Our contact details and Data Protection Officer

We are a ‘controller’ for the information we hold about people which we collect, use and share (unless we state otherwise). This means that we are responsible for how and why we use that information.

Our head office address is:

NHS England
Wellington House
133-155 Waterloo Road
London
SE1 8UG

How to contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Customer Contact Centre

Telephone: 0300 311 22 33
Email: england.contactus@nhs.net
Post: NHS England, PO Box 16738, Redditch, B97 9PT

Our opening hours are 8am to 6pm Monday to Friday, except Wednesdays when we open at the later time of 9.30am.

Contact details of our Data Protection Officer

Our Data Protection Officer (DPO) is Jon Moore. The DPO is responsible for providing us with independent advice on data protection matters and is the person to contact if you have any questions or concerns regarding our use of your information.

You can contact Jon by post or email:

Jon Moore, Data Protection Officer
NHS England
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

Email: england.dpo@nhs.net

Find out more about the role and responsibilities of a DPO.

How to make a data protection complaint

If you have a complaint which relates to our use of your personal information, or our compliance with our data protection responsibilities, you can contact our DPO using the details above.

If our DPO is not able to resolve your data protection complaint, you have the right to make a complaint to the Information Commissioner’s Office (ICO). The ICO is the UK’s data protection regulator. However, the ICO will expect you to raise your concerns with Jon in the first instance. The ICO’s contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Website: ico.org.uk

Telephone number: 0303 123 1113

Our legal basis for using your information

About legal basis

Under data protection law, we must have a ‘legal basis’ when we use your information for a particular purpose. There are seven lawful bases to choose from, which are set out in Article 6 of the UK General Data Protection Regulation (UK GDPR).

Some categories of information require extra levels of protection. Those categories are known as ‘special categories of data’ and include information about a person’s health. When we use special categories of data, we need an additional lawful basis which is set out in Article 9 of the UK GDPR.

Our legal basis for using patient information

We are a public body and we were created by statute (which is a type of law).  We were established by the NHS Act 2006 which was amended by the Health and Social Care Act 2012.

If you are an NHS patient, when we use your information, we rely on our powers as a public body which means that our legal basis for using information will often be:

  • public task: we use your information when it is necessary for us to perform our tasks which we carry out in the public interest or in the exercise of our official authority (Article 6(1)(e), UK GDPR)

In some cases, we will have a legal obligation to use your information for a particular purpose. For example, when we are directed by the Secretary of State for Health and Social Care. In those cases, our legal basis will be:

  • legal obligation: we use your information when it is necessary to comply with our legal obligations (Article 6(1)(c), UK GDPR)

Where we use special categories of data, such as information about your health, for purposes related to providing or commissioning health services, we also rely on the following legal bases:

  • health and social care: we use your information when it is necessary for preventive or occupational medicine, for medical diagnosis, to provide health or social care or for the treatment or management of health or social care systems and services (Article 9(2)(h), UK GDPR)
  • substantial public interest: we use your information when it is necessary for reasons of ‘substantial public interest’ (Article 9(2)(g), UK GDPR)

Our legal basis for using colleague information

If you are part of the NHS England workforce, we will need to use information about you.  When we do, we will typically rely on:

  • contract: our use of your information is necessary to perform our role under our employment contract or contract for your services (Article 6(1)(b), UK GDPR)

If you are part of our workforce, we are likely to need special categories of data about you.  For example, information about your health, information about your race or ethnicity, information about your trade union membership. If we need to use special categories of data, we will usually rely on the following legal basis:

  • employment: we need to use your information in order to carry out our responsibilities relating to your employment (Article 9(2)(b), UK GDPR)

Our legal basis for using information relating to a legal claim

If you are involved in a legal claim, or potential legal claim, which also involves us, we may need to use information about you in relation to that claim or to obtain legal advice. When we use your information for this purpose, our legal basis will likely be:

  • public task: we use your information when it is necessary for us to perform our tasks which we carry out in the public interest or in the exercise of our official authority (Article 6(1)(e), UK GDPR)
  • legal obligation: we use your information when it is necessary to comply with our legal obligations (Article 6(1)(c), UK GDPR)

Where we use special categories of data relating to a legal claim, our legal basis for doing so is:

  • legal claim: our use of your information is necessary to establish, exercise or defend a legal claim (Article 9(2)(f), UK GDPR); or
  • substantial public interest: we use your information when it is necessary for reasons of ‘substantial public interest’ (Article 9(2)(g), UK GDPR)

How we use your information

You can find out more about how we use your information here.  If you have any questions about our use of your information, please contact us.

How long do we keep information about you?

We keep different information for different lengths of time. The length of time we hold the information, and whether we delete it or move it to another organisation after that time, will depend on the nature of the information and our legal obligations.

Our Corporate records retention and disposal schedule, and primary care services retention schedule explain how long we keep different types of information.  You can access the schedules here or by contacting our Customer Contact Centre.

Your rights

Under data protection law, you have a range of different rights which may apply when we use information about you. The rights which are available to you will depend on our reason for using your information.

Find out more about your rights.

Right to be informed

You have the right to be informed about our use of your information. A purpose of this privacy notice is to explain the different purposes for using your information, where we collect it from, why we use it and who we share it with. If you have any questions about our use of your information, please contact us.

Right of access

You have the right to request a copy of your information which we hold.  This right always applies, regardless of the purpose for holding your information. There are some exceptions to the right which means that you may not receive all of your information which we hold.

Further information about the right of access, including potential exemptions, can be found on the ICO website.

Right to rectification

You have the right to ask us to rectify any of your information which you consider is inaccurate. This right also extends to completing information that you feel is incomplete. For more information on your right to rectification, please visit the ICO website.

Right to erasure (‘right to be forgotten’)

You have the right to request that we erase information that we hold about you in certain circumstances. This right only applies in some circumstances. For more information about your right to get information deleted, please visit the ICO website.

Right to restriction of processing

You have the right to request that we restrict processing of any information that we hold about you, including asking us not to delete your information. This is not an absolute right, and there are some circumstances where we may not be able to comply with your request.

Right to data portability

You have the right to get the information we hold about you in a commonly used, accessible and electronic format (for example, in a csv file). This right only applies to information that you have given us, and it only applies if we are processing information based on your consent, or for the purposes of a contract between you and NHS England. For this right to apply, the information must already be held in electronic form.

Right to object

You have the right to object to us processing your information at any time. However, this right only applies in certain circumstances, and we may need to continue processing your information if we have strong, legitimate reasons for doing so. For more information on your right to object, please visit the ICO website.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Find out more about how to access your personal information or make a request in relation to other rights.