Skip to main content

Privacy Notice for BAUS Audits

If you would like to make a Subject Access Request for any data about your
operation that is held on the BAUS audits, please complete and return this form

Why the data is collected

BAUS runs a number of national audits and endeavours to collect data from all urologists undertaking the procedures listed below.  The purpose of collecting the data is to monitor the performance of urological surgeons, so that we can improve the outcomes of urological surgery and ensure patient safety. The audits also provide comparative information to patients, commissioners, and regulators of healthcare professionals.

BAUS currently collects data on the following procedures:

  • Nephrectomy (removal or partial removal of a kidney);
  • Radical prostatectomy;
  • Cystectomy (removal of the bladder);
  • Surgery for female stress urinary incontinence;
  • Urethroplasty (surgery to repair urethral strictures);
  • Percutaneous nephrolithotomy, PCNL (the breakdown & removal of kidney stones using a telescope placed into the kidney through a small puncture in the back); and
  • Penile implant surgery (personal data on penile implant surgery can only be collected if the patient has given explicit consent).

What personal data is collected?

The information entered by the surgeon, or a member of the surgical team, includes the medical history of the disease, the investigations performed, the treatments given and the operative outcomes achieved. The information importantly also contains some personal information about the patient as follows:

  • Forename
  • Surname
  • Gender
  • NHS number or another identifier such as hospital number
  • Date of birth
  • Date of operation
  • Date of discharge (or death)
  • Cause of death


  • Date of birth and date of operation generate the age at surgery - required for analysis;
  • Date of operation and date of discharge (or death) - required to calculate hospital length of stay; and
  • Date of death and cause of death - required to enable us to report on mortality (for example, it is important to know if the cause of death is related to the surgery).

What is the legal basis for the BAUS Audits?

The collection of data for the BAUS audits has been approved by the Confidentiality Advisory Group of the NHS Health Research Authority under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002.  The CAG has agreed that “the activity has a clear medical purpose in the publication of audit information around the urological surgical procedures identified, and it was agreed that the activity is important and in the public interest”.

Surgeons are encouraged to seek consent from their patients for their data to be entered on the national registries.  Patients do not have to give consent for personal data to be entered but, if a refusal of consent is recorded, the person entering data cannot enter personal data, although the details of the operation can still be entered. Where a patient has not been asked to consent, their consent is recorded as "unknown" and, in these circumstances, BAUS has permission to collect details for these patients under Section 251 of the NHS Act 2006, in the interests of ensuring patient safety and patient outcomes.

How is the data processed?

Surgeons (or designated members of their teams) add the information to the online BAUS data and audit system using secure data transfer methods.  All data is stored in a secure facility with access controlled by authenticated usernames and passwords. Access is very tightly controlled; clinicians and their teams can only access data about their own patients.

Although BAUS staff can download the surgical data for analysis, they cannot access any patient identifiable data, and all outputs are aggregated so that individual patients cannot be identified.

The information collected is used to generate reports; these are detailed reports which can show national patterns and trends, and allow individual surgeons and units to compare their performance.  Surgeon and unit data is available for the public to view in the Surgical Outcomes Audit section of the BAUS website.  BAUS also shares some aggregated data with the NHS for display on NHS Choices.

Who controls the use of the data?

BAUS is the data controller and is responsible for how the data is used.  The release of any data is subject to rigorous controls and no personal data is released.

Who processes the data?

The data is processed by Dendrite Clinical Systems Ltd.  Their data security policy is fully implemented and complies with current management and control guidelines described in ISO 27001/2 standards. Dendrite Clinical Systems is assessed against NHS Information Governance standards, which includes both physical and organisational security measures.

How long will this information be kept for?

By collecting a large amount of information, it is easier to identify the most effective treatments which can benefit patients.  We hold patient identifiable data dating from 2012, and we anticipate that we will retain these data for at least 10 years to enable us to collect, assess and report on complications, and on outcomes of treatment.  Data retention practices and policy are reviewed on an annual basis.