gyfyngu: Dylai unrhyw geisiadau am gyfyngu ar brosesu gael eu hanfon at eich Ymddiriedolaeth ac fe fyddant hwy yn rhoi gwybod i ni lle bo hynny’n gymwys.

 

Gwybodaeth bellach a sut i gysylltu â ni 

Os hoffech fwy o wybodaeth am Epilepsy12, cysylltwch ag epilepsy12@rcpch.ac.uk neu ffoniwch ni ar 020 7092 6167. Os oes gennych unrhyw gwestiynau neu bryderon am y modd y rhennir eich gwybodaeth at ddibenion yr archwiliad, cysylltwch yn gyntaf â’ch tîm epilepsi. 

NHS England a HQIP yw cyd-reolwyr data yr archwiliad hwn. Mae modd cysylltu â HQIP hefyd os oes gennych unrhyw gwestiynau neu bryderon am y modd mae eich gwybodaeth yn cael ei ddefnyddio ar gyfer yr archwiliad: data.protection@hqip.org.uk.  Os oes gennych unrhyw bryderon am y modd mae eich data personol yn cael ei brosesu gan y RCPCH, gallwch hefyd gysylltu â Swyddog Diogelu Data y RCPCH: information.governance@rcpch.ac.uk

Os ydych yn byw yn y DU, mae gennych hawl hefyd i gyflwyno cwyn i’r ICO os oes gennych bryderon am y modd mae eich data personol chi/eich plentyn yn cael ei drin: casework@ico.org.uk.
 

Further information and how to contact us

If you would like more information about Epilepsy12, please contact epilepsy12@rcpch.ac.uk or call us on 020 7092 6157. If you have any questions or concerns about how your information being shared for the purposes of the audit, please first contact your epilepsy clinical team.

HQIP, NHS England and Digital Health and Care Wales are the joint data controllers of this audit. HQIP can also be contacted if you have any questions or concerns how your information is being used for the audit: data.protection@hqip.org.uk. If you have any concerns about how your personal data is being processed by RCPCH, you can also contact RCPCH’s Data Protection Officer: information.governance@rcpch.ac.uk.

If you live in the UK ,you do also have the right to lodge a complaint with the ICO if you have concerns about the way your/your child’s personal data is being handled: casework@ico.org.uk. If you live in Jersey you can complain to the Jersey Office of the Information Commissioner.

Last Updated 10 October 2025