Purposes for processing

NHS England is committed to the delivery of safe and efficient services, and will communicate safety critical information and guidance to the NHS under various policy and procedural structures.

An Alert may be issued to prevent or avoid unexpected or avoidable death, harm or injury to patient, carer, staff or visitor, or in order to prevent fraud.

Sources of the data

Alerts can be generated across the organisation, and instigated from systems and services commissioned by NHS England. Under numerous protocols including regulations for Controlled Drugs, Patient Safety, Medical Devices etc., and these alerts will be cascaded to relevant parts of the NHS to ensure patient safety and protection.

Categories of personal data

The data received by NHS England includes a record for each Alert including (if relevant) patient or staff name, NHS Number and other personal details, including relevant healthcare records and information about the Alert, including others involved or potentially impacted by the Alert.

Categories of recipients

Alerts can be cascaded throughout the NHS, and are directed, on a necessary and proportionate bases, to any relevant team within (or outside) NHS England. When Alerts are sent to relevant people they may include action to be taken, or raise awareness of potential harm to which staff need to be aware.

Please see the MHRA CAS Pages for details and NHS England Alerting Systems  framework for more information.

Legal basis for processing

For GDPR purposes NHS England’s lawful basis for processing is Article 6(1)(e) ‘…exercise of official authority…’. For the processing of special categories data the basis is Article 9(2)(h) ‘…health or social care…’.