Privacy Notice

CRAB Clinical Informatics (C-Ci) sets a high standard when it comes to contacting people and notifying them about the collection and use of their personal data. Where appropriate, we share our Privacy Notice with those on whom we hold and/or process data, so that C-Ci can offer individuals genuine choice and control of their data.


What is CRAB?

CRAB predicts the individualised clinical risk for each surgical patient, based on his or her physiology and treatment prescribed. CRAB also tracks avoidable harm for all patients within an organisation. Quality measurement is possible, for both surgical and medical treatment, via a web-based system and monthly reporting that uses local coding data, and clinicians are able to review care results that have been attributed to them. This enables clinicians, managers and commissioners to understand morbidity and avoidable harm across the organisation.



What data categories are processed by CRAB?

Data categories required for processing include Care provider Episodes, non-identifiable Patient details, Hospital specialties and Consultant details, which are pseudonymised, unidentifiable data. This is Hospital Episode Statistics (HES) or Secondary Uses Services (SUS) data and isn’t combined or linked with any other data sources.

Individuals will not be identified by the data processed.



Who is the data shared with and why?

C-Ci provides high level reports of CRAB processed data to Hospital Executive Management, Senior Clinical and Auditing professionals to assist them with making care quality and financial improvements. These are anonymised depending on the data source and the client’s requests.

CRAB reports that are shared with clinicians, hospital managers, national regulatory bodies and commissioners support their understanding of morbidity to prevent avoidable harm across the hospital organisation.


Individual doctors and consultants receive CRAB processed data on their own activity with their patients, which is anonymised. Individuals will not be identified.

Reports are only shared with an approved distribution list as agreed with the client.

C-Ci does not share any processed or un-processed data with the public.



Who is the Data controller and data owner?

C-Ci is the data controller and instructs L2S2 as our critical IM&T partner to process our data on our servers to provide a fair, representative system for monitoring and demonstrating the quality of patient care. L2S2 are therefore the Data Processor.

L2S2 is C-Ci’s critical information and technology supplier, so we may have to share your details with L2S2 in order to carry out our service. They will not contact you with any information other than what C-Ci has requested or approved.


The contact details for C-Ci as the Data Controller are:

CRAB Clinical Informatics Limited

Address for correspondence:

C-Ci 2a / 2b Oakington Business Park Cambridge CB24 3DQ, England


Registered office:

3, Ye Corner, Aldenham Road, Watford, Herts WD19 4BS UK

Registered Company number: 6601066

VAT Registration number: GB 936 4035 26

t: 020 8144 6967



How does C-Ci consider and protect people’s rights and interests?

In line with GDPR regulations, C-Ci undertake extra responsibility for considering and protecting people’s rights and interests, with particular consideration given to the processing and protection of children’s data. C-Ci carry out a Data Privacy Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA) before the creation of a database to ensure the processing of data is completely necessary.



How do I opt-out of sharing my data?

The data we hold doesn’t identify individuals. However, if you don’t wish to have your confidential patient information used for research and planning, please visit the NHS national opt-out programme website for further information (see ANNEX 1).



What is C-Ci’s lawfulness of processing?

Under GDPR, C-Ci undertakes the processing of data on the following lawful bases.


EU GDPR Article 6:

“Lawfulness of processing”


1.(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


EU GDPR Article 9:
“Processing of special categories of personal data”

2.(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;


The analysis CRAB undertakes on behalf of Health regulators and NHS organisations serves the broader societal interest of ensuring standards of quality and safety are maintained in hospitals and to help inform performance ratings to help people choose care.
– The CRAB analysis cannot be achieved without access to the pseudo-anonymised data.
– All information is pseudonymised when received and analysed data is at an aggregate level (i.e. Trust or speciality level, meaning there are no small volumes) with no patient specific reference.

C-Ci only processes data where absolutely necessary to perform the clinical audit as requested by the client. A Data Privacy Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA) are carried out before the processing of data to ensure it is necessary to create a new client database.

We believe that, in order to improve care standards, it is a reasonable expectation for a patient receiving care to have their fully anonymised details and treatment prescribed included in an aggregate dataset to be processed as part of an assessment of the care-giver’s performance for the future benefit of that patient and all other patients.

We also believe that, in order to improve care standards, it is a wholly reasonable expectation for a care giver/consultant providing care to have their prescribed treatment assessed and processed.

Where C-Ci happens to notice a potential risk to patient safety, C-Ci provides this information to the regulator, without any charge, to act upon to prevent further untoward harm to patients.

See ANNEX 2 for link to GDPR article 6.

See ANNEX 3 for link to GDPR article 9.



How does the lawfulness for processing link with the Data Protection Act?

C-Ci’s lawful basis for the processing of special categories of personal data under Article 9: EU GDPR, 2. (i) is supported through the Data Protection Act 2018 Schedule 1, Part 1, section 2: Health or social care purposes 2 (1) and (2) and Public Health (3).


Health or social care purposes

2 (1) This condition is met if the processing is necessary for health or social care purposes.


(2) In this paragraph “health or social care purposes” means the purposes of—

(a) preventive or occupational medicine,

(b) the assessment of the working capacity of an employee,

(c) medical diagnosis,

(d) the provision of health care or treatment,

(e) the provision of social care, or

(f) the management of health care systems or services or social care systems or services.


Public health

3 This condition is met if the processing—

(a) is necessary for reasons of public interest in the area of public health, and

(b) is carried out—

(i) by or under the responsibility of a health professional, or

(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

See ANNEX 4 for link to Data Protection Act 2018.



Where does C-Ci obtain its data from?

Data is obtained from NHS Digital, NHS hospital trusts and private healthcare organisations.

Data from different sources isn’t combined in any way and each data source has its own dedicated database containing its own data.


  • C-Ci Privacy Notice is shared with the key client contact within 1 month.
  • When obtaining personal data from other sources, under GDPR, C-Ci does not need to provide individuals with privacy information if:
      • the individual already has the information;
      • providing the information to the individual would be impossible;
      • providing the information to the individual would involve a disproportionate effort;
      • providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
      • you are required by law to obtain or disclose the personal data; or
      • you are subject to an obligation of professional secrecy regulated by law that covers the personal data.



How long does C-Ci retain the data for?

Unless specified through a separate agreement, data is retained on our servers for 10 months at which point the project start up Data Privacy Impact Assessment and Legitimate Interests Assessment are reviewed to see if the database should be deleted or retained as an ongoing project for a further 10 months, unless otherwise instructed by the data owner (Hospital Organisation/ NHS Digital/ Private data provider).



Where is data stored and processed?

Data is stored and processed in England and remains on the servers in England only. No data is transferred across borders unless permission from the data owner is expressly given in writing.



How can I make a complaint?

If you wish to make a complaint please contact us at

Contact Details

Senior Information Risk Owner (SIRO): Dr Mark Ratnarajah
Caldicott Guardian and Data Protection Officer: Mr Graham Copeland
Information Governance Manager: Ms Claire Bale


or visit the Information Commissioner’s Office





ANNEX 1: NHS national opt out

ANNEX 2: GDPR Article 6.

ANNEX 3: GDPR Article 9.

ANNEX 4: Data Protection Act 2018.