The term “nosocomial” is derived from the ancient Greek term “nosokomeîon” (νοσοκομεῖον) for hospital. While the term “nosocomial infections” has been used in different contexts, sometimes including all kinds of healthcare-associated infections (including infections associated to non-hospital healthcare), the traditional definition comprises infections that occur during hospitalisation without being the actual reason for admission to hospital. For this reason, they are also called hospital-acquired infections (HAI).

These are complications of treatment whose occurrence depends on a range of factors, such as age, the underlying illness, or invasive measures. Given that nosocomial infections can be partially prevented by infection prevention and control measures, their consistent implementation is therefore an important goal from a patient safety perspective.

While the overarching objective is prevention of nosocomial infections, the frequency of their occurrence in a unit, hospital, or country, as well as the trend over time, is often unknown due to a lack of measurement. This makes it hard to identify risk factors, plan and evaluate interventions, educate students, staff, and parents, inform public health agencies and policymakers, and perform scientific research in that field.

Surveillance approaches these problems by continuously providing accurate, quality information on nosocomial infections by pragmatically collecting the relevant data from patient records and healthcare workers, and interpreting and consolidating it to make it useable for further evaluation and quality improvement on the local level and, after anonymisation, also at the national, and even global level.

The data collected through a surveillance system helps all stakeholders understand the risk factors for healthcare-associated infections and to develop effective strategies to prevent them. This means that all patients will receive care that is informed by research and best practices.

Backed by a wealth of evidence, surveillance is the groundwork for any attempt to reduce the burden of hospital-acquired infections and improve the patients’ short-term and long-term outcomes.

The use of antibiotics in hospitals is a significant factor contributing to the development and spread of antibiotic resistance and MDROs by increasing the selective pressure and the risk of transmission of resistant strains. While any use of antimicrobial substances contributes to the development of antimicrobial resistance, overuse and misuse, especially of broad-spectrum antibiotics, are modifiable targets for antibiotic stewardship programmes. These programmes aim to optimise the use of antibiotics to improve patient outcomes and reduce the development of antibiotic resistance, and monitoring antibiotic use is one of their key components.

When looking at typical epidemiological information from HAI surveillance, such as 2.99 bloodstream infections per 1000 patient days or 22.21 antibiotic treatment days per 100 patient days, we tend to forget that each of these infections does not just happen, but affects an individual patient, and that antibiotics are not simply used in a hospital but are used to treat individual patients.

It may not be obvious to everyone that all the data needed to calculate these rates is usually collected from health records of individual patients that have been treated in hospitals. This means that staff (typically healthcare professionals with special training in surveillance) and/or computer programmes need to access these patient records, extract, and interpret the relevant information and consolidate it so that it can be interpreted in a meaningful way. The consolidation, as well as additional validation, aggregation and report generation typically happens in a surveillance database that can either be maintained locally or by a larger surveillance network that supports the hospital with tools and methods to perform surveillance, and generates reference information that can be used for benchmarking local infection rates.

While the information in surveillance databases does not contain information that is typically used to identify a person (like names) it may still need to contain information (e.g. age or body measures) that could at least potentially be used to identify a patient and therefore could be subject to data privacy rules that require specific documentation and the maintenance of technical and organisational measures to ensure data security and guarantee anonymity of patients in public reports and data sets.

One of the most fundamental principles of data protection is that personal data shall only be collected for specified, explicit and legitimate purposes and may only be further processed in a manner that is compatible with those purposes [1]. In some circumstances, this happens with explicit consent from the individual involved, but it may also happen with implicit consent or even without any consent if certain very special prerequisites, like the protection of the vital interests of the data subject or of another natural person, are met [2].

When patients are treated in hospitals, they (or their legal guardians) give explicit or implicit consent to the collection of data related to their health and other information that is typically considered as confidential and they generally expect data to be processed under the obligation of professional secrecy.

While the exact purposes of this data collection may not always be specified explicitly, they regularly cover medical diagnosis, the provision of health care and treatment, the management of health systems as well as the establishment, exercise, or defence of legal claims.

When patients are physically or legally incapable of giving consent, the collection and processing of data may occur to protect their vital interest of receiving adequate health care.

As a well-established means of ensuring high standards of treatment quality and patient safety, surveillance of nosocomial infections is considered a fundamental component of routine patient care and as such would be compatible with the purposes of data collection in hospitals as mentioned above.

When healthcare data are processed in a surveillance network for reasons of public interest in the area of public health (such as protecting against the serious cross-border threat to health that multidrug-resistant organisms pose or ensuring high standards of quality and safety of health care by making the occurrence of hospital-acquired infections measurable),  the rules of professional secrecy apply in the same way as the hospital initially treating the patient [3] [4].

Patients in a hospital, like everybody else, have rights regarding data protection (e. g., right of access [1], right to rectification [2], right to erasure [3], right to restriction of processing [4], right to data portability [5], right to object [6]), and they can exercise those rights.

The primary controller of the data being processed in the context of hospital treatment is the company or organisation operating the hospital and there is no difference when it comes to surveillance data, with the addition that there may be another controller responsible for the generation of benchmarking information and quality assurance within the surveillance network. Hospitals often have designated privacy officers or compliance officers responsible for handling data protection matters. Patients can reach out to these individuals to address their concerns or seek clarification about data protection practices.

Although many people do not know or care about the physical location of the servers they use, and terms like “the cloud” intentionally blur out the problem of data location, it still has a high relevance regarding legal matters since the laws governing data privacy are ultimately country specific.

When the legislators of the EU member states conceived the rules for the GDPR, it was an explicit goal to harmonise the data processing legislation and to remove any restrictions of the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data [1].

Because of this, the exact location of a hospital’s or a surveillance network’s data centre within the European Union is typically of subordinate importance but this does not automatically apply to countries that do not belong to the Union (so called third countries) for which cross-border transmission of personal data may be restricted or need explicit international agreements.

For this reason, surveillance data that has been collected within the European Union usually cannot leave the Union unless it has been fully anonymised and hospitals participating in surveillance networks will typically ensure this via bilateral contracts. Similar rules typically also apply to other countries and may affect data being sent to the EU.

Access our step-by-step guide and surveillance materials.