Skip to main content

Cardiovascular Disease Prevention audit (CVDPREVENT audit)


Why and how we process your data in the Cardiovascular Disease Prevention Audit (CVDPREVENT audit) and your rights.

Controller NHS Digital (in relation to processing the personal data) and NHS England (in relation to determining the purpose for processing the data through the issuing of a direction to NHS Digital).
How we use the information (processing activities)

The Cardiovascular Disease Prevention Audit (CVDPREVENT Audit) supports the implementation of the NHS Long Term Plan which identifies cardiovascular disease (CVD) as a clinical priority. CVD is the single biggest condition where lives can be saved by the NHS over the next 10 years, currently causing a quarter of all deaths in the UK and is the largest cause of premature deaths in deprived areas. The audit will initially make use of historical General Practice information and then every three months, extracts will be taken from the data held by General Practice's via the General Practice Extraction Service (GPES). The extracts will include diagnostic codes, recording of risk factors such as smoking and alcohol, physical measurements such as blood pressure and body mass index, blood tests such as kidney function and cholesterol, as well as drug treatment and lifestyle interventions. The data will support professionally led quality improvements, allowing local systems to clearly identify gaps, inequalities and opportunities for improvement in the diagnosis and management of the high risk conditions for CVD. Using aggregated data It will show Primary care Networks (PCNs) and Clinical Commissioning Groups (CCG) where to focus there energies to prevent heart attacks and strokes at scale in their populations and to reduce health inequalities, NHS services and for research via NHS Digital Data Access Request Service (DARS).

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

Primary Care Networks (PCNs), Clinical Commissioning Groups (CCG), Data recipients are recorded in the Register of Approved Data Releases for DARS disseminations. 

Is data transferred outside the UK? Not for the purposes of processing it by NHS Digital. It may be transferred outside of the UK if this approved by NHS Digital through the DARS process for any particular dissemination.
How long the data is kept 20 years minimum from the date of the extract from the General practice system.
Our lawful basis for holding this data Legal obligation
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Cross Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Cross Object to it being processed or used
  • Cross Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing, Patients can request a type 1 objection via their General Practice to restrict use of their data. 

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? General Practice (GP) medical records via General Practice Extraction Service (GPES).
The legal basis for collecting this data

GDPR: Article 6(1)(c) Legal Obligation (Cardiovascular Disease Prevention Audit Direction 2020), Article 9(2)(g) Substantial public interests, supplemented by DPA 2018 schedule 1, part 2, statutory etc and government purposes. 
Article 9(2)(h) Management of health or social care systems and services, supplemented by DPA 2018 Schedule 1, Part 1, health or social care purpose.