Your Data Matters to the NHS
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How your data is used
Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital. It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.
Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.
You have a choice
You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.
Will choosing this opt-out affect your care and treatment?
No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.
What do you need to do?
If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.
To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www.nhs.uk/your-nhs-data-matters
Download a copy of the patient leaflet
We are undertaking a range of work to support the government response to the coronavirus outbreak. This notice details our legal bases for processing personal data in the course of this work. A link to the following information is available at:
Purposes for which we may process your data
The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).
Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.
To support the healthcare response to COVID-19, NHS Digital has been directed by the Secretary of State for Health and Social Care (the Secretary of State) and NHS England under the COVID-19 Directions to:
- establish information systems to collect and analyse data in connection with COVID-19; and
- develop and operate IT systems to deliver services in connection with COVID-19
COVID-19 Public Health Directions 2020
A Direction given by the Secretary of State for Health and Social Care requiring NHS Digital to establish and operate information systems to collect and analyse data in connection with COVID-19, and develop and operate information and communication systems to deliver services in connection with COVID-19.
COVID-19 Public Health NHS England Directions 2020
Directions given by NHS England requiring NHS Digital to establish and operate information systems to collect and analyse data in connection with COVID-19 and develop and operate information and communication systems to deliver services in connection with COVID-19.
We may also be requested by the NHS in Scotland, Wales and Northern Ireland to collect, analyse and disseminate data for them, including information about residents of these countries.
Examples of some of the purposes for which NHS Digital may process personal data under the COVID-19 Directions and in response to these requests may include processing personal data for the purposes of:
- understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
- identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
- understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services
- monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services
- research and planning in relation to COVID-19
Examples of some of the specific work we have done and how we have used data for COVID-19 purposes
Coronavirus (COVID-19) response information governance hub
Find out how NHS Digital is using your data in its work to support the government response to coronavirus (COVID-19).
The controller of your personal data
Under the General Data Protection Regulation 2016 (GDPR), NHS Digital is the controller of your personal data where we are directed or requested to process personal data for COVID-19 purposes. We are also a joint controller with the person who has directed or requested us to do this work. This may be the Secretary of State for Health and Social Care, NHS England or an NHS body in Scotland, Northern Ireland or Wales.
Where we share data, NHS Digital is usually the sole controller, unless we have been directed to share the data by the Secretary of State or NHS England, in which case we will be joint controllers.
Our legal basis under GDPR
Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation and we are allowed to do this under Article 6(1)(c) of GDPR.
Where we process personal data as part of our statutory functions, including where requested by other bodies, for example by the NHS in Scotland, Wales or Northern Ireland, this is part of our public task. We are allowed to do this under Article 6(1)(e) of GDPR.
Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under GDPR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9(2)(g)), where it is necessary for healthcare purposes (Article 9(2)(h)), where it is necessary for public health purposes (Article 9(2)(i)) or where it is necessary for scientific research or statistical purposes (Article 9(2)(j)).
We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.
More information can be found in the Who we share your data with section.
Types of personal data we process
The types of personal data we may process in response to COVID-19 include:
- demographic data – your name, date of birth, sex, NHS number and your contact details such as your address, telephone numbers and email address
- health information – information relating to your health and the care you have been provided - this may include information about medical conditions, treatments, prescription information, care episodes, hospital admission and discharge information, test results, including tests relating to COVID-19, information on whether you are self-isolating
- information collected as part of our online services which we need to help maintain the security and performance of our website and also to help us understand how our services are used so that we can make improvements. This may include information such as your IP address, technical log events, the type of browser you’re using and the actions you took when using these services
We will only process the minimum data necessary to achieve our purposes.
How we obtain your personal data
Collecting personal data from you directly
We may collect personal data from you directly, in which case we will tell you at the time the purposes for which we will use your data in a privacy or transparency notice.
Examples of where we have done this for COVID-19 purposes are the Isolation Note Service and the service to Get text messages from the NHS about coronavirus. We will not collect more information than we require, and we will ensure that any personal data collected is treated with the appropriate safeguards.
Collecting personal data from other organisations
We may also collect personal data from other organisations, including health and social care organisations, for example from Public Health England, NHS Trusts, GP Practices, Local Authorities, NHS England, the Department of Health and Social Care and other government departments.
Usually we do this by issuing the organisation with a Data Provision Notice. This requires or requests those organisations to provide us with data where this is necessary for us to perform our functions under the Health and Social Care Act 2012.
Examples of our Data Provision Notices
Data Provision Notices (DPNs)
When we receive a Direction or Request to collect data, we issue a Data Provision Notice (DPN). It provides details about the data collection, including: purpose, benefits, frequency and method of collection.
NHS Digital also has a number of legal powers under the Health and Social Care Act 2012 to share data with organisations where it is necessary for particular purposes.
We may, therefore, share your personal data using these powers, or under the legal notice mentioned above, with other health and care organisations for the purposes of your individual care and treatment or for planning, commissioning and research purposes.
We may also share your personal data with approved researchers, including for the purposes of carrying out clinical trials. We will only share your data with other organisations where this is lawful and in line with data protection law.
Types of organisations we may share your data with
The types of organisations we may share your data with include:
- the Department of Health and Social Care and other government departments, as part of the government response to coronavirus
- NHS England
- Public Health England
- Clinical Commissioning Groups
- Local Authorities
- other NHS, health, or social care organisations
- NHS bodies in Scotland, Wales and Northern Ireland
- research bodies, such as universities and hospitals
We may also share your information with organisations who process personal data for us on our behalf. They are called Processors. Where we use Processors we have contracts in place with them which means that they can only process your personal data on our instructions. Our Processors are also required to comply with stringent security requirements when processing your personal data on our behalf.
We will also publish data we have obtained for COVID-19 purposes which is anonymous, so that no individuals can be identified from that data. This will enable NHS and other organisations to use this anonymous data for statistical analysis and for planning, commissioning and research purposes as part of the response to coronavirus.
Examples of data we have published as part of our response to COVID-19
NHS Digital response to coronavirus (COVID-19)
How we are supporting health and care as part of the government response to coronavirus (COVID-19).
How long we keep your personal data for
We will only retain your personal data for as long as is necessary for the purposes for which we obtained it and in accordance with the following:
NHS Digital's Records Management Policy
Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.
Where we store the data
NHS Digital only stores and processes your personal data within the United Kingdom.
Fully anonymous data, for example, statistical data, which does not allow you to be identified, may be stored and processed outside of the UK. Some of our Processors may process your personal data outside of the UK. If they do we will always ensure that the transfer outside of the UK complies with data protection laws.
Your rights over your personal data and further information
To read more about the health and care information NHS Digital collects, our legal basis for collecting this information, and what choices and rights you have, see How we look after your health and care information and our General transparency notice.
We may make changes to this transparency notice. If we do, the date at the top of the notice will also change. Any changes to this notice will apply immediately from the date of any change.