Frequently asked questions | National Diabetes Experience Survey

About the survey Confidentiality and data protection The results

Please note the 2024 survey has now closed.

The information in this section explains how and why we used people's personal data for this survey. We also outline your rights and how to contact us if you have any questions or concerns about the use of your data.

Your details

How did you get my details?

NHS England is the data controller for this survey. NHS England holds a list of people who are living with diabetes, called the National Diabetes Audit (NDA). If you were invited to take part, your name was chosen at random from this list. NHS England matched this information with contact details from the list of patients registered with a GP, called the Personal Demographic Service (PDS). Ipsos, as data processor, are carrying out this survey on behalf of NHS England. An independent group, which included members of the public, gave their support for confidential patient information to be used to identify people living with diabetes and invite them to take part in this survey.

Who were my details shared with?

The following data was shared with Ipsos so they could select people to take part in the survey, and to ensure that the anonymised survey data matched the profile of the NDA population as closely as possible: sex, age band, ethnicity, type of diabetes, date of diagnosis, care processes/clinical outcomes, treatment targets, treatment type, GP practice code, Lower Layer Super Output Area (LSOA), and NHS number.

The following data was shared with Ipsos so they could contact those selected to take part in the survey: name, address, mobile number (where available), and month and year of birth.

Once the survey is finished, Ipsos will securely destroy your personal details.

Ipsos is working with certain supplier organisations to run the survey. Ipsos needed to share your contact details with the following supplier organisations to invite you to take part:

Formara (printing letters and questionnaires): name, address and type of diabetes
Text Local (distributing text message invitations): mobile number
The Delivery Group and Royal Mail (distribution and postage): name and address

Ipsos also work with Rackspace UK to collect online survey responses. All internet facing systems are hosted in the RackSpace UK data centre, including the interviewing platform, Dimensions, used to carry out market research fieldwork. All applications and data are managed by Ipsos.

All these suppliers are approved and compliant with the UK General Data Protection Regulation.

How are my personal data held and processed?

Personal data are held in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. If you were invited to take part, NHS England’s Privacy Notice describes how they used personal data and explains how you could contact them and invoke your rights as a data subject. NHS England will protect your information in line with the requirements of the Data Protection Act 2018.

What was your legal basis for processing my personal data?

NHS England carried out this survey to help provide better care and support for people living with diabetes. The survey will help NHS England to deliver the general commitments around improving the quality of services outlined in the Health and Social Care Act 2023: 13E Duty.

NHS England and Ipsos obtained Section 251 support (of the NHS Act 2006 and Health Service (Control of Patient Information) Regulations 2002). This was provided by the Confidentiality Advisory Group at the Health Research Agency ahead of any personal information being shared by NHS England with Ipsos. The support was granted following a review of the purposes and governance arrangements for the survey by an independent group. This group, which included members of the public, gave their support for confidential patient information to be used to identify people living with diabetes and invite them to take part in this survey. This provided a legal basis for patient information to be used to carry out the survey.

NHS England is the data controller for the processing of personal data for the National Diabetes Experience Survey, which means that they are responsible for making sure that the processing complies with the UK General Data Protection Regulation (UK GDPR).

NHS England’s lawful basis for carrying out the survey is covered as a ‘public task’ under Article 6(1)(e) of the UK GDPR. This provides a lawful basis for processing personal data where:
“…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
In addition, NHS England’s lawful basis for using special category data (such as data about health, racial or ethnic origin or sexual orientation) to carry out the survey is covered under Article 9(2)(h) of the UK GDPR:
“9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3…”

This means that NHS England can use the personal data they hold about you for service evaluation with appropriate safeguards in place. Ipsos is the data processor acting on instructions of NHS England to deliver the survey.

By taking part in the survey, participants consented to the use of the information they provide in the questionnaire.

How does Ipsos ensure that my personal information is secure?

Ipsos takes its information security responsibilities seriously and applied various precautions to ensure information was protected from loss, theft, or misuse. Security precautions included appropriate physical security of offices and controlled and limited access to computer systems. Stringent measures have been taken to ensure personal information was securely stored and seen only by the personnel directly involved in the project.

Ipsos has regular internal and external audits of its information security controls and working practices and is accredited to the International Standard for Information Security, ISO 27001.

Individual answers to the questions were not linked to names or contact details. Ipsos, and approved NHS England staff and researchers, treat individual answers as confidential. They adhered to all aspects and terms of the UK General Data Protection Regulation and all other relevant legislation, including requirements for secure storage.

Where are my personal data be held and processed?

If you have been invited to take part, all of your personal data used and collected for this survey were stored by Ipsos in data centres and servers within the United Kingdom hosted by RackSpace UK. RackSpace UK provide Ipsos group managed hosted services, this is dedicated infrastructure for Ipsos only. RackSpace provide support up to the operating system level and Ipsos manage their installed applications and data.

Will I receive this survey if I have opted out via the National Data Opt Out?

You may have still received an invitation to take part in the survey if you have opted out via the National Data Opt Out. The Department of Health and Social Care confirmed that this survey has been made exempt from the National Data Opt Out. The list of exemptions and policy postponements provides more information.

Your answers

This section explains what happened to your answers if you took part in the survey.

What happened to my answers? Will the healthcare professional(s) I see know that I have taken part in this survey?

No one involved in your care will know whether you have taken part in the survey.

Ipsos has put your answers together with the answers from other people and publish the results of the survey. Your answers have been kept confidential. Nobody can identify you in any published results.

Ipsos sent all the survey responses to NHS England. NHS England removed any personal details which could have been used to identify you from the data. They will link the survey responses with information in the National Diabetes Audit and other healthcare databases. The NHS will use this information to plan diabetes services. You could have asked for your survey responses to not be given to NHS England. Now that NHS England has received the survey data, your responses cannot be deleted.

NHS England may have shared your survey answers with approved researchers, but only in a way that doesn’t identify you. NHS England only shared your answers in line with strict rules about data processing.

By taking part in the survey, you gave permission for your personal information to be used in these ways.

Who are approved researchers and how can they use the findings?

In order to be able to use the survey data at the individual patient level, all researchers, including those employed by NHS England and other organisations, must apply for permission. Each application must go through a rigorous approval process, setting out the work that will be done, with an agreement that any publication will only refer to completely anonymised data. All other users may only access anonymised data at national or Integrated Care System (ICS) level.

How long will Ipsos hold my personal data and identifiable responses?

If you have taken part in the survey, Ipsos will only hold your data in a way that can identify you for as long as is necessary to support the survey and findings. In practice, this means that once Ipsos have reported the anonymous findings in an acceptable way, they will securely remove your personal, identifying data from their systems and those of any suppliers. For this study, Ipsos will securely remove your personal data from their systems 2 months after publication (estimated deletion date of February 2025).

Website

Does the website use cookies? If so, how?

Some online surveys collect information through the use of "cookies". These are small files stored on your computer. These files are used as sparingly as possible and only for quality control and validation. They also prevent us sending you reminders for an online survey you have already completed. It is possible for you to delete "cookies" or to prevent their use by changing the browser settings on your computer. Ipsos also automatically capture information about your operating system, display settings and browser type to ensure that the survey questionnaire was delivered in a form suited to the software your computer is using. Ipsos do not capture any other information from your computer. For more information, please see our Privacy notice.