NHS England as a data controller

NHS England is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018. Our legal name is the NHS Commissioning Board. Our head office address is:

NHS England London
Skipton House
80 London Road
London
SE1 6LH

How to contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Customer Contact Centre
Telephone: 0300 311 22 33
Email: england.contactus@nhs.net
Post: NHS England, PO Box 16738, Redditch, B97 9PT

Our opening hours are: 8am to 6pm Monday to Friday, except Wednesdays when we open at the later time of 9.30am.

Contact details of our Data Protection Officer

NHS England’s Data Protection Officer is:

Carol Mitchell
Head of Corporate Information Governance and Data Protection Officer
Transformation & Corporate Operations Directorate
NHS England
Quarry House
Quarry Hill
Leeds
LS2 7UE

E-mail: england.dpo@nhs.net

The role of the Data Protection Officer

As a public authority, NHS England is required to appoint a data protection officer (DPO). This is an essential role in facilitating ‘accountability’ and the organisation’s ability to demonstrate compliance with the GDPR. The essential qualities of the role are to provide support, advice and assurance on all NHS England’s activities that involve processing personal data. She reports on compliance to our senior management team, and is empowered to raise data protection matters with our Board if necessary.

Carol has expert knowledge of data protection law and practices, and a detailed understanding of how NHS England processes personal data. As Head of Corporate Information Governance, she oversees a dedicated DPO team, and information governance staff whose job it is to support NHS England centrally and across our regions.

NHS England has a comprehensive suite of policies and procedures that addresses all aspects of information governance and data protection. These govern how we ensure that the personal data we are responsible for is processed and shared lawfully, and that people’s data protection rights are respected.

Our legal basis for processing personal data

NHS England is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. As such, our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the GDPR. The legal basis for the majority of our processing is:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

  • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories of data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories of personal data for purposes related to the commissioning and provision of health services, the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…

Where we process special categories of data for employment or safeguarding purposes, the condition is:

  • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…

NHS England may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

In ‘How we use your information’ we set out most of the key ways in which we may process your personal data for the purposes of, or in connection with, our statutory functions. If you want to know more about how we process your data, please contact our Customer Contact Centre.

How long do we keep information about you?

You can obtain a copy of our Corporate Records Retention and Disposal Schedule and Primary Care Services Retention Schedule from our Privacy Notice web site, or by contacting our Customer Contact Centre. We also comply with the Records Management Code of Practice for Health and Social Care published by the Information Governance Alliance.

Your rights

The GDPR includes a number of rights that are more extensive than those in the Data Protection Act 1998. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.

Right to be informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.

A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your, or somebody else’s, physical or mental health.

Right to rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to erasure (‘right to be forgotten’)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to restriction of processing

You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to data portability

This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and NHS England. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of NHS England’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Website: ico.org.uk