Purposes for processing

NHS England has a power under the Health and Social Care Act 2012 to direct NHS Digital to collect information from health organisations. The general purpose for doing this is to establish collections of information that can be used to monitor how well the NHS is performing and the quality of care provided.  As the data is held centrally it can be linked to provide information that would not otherwise be possible.

Below is a list of the directions we have issued to NHS Digital for personal data collections.

• Assuring Transformation Data Collection (2015)
• Children and Young People’s Health Services (CYPHS)
• Data Services for Commissioners (2015)
• Dementia Prevalence (2015)
• Diabetes Prevention Programme Audit Pilot
• Diagnostic Imaging Data Set Service (2015)
• Emergency Care Data Set Collection (2017)
• General Practice Appointments Data Collection in Support of Winter Pressures (2017)
• Genetic Testing Rates Information System (2017)
• GP Workload (2017)
• Maternity Services (2015)
• Mental Health Services (2015)
• NHS 111 Pathways Data Collection (2017)
• NHS 111 Online
• National Audit of Pulmonary Hypertension (2016)
• National Cancer Waiting Times (SCCI0147)
• National Diabetes Audit (2017)
• Personal Health Budget Collection (2017)
• Primary Care Registration Management (2018)
• Retrospective Audit of Data for Mesh Procedures Data Analysis (2018)
• GP Streaming Audit (2018)
• Citizen Identity Services (2018)

These can also be accessed on the NHS Digital website.

Sources of the data

The information may be collected from any organisation that provides health services to the NHS, including NHS Trusts, NHS Foundation Trusts, GP Practices and other primary care providers and local authorities.

Categories of personal data

The details of the individual collections are specified in the directions. This may include records representing individual items of care, or summarised information including just numbers. Where information about individual patients and their care is collected, this will usually include their NHS Number, other similar identifiers, postcode and date of birth. These are needed to make sure that the data is correct, and to allow linkage to other data. The data will include information about the health care received, administrative information, and may include ethnicity.

Categories of recipients

A benefit of this approach is that personal data is held only by NHS Digital, who only release it to other organisations, including NHS England, where there is a specific legal power (See for example Assuring Transformation).  Data is also released in a form that is anonymised in line with the Information Commissioner’s Anonymisation code of practice. All requests for data form NHS Digital are dealt with by the Data Access Request Service.

Legal basis for processing

For GDPR purposes NHS England’s lawful basis for processing when directing NHS Digital using its powers under the Health and Social Care Act 2012 is Article 6(1)(e) – ‘…exercise of official authority…’. For the processing of special categories (health) data the basis is 9(2)(h) – ‘…health or social care…’, and/or 9(2)(j) – ‘…research purposes or statistical purposes…’.

When NHS Digital processes personal data under directions from NHS England, the two organisations are acting jointly as data controllers.