Public health

Transfer of Public Health functions to NHS England

On 1 October 2021 a number of public health functions will transfer from Public Health England to NHS England. From this date, NHS England will be the Controller for personal data that is processed to support these functions under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Other than the change in Controller there will be no changes to patients’ personal data to discharge these functions, how it is processed or the services received by patients as a result.

During this period of transition the Public Health England Privacy Notice will continue to apply as it did before. This privacy notice explains the personal information we collect, how we use it and who we may share it with for these purposes. It explains what your rights are if we hold your personal information and how you can find out more or raise a concern.

Purposes for processing

We process personal information of staff transferring into NHS England for the purposes of staff employment. Please see Our Workforce section of our privacy notice to find out how we use personal data about our employees.

We use personal information to fulfil the Secretary of State for Health and Social Care’s duty to protect and improve public health and reduce health inequalities. We may process personal information in order to provide:

  • Regional and National Healthcare Public Health services
  • Regional and Local Screening functions and Immunisation Commissioning Support and Expert Advice
  • Screening Quality Assurance Services.

How we collect your personal information

We collect personal information in 3 main ways:

  • Directly from you
  • From the providers of health and care services
  • From other organisations supporting the health and care system in England.

The information we collect

The types of personal information we may collect about you include:

  • Demographic information – for example, we may collect your name, date of birth, sex, ethnic group, NHS number, address and postcode, occupation, and contact details such as your phone number
  • Health information – for example, we may collect information about your physical health, mental wellbeing, symptoms and medical diagnoses, and health risk factors such as your height and weight, whether you smoke and what your occupation is
  • Treatment information – for example, we may collect information about your hospital admissions, clinic attendances, screening appointments, laboratory test results, prescriptions and vaccination history.

Who we share your information with

We may share your personal information with other organisations to provide you with individual care or for other purposes not directly related to your health and care.

  • Your doctor and hospital to help them provide you and other patients with better care by auditing and evaluating the safety and effectiveness of the service they provide
  • Data processors: We may share your personal information with organisations we have contracted to help us fulfil our remit
  • With other organisations, where such sharing is necessary, proportionate and allowed by law, which may include universities and other researchers.

Legal basis for processing

We process both personal data and special categories of personal data, including data about your health and ethnic group. Our legal basis to collect your personal information may vary according to the purpose we use it for. In most cases, the sections of the General Data Protection Regulation and the Data Protection Act 2018 that apply will be:

  • GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’
  • GDPR Article 6(1)(a) ‘consent’ where processing for surveys and public consultations for changes.

Where we need to use special categories of personal data, the lawful bases will be:

  • GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’
  • GDPR Article 9(2)(h) ‘processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services’
  • GDPR Article 9(2)(a) ‘explicit consent’
  • Data Protection Act Schedule 1 Part 1 (3) ‘public health’.