Public health

Transfer of Public Health functions to NHS England

On 1 October 2021, as part of the government’s strategy to transform the public health system in England, responsibility for a number of public health functions transferred from Public Health England (PHE) to NHS England. NHS England is now therefore the controller for personal data processed to support these functions under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Other than the change in Controller there was no changes to patients’ personal data to discharge these functions, how it is processed or the services received by patients as a result.

More information on NHS England’s public health functions and commissioning activities can be found on our website.

Information about how we process personal data for the purposes of our screening programmes can be found at National population screening programmes: the information we use and why, and your options – GOV.UK (

From January 2023 the responsibility for the management of the National Disease Registries, a collection of data on all cancers, rare diseases and congenital anomalies diagnosed each year in England from NHS Digital to NHS England the privacy information can be found here NHS Digital website: National Disease Registration Service: NHS Digital Transparency Notice.

Purposes for processing

We process personal information of staff transferring into NHS England for the purposes of staff employment. Please see Our Workforce section of our privacy notice to find out how we use personal data about our employees.

We use personal information to fulfil the Secretary of State for Health and Social Care’s duty to protect and improve public health and reduce health inequalities. We may process personal information in order to provide:

  • Regional and National Healthcare Public Health services
  • Regional and Local Screening functions and Immunisation Commissioning Support and Expert Advice
  • Screening Quality Assurance Services.

How we collect your personal information

We collect personal information from the following sources:

The information we collect

The types of personal information we may collect about you include:

  • Demographic information – for example, we may collect your name, date of birth, sex, ethnic group, NHS number, address and postcode, occupation, and contact details such as your phone number
  • Health information – for example, we may collect information about your physical health, mental wellbeing, symptoms and medical diagnoses, and health risk factors such as your height and weight, whether you smoke and what your occupation is
  • Treatment information – for example, we may collect information about your hospital admissions, clinic attendances, screening appointments, laboratory test results, prescriptions and vaccination history.

Who we share your information with

We may share your personal information with other organisations to provide you with individual care or for other purposes not directly related to your health and care.

  • Your doctor and hospital to help them provide you and other patients with better care by auditing and evaluating the safety and effectiveness of the service they provide
  • Data processors: We may share your personal information with organisations we have contracted to help us fulfil our remit
  • With other organisations, where such sharing is necessary, proportionate and allowed by law, which may include universities and other researchers.

Legal basis for processing

We process both personal data and special categories of personal data, including data about your health and ethnic group. Our legal basis to collect your personal information may vary according to the purpose we use it for. In most cases unless stated below Section 7A of the National Health Service Act 2006 satisfies the UK General Data Protection Regulation and the Data Protection Act 2018 that apply below:

  • GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.
  • GDPR Article 6(1)(a) ‘consent’ where processing for surveys and public consultations for changes.

Where we need to use special categories of personal data, the lawful bases will be:

  • GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’
  • GDPR Article 9(2)(h) ‘processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services’
  • GDPR Article 9(2)(a) ‘explicit consent’
  • Data Protection Act Schedule 1 Part 1 (3) ‘public health’.