Epilepsy12 - transparency and open data

Outlier policy

The Epilepsy12 audit manages outlier identification using the RCPCH detection and management of outlier status policy. This includes the outlier measures, identification and notification processes.

The two epilepsy indicators used for outlier analyses are:

• Access to Epilepsy specialist nurse (ESN): The proportion of children and young people diagnosed with epilepsy who were seen by an ESN in their first year of care
• Tertiary input: The proportion of children and young people diagnosed with epilepsy, meeting defined criteria for tertiary input, that had tertiary input in their first year of care

'Non-participation' outliers are identified from 2025 to align with NHS England guidance:

• Eligible Health Boards and Trusts that did not submit any first year of care forms for the current cohort

Download the Epilepsy12 outlier policy below 

See outlier results of the latest report

Information governance

The aim of Epilepsy12 is to help improve the standard of care for children and young people with epilepsies and to be able to do this the audit will collect and process patient-identifiable data.

By collecting and processing such information the audit is able to highlight areas where hospitals and clinics are doing well and also identify areas in which they need to improve.

Download our Data Protection Impact Assessment (DPIA)

National Data Opt-Out exemption (England only)

Epilepsy12 has an exemption to the National Data Opt-Out (NDO) - as granted by the Secretary of State for Health and Social Care, having considered advice from the Health Research Authority Confidentiality Advisory Group - because applying the NDO would introduce biases to the data and make it difficult to monitor care safety and quality at Trust level, thus risking quality of care and patient safety.

This means:

• Healthcare providers do not need to screen patients again on the NDO list prior to data entry
• However, patients can still opt out of Epilepsy12 separately from the NDO

See how we use patient data and how patients can withdraw from Epilepsy12  

See NHS Digital guidance on compliance with NDO and about NDO for health and care staff

Download our CAG letters below 

Data protection impact assessment

Epilepsy12 aims to help improve the standard of care for children and young people with epilepsies. In order to highlight areas where hospitals and clinics are doing well and areas in which they need to improve, we collect and process patient-identifiable data.

Download our Data Protection Impact Assessment (DPIA)

Privacy

RCPCH and Epilepsy12 project team members take their responsibilities for maintaining the security of patient-identifiable data extremely seriously.

See Epilepsy12 privacy notice (in English and Welsh)

What is Epilepsy12?

Epilepsy12 is an important national project which helps epilepsy services to measure and improve the quality of care for children and young people with epilepsies. The Royal College of Paediatrics and Child Health (RCPCH) are commissioned by the Healthcare Quality Improvement Partnership (HQIP), as part of their National Clinical Audit and Patient Outcomes Programme (NCAPOP). This means that we were chosen to run Epilepsy12 on behalf of NHS England, Jersey and the Welsh government. 

Why are hospitals and clinics taking part in Epilepsy12?

We want to get better at looking after children and young people who have epilepsy. Hospitals and clinics can help by collecting important information on the care that they provide to their patients. The RCPCH will look at this information and let teams know where they are doing well and what they need to get better at. The RCPCH will also tell hospitals and clinics how they are doing, compared with others who are taking part. 

All hospitals and clinics in England, Jersey and Wales that care for children and young people with epilepsy should take part in Epilepsy12.  

What information does Epilepsy12 collect?

Epilepsy12 wants to find out how hospitals and clinics decide if a child has epilepsy and how they look after them if they do. For example, we collect information on the types of medicine that children with epilepsy receive and the doctors and nurses that look after them. You can see a list of all the information that Epilepsy12 collects on our website: www.rcpch.ac.uk/epilepsy12.

The private information, known as personal data, collected by Epilepsy12 includes patient’s name, date of birth, gender, home postcode and something called their "NHS" number. NHS numbers help hospitals and clinics to identify patients. Your hospital or clinic already collects this information, so this isn't something new for Epilepsy12.

International Transfer of Data between England and Jersey 

As Jersey is outside of the UK, this is considered an international transfer under UKGDPR, so additional checks need to be undertaken to ensure that any personal data has an equivalent level of data protection in both countries. The UK is deemed adequate by the Jersey Office of the Information Commissioner, and the UK have deemed Jersey as having an adequate level of protection, so no further steps are required to ensure the transfer of your personal data between the UK and Jersey. 

NHS numbers help hospitals and clinics to identify patients. ‘URN’ numbers are used in Jersey in place of NHS numbers. Your hospital or clinic already collects this information, so this isn't something new for Epilepsy12.

What happens to the private information?

Epilepsy services enter your information collected for Epilepsy12 onto a safe and secure website. This website can only be accessed by staff working in hospitals and clinics who have the right access permissions, or those working on the Epilepsy12 project at the RCPCH.

The RCPCH will not send your private information to anyone else unless they have permission to do so. If Epilepsy12 information is needed for other projects to compare services in England, Jersey and Wales, they will need permission from HQIP. For HQIP to approve this request, the project must show that they follow the strict data protection policies described in HQIP’s guidance to applicants and must aim to improve care for children with epilepsy. Data will only ever be shared in a pseudonymised format, which is where information that could identify you is removed or replaced (unless the requesting institution has its own legal basis for holding patient-identifiable data).

We follow the UK Data Protection laws when storing and using your private information to keep it secure. So, your personal data will not be shared with countries outside the UK or European Union.

The results of the Epilepsy12 audit are published in our annual reports and patient and parent guides, which are publicly available on our website and via https://data.gov.uk/. All data is reported at the level of individual NHS Trusts so that no information that could identify you will ever be published.

What if I don't want my information to be collected for Epilepsy12?

If you do not want your personal information to be collected for the Epilepsy12 audit, please let your paediatric epilepsy team know and they will remove you from the submission so that we don't receive the data. Alternatively, you can contact the Epilepsy12 team directly at epilepsy12@rcpch.ac.uk and we will ensure that your personal identifiers are removed from our database.

In England, the National Data Opt-Out service allows patients to opt out of their information being used for research or planning purposes. The National Opt-Out service does not remove your information from Epilepsy12.

In England, the National Data Opt-Out (NDO) service allows patients aged 13 or over (or those with parental responsibility for patients under 13) to opt out of their information being used for purposes beyond their direct care. The Secretary of State for Health and Social Care, having considered the advice from the Health Research Authority Confidentiality Advisory Group, has decided that the NDO will not be applied to Epilepsy12.

This is because applying the NDO would introduce biases to the data and make it difficult to monitor care safety and quality and because of the importance of the data collection for improving patient care. Personal data collected by Epilepsy12 is not for research; it is processed to make sure epilepsy care is being provided safely and that health services meet national standards for care quality.

Opting Out in Jersey 
To exercise your right to opt-out of your data being used for National Audit and research, you can email the Clinical Audit team at HSSClinicalAuditDepartment@health.gov.je. You can also request that the processing of your data for national audit purposes is restricted through the online form found at your personal data rights. Data of Jersey patients who have opted out will be excluded from data flows to England. 

How long do you keep my personal information for?

The Epilepsy12 team at the RCPCH acts as the data processor on behalf of the Healthcare Quality Improvement Partnership (HQIP), NHS England and Digital Health and Care Wales, who are the data controllers for Epilepsy12 data. The RCPCH will hold your information for as long as it is commissioned by HQIP to deliver the Epilepsy12 audit. All data will be deleted or transferred back to HQIP within two weeks of the end of our contract.

Why didn't anyone ask me if they could collect my personal information for Epilepsy12?

The legal reason is that it is in the public interest for the RCPCH Epilepsy12 project to use your personal data. Epilepsy12 has section 251 approval to collect patient identifiable data in England, Jersey and Wales without explicit patient consent as it improves epilepsy care for children. To find out more about section 251 approval, visit the Health Research Authority website.

Epilepsy12 relies on the following for the processing of personal data; Schedule 1 (1)(3)DPA- underpinned by Health and Social Care Act 2012 Part 1 Section 2, the Secretary of State’s duty for improvement in the quality of services.

Processing is permitted under the UK General Data Protection Regulation (GDPR) on the following legal bases:

• Article 6 (1) (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This is justified through commissioning arrangements which link back to NHS England, Jersey and the Welsh Government.

• Article 9 (2) (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

This is justified as Epilepsy12 aims to drive improvements in the quality and safety of care and to improve outcomes for patients.

This means the audit does not need to ask permission from everybody. However, we take your privacy seriously, so we offer you the option to opt-out if you do not want to take part. The section below ‘What rights do I have?’ explains how you can do this and more about your rights.

Jersey
In Jersey, processing is permitted under the Data Protection (Jersey) Law 2018 under the following legal bases: Public interest under the common law of duty of confidentiality. 

What rights do I have?

If you have any questions or would like to make any rights requests, please contact your unit directly. For the data we collect for Epilepsy12, you have the following rights:

• Right of access: The personal data we hold about you is provided by your unit. We can let you know which categories of data we collect, depending on the type of submission, but you will need to contact your unit directly for a copy of the information as they are data controllers of your patient record.
• Right to erasure and Right to object: The right of erasure does not apply to this audit because your data is being processed for the purposes of performing a task in the public interest, which in this case is for ensuring high standards of quality and safety health care. However, if you want to opt out of future audit rounds, please let your unit know and they will remove you from the submission so that we don't receive the data. Alternatively, you can contact the Epilepsy12 team directly at epilepsy12@rcpch.ac.uk and we will ensure that your personal identifiers are removed from our database.
• Right to rectification of inaccurate data: Any requests to amend or update your personal data should be sent to your unit as a data controller. If we receive any requests, we will forward these to the unit.
• Right to restriction: Any requests for restriction of processing should be sent to your Trust and they will inform us where applicable.

Who should I contact if I need more information?

If you would like more information about Epilepsy12, please contact epilepsy12@rcpch.ac.uk or call us on 020 7092 6168. You can also contact the College’s data protection officer for queries about how the college process personal data: information.governance@rcpch.ac.uk. If you have any further questions or concerns about how your information is being shared for the purposes of the audit, please first contact your hospital team.

HQIP are the joint data controllers with NHS England and Digital Health and Care Wales for the England and Wales elements of the audit respectively. HQIP can also be contacted if you have any questions or concerns about how your information is being used for the audit: data.protection@hqip.org.uk.

You do also have the right to lodge a complaint with the Information Commissioner’s Officer (ICO) at casework@ico.org.uk, if you have concerns about the way your/your child’s personal data is being handled.

If you live in the UK, you do also have the right to lodge a complaint with the ICO if you have concerns about the way your/your child’s personal data is being handled: casework@ico.org.uk. If you live in Jersey you can complain to the Jersey Office of the Information Commissioner. 

Processing data

Under GDPR the following legal bases apply to Epilepsy12 for processing personal data: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(Article 6 (1) (e) and (Article 9 (2) (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

Under the Common Law Duty of Confidentiality (CLDC), Epilepsy12, as delivered by the RCPCH, uses Section 251 as its legal basis to meet the CLDC.

Epilepsy12 currently has section 251 approval to collect patient identifiable data without explicit patient consent (reference: 17/CAG/0184); this is reviewed annually. Epilepsy12 relies on the following for the processing of personal data; Schedule 1 (1)(3)DPA- underpinned by Health and Social Care Act 2012 Part 1 Section 2, the Secretary of State’s duty for improvement in the quality of services. The 2025 duration amendment has been aligned to match the contract extension provided by HQIPP. You can download the approval letter below, as well as the amended approvals including the NDO exemption and the new data entry platform. 

More information on the section 251 approval process is available on the Confidentiality Advisory Group pages of the NHS Health Research Authority website.

Information for patients

Epilepsy12 has provided each participating Health Board and Trust with Round 4 flyers which can be displayed in clinic areas and shared with patients, parents and carers. These materials introduce the audit and signpost the full privacy notice.

Data disclosure policy

The Epilepsy12 audit collects data from children and young people with a first paediatric assessment for paroxysmal episodes in England Jersey and Wales. In order to maintain patient confidentiality, Epilepsy12 applies a number of disclosure control techniques. These techniques aim to reduce the amount of detailed information enclosed within Epilepsy12 outputs to prevent unlawful disclosure of identifiable information. Disclosure control aims to minimise the risk of disclosure to a very low level, as it is unfeasible to completely eliminate risk.

Within Epilepsy12 outputs, disclosure control methods include:

• Aggregation. Combining data into broader categories or ranges to reduce granularity (e.g. deprivation quintiles and ethnic groups).
• Suppression. Epilepsy12 will supress data where figures are less than 3 but not equal to 0. Secondary suppression of the next smallest figure is also necessary to avoid the deduction of small numbers

These strategies are applied consistently through all forms of public reporting.

NHS England Quality Accounts List

Epilepsy12 is one of the national audits within the National Clinical Audit and Patient Outcomes Programme (NCAPOP) which NHS England advises Trusts to prioritise for participation and inclusion in the NHS England Quality Accounts list for 2023-24, 2024-25 and 2025-26.

The information below may be used to support Trusts in England for their Trust Quality Account submission - 2024-25 audit: 

• Annual data submission deadline – 13 January 2026 (for clinical audit patient ‘Cohort 7’ & 2025 organisational audit)
• Participation - paediatric services within Health Boards and Trusts in England, Jersey and Wales
• Coverage - Patients with a paediatric assessment for a first suspected seizure episode (or episodes), followed for 12 months of subsequent care
• Number of patients entered - Please contact the clinical lead at the service.
• National report publication date - July 2026

UPCARE tool

The Understanding Practice in Clinical Audit and Registries (UPCARE) tool is a protocol to describe the key features of clinical audits and registries designed by HQIP. It has been designed to provide a "one-stop" summary of the key information about how clinical audits and registries have been designed and carried out. It is designed to help people understand the methods, evaluate the quality and robustness of the data and find information and data that is most relevant to them.

Download the UPCARE tools below 

Data access requests

If you are a researcher and wish to access patient level data, or request a novel analysis, you will need to read our data access request policy, consult with the Epilepsy12 team and then make a formal application to HQIP’s Data Access Request Group (DARG).

Download the Epilepsy12 data access request policy

Contact

The Epilepsy12 project team members are available to respond to any related queries at epilepsy12@rcpch.ac.uk or on 020 7092 6157 / 6056 

Please note that we cannot host any patient identifiable information on our email servers, including NHS Numbers. Please call the team on the number above if you need to discuss these sensitive details.