Privacy Notice

CRAB Clinical Informatics (hereafter C2-Ai) sets a high standard when it comes to contacting people and notifying them about the collection and use of their personal data. Where appropriate, we share our Privacy Notice with those whose data we hold and/or process, so that C2-Ai can offer individuals genuine choice and control of their data.

What is CRAB?

CRAB predicts the individualised clinical risk for each surgical patient, based on his or her physiology and treatment prescribed. CRAB also tracks avoidable harm for all patients within an organisation. Quality measurement is possible, for both surgical and medical treatment, via a web-based system and monthly reporting that uses local coding data, and clinicians are able to review care results that have been attributed to them. This enables clinicians, managers and commissioners to understand morbidity and avoidable harm across the organisation.


Who is the data shared with and why?

C2-Ai provides high level reports of CRAB processed data to Hospital Executive Management, Senior Clinical and Auditing professionals to assist them with making care quality and financial improvements. These are anonymised depending on the data source and the client’s requests.

CRAB reports are shared with clinicians, hospital managers, national regulators and commissioners to support their understanding of morbidity in order to prevent avoidable harm across the hospital organisation.

Individual doctors and consultants receive the CRAB processed data for their own activity and patients, which is anonymised. Individuals will not be identified.

Reports are only shared with an approved distribution list as agreed with the client.

C2-Ai does not share any processed or un-processed data with the public.


Who is the Data controller and data owner?

C2-Ai is the data controller and instructs L2S2 as our critical IM&T partner to process our data on our servers to provide a fair, representative system for monitoring and demonstrating the quality of patient care. L2S2 are therefore the Data Processor.

L2S2 is C2-Ai’s critical information and technology supplier, so we may have to share your details with L2S2 in order to carry out our service. They will not contact you with any information other than what C2-Ai has requested or approved.

The contact details for C2-Ai as the Data Controller are:

C2-Ai (trading name)
CRAB Clinical Informatics Limited (registered name)
2 Oakington Business Park,
CB24 3DQ,
Registered Company number: 6601066 VAT Registration number GB 936 4035 26
w:     t: 020 8144 6967   e:


How does C2-Ai consider and protect people’s rights and interests?

In line with GDPR regulations, C2-Ai undertake extra responsibility for considering and protecting people’s rights and interests, with particular consideration given to the processing and protection of children’s data. C2-Ai carry out a Data Privacy Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA) before the creation of a database to ensure the processing of data is completely necessary.


What are my rights as an individual?

Opting out, and my right to erasure.

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

To have your data removed from the NHS Hospital Trust where you received care please contact that hospital directly.

For further information please visit the Information Commissioner’s Office: ANNEX 1.


What is C2-Ai’s lawfulness of processing?

Under GDPR, C2-Ai undertake the processing of data under the following lawful basis.

EU GDPR Article 6:

“Lawfulness of processing”

1.(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

C2-Ai process NHS Trust level analysis of pseudo-anonymised HES data sourced from NHS Digital and SUS data sourced directly from NHS trusts to identify risk adjusted outcomes aggregated by Trust (HES data) and specialty for mortality and complications (HES and SUS data). Thereby, with NHS HES data the CQC can identify outlying NHS Trusts as the basis for risk-based inspections, and remedial and preventative actions by the NHS Trusts being inspected. NHS Trusts can review their CRAB processed SUS data to the same effect. CRAB processed data enables you to review any cause and effect improvement measures that may have been implemented to improve the standard of patient care. Without CRAB processed national HES from NHS Digital, CQC inspectors would have no quantitative analysis of morbidity in particular to benchmark NHS trusts. This would restrict their ability to undertake inspections based on informed data and identification of poorly performing NHS Trusts early (prior to avoidable mortality becoming an issue). Hospital outliers might be missed and untoward harm may occur to patients where it could potentially be avoided.


EU GDPR Article 9:
“Processing of special categories of personal data”

2.(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

– The analysis CRAB undertakes on behalf of Health regulators and NHS organisations serves the broader societal interest of ensuring standards of quality and safety are maintained in hospitals and to help inform performance ratings to help people choose care.
– The CRAB analysis cannot be achieved without access to the pseudo-anonymised data.
– All information is pseudonymised when received and analysed data is at an aggregate level (i.e. Trust or speciality level, meaning there are no small volumes) with no patient specific reference.

C2-Ai only processes data where absolutely necessary to perform the clinical audit as requested by the client. A Data Privacy Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA) are carried out before the processing of data to ensure it is necessary to create a new client database.

We believe in order to improve care standards it is a reasonable expectation for a patient receiving care to have their fully anonymised details and treatment prescribed included in an aggregate dataset to be processed as part of an assessment of care-giver’s performance for the future benefit of that patient and all other patients.

We also believe that in order to improve care standards it is a wholly reasonable expectation for a care giver/ consultant providing care to have their prescribed treatment assessed and processed.

Where C2-Ai happens to notice a potential risk to patient safety, C2-Ai provides this information to the regulator, without any charge, to act upon to prevent further untoward harm to patients.

See ANNEX 2 for link to GDPR article 6.

See ANNEX 3 for link to GDPR article 


Where does C2-Ai obtain its data?

Data is obtained from NHS Digital (national HES data), directly from the NHS hospital trusts (Hospital SUS data), and from private Healthcare Organisations (private data).

Data from different sources isn’t combined in any way and each data source has its own dedicated database containing its own data.


How long does C2-Ai retain the data for?

Unless specified through a separate agreement, data is retained on our servers and reviewed regularly through the latest Data Privacy Impact Assessment and Legitimate Interests Assessment for that database, which are reviewed to see whether the database should be deleted or retained as an ongoing project, unless otherwise instructed by the data owner (Hospital Organisation/ NHS Digital/ Private data provider).

Data from NHS Digital is held on a rolling 3 years basis and no more than 4 years’ worth of data is retained on our servers as per our agreement.


What data categories are processed by CRAB?

Data categories required for processing include Care provider Episodes, NON-Identifiable Patient details, Hospital specialties and Consultant details, which are pseudonymised, unidentifiable data. This is sourced from Hospital Episode Statistics (HES) or Secondary Uses Services (SUS) data and isn’t combined or linked with any other data sources.

Individuals will not be identified by the data processed.


Where is data stored and processed?

Data is stored and processed in England and remains on the servers in England only. No data is transferred across borders unless permission from the data owner is expressly given in writing.


How can I make a complaint?

If you wish to make a complaint please contact us at
Contact Details



Senior Information Risk Owner (SIRO)

Dr Mark Ratnarajah

Caldicott Guardian and Data Protection Officer

Mr Graham Copeland

Information Governance Manager

Ms Claire Bale

or visit the Information Commissioner’s Office


ICO information on individuals right to erasure.


GDPR Article 6.


GDPR Article 9.
