Details of information used for specific purposes: Serious Incident reports


Data Controller(s)

NHS Sheffield CCG


The CCG collects and uses information from Serious Incident reports from Primary and Secondary Care Providers to ensure incidents are dealt with appropriately and lessons are learnt.

Type of information Used

Identifiable: Personal (such as name, address, date of birth) and Special Category (health information)

Legal basis

GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

Related legislation:

NHS Act 2006/Health and Social Care Act 2012.

GDPR Article 9(2)(h) processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services.

How we collect (the source) and use the information

We are statutorily required to fully investigate and review incidents and will receive information from Primary and Secondary Care Providers. Where there is a requirement to provide incident reports externally, the information will be anonymised unless there is a legal requirement to provide your details. You will be kept informed of the requirements we are required to meet where information is to be shared externally.

Data Processors


Your Rights

With regard to Serious Incident Reports, under GDPR you have the right:

  • To be informed about the processing of your information (this notice)
  • Of access to the information held about you
  • To have the information corrected in the event that it is inaccurate
  • Not to be subject to automated decision-taking or profiling
  • To be notified of data breaches

How long we will keep the information

30 Years from Date of Incident

Who we will share the information with (recipients)

Your information may be shared with Primary and Secondary healthcare providers involved in the incident.
