Brief summary of changes
Following an annual review of this policy:
- sections from policy section moved to scope section
- key terms moved to Annex A
- roles and responsibilities summarised
- breach of policy section moved to end of section 3
- links in additional resource section corrected
1. Introduction
1.1 This is NHS England’s overarching policy for data protection (policy). It explains how NHS England aims to meet the highest data protection standards.
1.2 This policy is supported by other more detailed NHS England data protection policies, standards, procedures, processes, and guidance documents. It should also be read alongside the Information governance framework policy and related cyber, information security and ICT acceptable use policies, procedures, processes, and guidance documents.
1.3 This policy sets out:
a. key definitions used in the policy
b. the information to which this policy applies
c. the key data protection laws of the UK and how they are enforced
d. NHS England’s approach to data protection
e. your responsibilities for complying with the data protection principles
f. your responsibility for compliance with individual rights and requests made by individuals to exercise their rights
g. your responsibilities for identifying and reporting potential personal data breaches
h. the consequences of breaching this policy
i. roles and responsibilities
2. Scope
2.1 All NHS England directorates and regions fall within the scope of this policy. This includes staff who are employed on a permanent, fixed term or zero-hours basis, contractors, temporary staff, secondees and volunteers. It also covers nonexecutive directors and nonexecutive associate directors. We use the term ‘staff’ within this policy to cover all of these different types of staff.
2.2 Staff of the following NHS areas are also within the scope of this policy:
a. all commissioning support units
b. all other NHS England hosted bodies, such as strategic clinical networks and clinical senates
2.3 Compliance with this policy is mandatory.
The information to which this policy applies
2.4 This policy applies to all personal data we process, or which is processed by others on our behalf, and for which we are responsible, regardless of whether that data relates to NHS patients, NHS England staff or others. This policy therefore applies to all personal data we process whether as a controller, a joint controller or as a processor.
2.5 Although not covered by data protection legislation, this policy also applies to all information relating to an identified or identifiable person who has died, including patients and staff who have died, as we take the same steps to protect and appropriately process data about individuals who have died as we do to data about the living.
Glossary of terms
2.6 In the glossary in Appendix A we set out the meaning of terms used in this policy.
Data protection laws
2.7 We are required to comply with laws relating to data protection including:
a. The UK General Data Protection Regulation (UK GDPR)
b. The Data Protection Act 2018 (DPA 2018)
c. The Common Law Duty of Confidentiality
d. The Privacy and Electronic Communications (EC Directive) Regulations 2003
2.8 The Information Commissioner’s Office (ICO) is the UK regulator with responsibility for overseeing and enforcing data protection law. The ICO sets standards on data protection, issues guidance, considers complaints and has a range of regulatory powers to require and enforce compliance with data protection law.
3. Policy statement
NHS England’s approach to data protection
3.1 Data protection and information governance are the responsibility of everyone within NHS England. This policy and our related confidentiality, records management, other information governance and security policies set out what we expect from you when handling personal data. This enables NHS England to comply with data protection laws and regulatory requirements and guidance and meet the highest data protection, information governance and security standards.
3.2 We recognise that meeting the highest data protection, information governance and security standards is essential for NHS England to maintain public trust and confidence in the organisation and the wider NHS.
3.3 Protecting the confidentiality, availability and integrity of personal data is a critical responsibility that we take seriously, at all times.
Your responsibility for compliance with the data protection principles
3.4 Everyone to whom this policy applies is responsible for ensuring that we always comply with the 6 data protection principles set out in the UK GDPR when processing personal data. The data protection principles form the spine of the data protection laws in the UK. We generally assess how we satisfy each of these principles when we carry out a data protection impact assessment (DPIA). Any failure to comply with the principles can potentially:
a. seriously and adversely impact individuals, causing harm, damage and distress
b. damage public trust in the NHS’s use of personal data
c. result in enforcement action against NHS England by the ICO
d. result in legal action against NHS England, including for compensation
3.5 The data protection principles require:
a. Personal data to be processed lawfully, fairly and transparently (lawfulness, fairness and transparency). This means that we must ensure that:
- We have a legal basis under UK GDPR, the Common Law Duty of Confidentiality and as part of our statutory functions to process all personal data. There are additional legal requirements that apply to us when we process special category data and criminal conviction and offences data. This includes:
- putting in place an ‘appropriate policy document’ for processing special category data and criminal offences personal data. This policy is our appropriate policy document
- where we process special category data about health, we should also comply with the Caldicott Principles and the Confidentiality policy.
- We only obtain and process personal data fairly, in a way that people would expect.
- We provide information about the personal data we process, including explaining the legal basis and purposes for which we process personal data, how long we keep it, and who we may share it with in privacy notices or transparency notices that we publish.
b. Personal data to be collected only for specified, explicit and legitimate purposes (purpose limitation).
c. Personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is used (data minimisation).
d. Personal data to be accurate and kept up to date (accuracy).
e. Personal data not to be kept in a form which permits identification of individuals for longer than is necessary for the purposes for which the data is used (storage limitation). This includes complying with our Records management policy in relation to the processing of documents and records containing personal data.
f. Personal data to be processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful use and against accidental loss, destruction or damage (security, integrity and confidentiality). This means that we must ensure that:
- we take all reasonable steps to protect the security of personal data including protecting our IT systems and personal data from cyber-attacks, but also from internal misuse and accidental loss or disclosure
- we implement appropriate physical, technical and organisational measures and controls to ensure a level of security appropriate to the risks to individuals from a breach of security.
g. That we are responsible for and must be able to demonstrate compliance with the data protection principles listed above (accountability). This means that we must ensure that:
- We have appropriate policies and procedures in place and staff have suitable training and are aware of their responsibilities when processing personal data
- We implement privacy by design when we process personal data. This means we should develop and operate our products, services, carry out our business operations and exercise our statutory functions with privacy and compliance with the data protection principles and individuals’ rights designed in by default.
- We meet certain compliance requirements set out in data protection legislation including:
- carrying out data protection impact assessments (DPIAs) when we process personal data that may give rise to high risks to individuals. This includes where we process personal data about health. Our Data protection impact assessment procedure provides detailed guidance on carrying out DPIAs, including when they must be carried out and updated, who is responsible for this and the procedure for carrying them out and approving them before processing occurs
- ensuring we have written contracts in place with processors who process personal data on our behalf which comply with data protection law. We do this through putting in place data processing agreements
- ensuring we document arrangements for processing personal data with other controllers where we are joint controllers. We do this through putting in place joint controller agreements or tables of responsibility
- maintaining records of our processing of personal data
- ensuring that any transfer of personal data outside the UK complies with data protection law. We will be publishing a separate International data transfer policy with details of how we do this
- appointing a data protection officer.
Your responsibility for compliance with individuals’ rights and requests made by individuals to exercise their rights
3.6 Individuals have certain rights in relation to their personal data under data protection law which NHS England must respect and respond to generally within 1 month.
3.7 Right of access to personal data:
This includes responding to requests from individuals for access to the personal data we process about them, including providing copies of it. This is called a subject access request.
a. If you receive a request in writing from an individual for access to their personal data, you should send this immediately to dpo@nhs.net in accordance with the subject access request procedure.
b. Do not alter, deface, block, erase, destroy or conceal records with the intention of preventing disclosure in response to a subject access request as this may be a criminal offence.
3.8 Other rights: NHS England must also consider and respond to:
a. Objections to our processing of personal data, or to requests to restrict our processing of personal data.
b. Requests to rectify the personal data we process where it is inaccurate or incomplete, and in limited circumstances, requests to delete personal data.
If you receive a request in writing from an individual to exercise any of these rights, you should send this immediately to the Data Protection and Trust team at england.dpo@nhs.net.
Your responsibility for identifying and reporting personal data breaches
3.9 We have a duty to report certain personal data breaches to the ICO within 72 hours of becoming aware of them. In certain circumstances we must also notify those individuals impacted by a personal data breach without undue delay. We also need to take appropriate action to mitigate the impact of a personal data breach and minimise the risk to individuals quickly.
3.10 It is therefore critical that, if a potential personal data breach occurs, staff recognise that it may be a personal data breach and report it immediately to the National Service Desk on 0113 518 0000 in accordance with the incident reporting procedure. This will initiate a personal data breach investigation process involving the Data Protection Officer’s team.
Breaches of this policy and criminal offences
3.11 A breach of this policy may result in disciplinary proceedings and in certain circumstances the commission of a criminal offence.
3.12 Under section 170(1) of the DPA 2018, it is a criminal offence for a person to knowingly or recklessly:
a. Obtain or disclose personal data without the consent of the controller (for example, NHS England). For example, accessing personal data about an individual on NHS England IT systems when you have no legitimate business need to do so. This includes accessing healthcare records inappropriately.
b. Procure the disclosure of personal data to another person without the consent of the controller (for example, NHS England).
c. After obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
3.13 Under section 171 of the DPA 2018, it is a criminal offence for a person to knowingly or recklessly re-identify information that is de-identified personal data without the consent of the controller (for example, NHS England) who was responsible for de-identifying the personal data. For example, re-identifying data which has been pseudonymised in a dataset when you have no legitimate business need to do so.
3.14 It is a criminal offence under section 173 of the DPA 2018 to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making a subject access request would have been entitled to receive.
3.15 A breach of this policy through intentional or reckless misuse of personal data, including accessing personal data about an individual on NHS England IT systems when you have no legitimate business need to do so, may also constitute a criminal offence under the Computer Misuse Act 1990.
4. Roles and responsibilities
The roles and responsibilities relating to data protection and information governance within NHS England are set out below.
All NHS colleagues and others who this policy applies to
It is the responsibility of everyone to whom this policy applies to adhere to this policy and all associated data protection, information governance and information security policies and procedures.
Everyone to whom this policy applies is required to:
- ensure that they take into account and comply with the data protection principles when processing or planning to process personal data
- ensure they identify and send any subject access request immediately to dpo@nhs.net
- ensure they identify and send individual rights requests immediately to the DPO at dpo@nhs.net
- ensure they do not transfer or allow personal data to be accessed from outside the UK without ensuring the processing complies with the law through following the global data transfer procedure
- ensure they identify and report any potential or actual personal data breaches immediately to the National Service Desk on 0113 518 0000
Chief executive
Overall accountability for procedural documents across the organisation lies with the chief executive, who, as the accounting officer, has overall responsibility for meeting all statutory, legal and regulatory requirements relating to data protection, information governance and information security in relation to the processing of personal data by NHS England.
Caldicott Guardian
The Caldicott Guardian is an advocate for patients and acts as the conscience of the organisation for patient information, patient confidentiality, patient information sharing issues and the proper management of patient information. The role of the Caldicott Guardian is advisory. Within NHS England the Caldicott Guardian responsibility is under the remit of the national medical director.
The day-to-day responsibilities of the Caldicott Guardian are carried out by the Deputy Caldicott Guardian and the Caldicott Guardian team. As the functions of the Caldicott Guardian and the data protection officer overlap, the Caldicott Guardian and Data Protection and Trust team often work together.
Senior information risk owner (SIRO)
The SIRO is a senior advocate for data protection and security matters at board level.
The responsibilities of the SIRO include:
- staying informed about information risks, including data security and protection risks, and managing those risks
- signing off key elements of the Data security and protection toolkit
- providing leadership during a major incident or breach, ensuring that the organisation’s approach to information risk is communicated to all staff and effective in terms of resource, commitment and execution
Data protection officer (DPO)
It is a legal requirement under UK GDPR for NHS England to appoint a DPO. The DPO is an independent data protection advisory role held by an expert in data protection (deputy director of data protection and trust). The DPO and the Data Protection and Trust team are part of the Privacy, Transparency, and Trust Sub-Directorate.
Information asset owners (IAOs)
IAOs need to ensure information is used in compliance with all legal requirements, including data protection and information governance requirements.
5. Equality and health inequalities assessment
As part of the development of this policy, its impact on equality has been analysed and no detriment identified.
6. Additional resources
Supporting data protection and information governance policies, procedures, standards, templates, guidance and advice can be found below:
- NHS England’s information governance and data protection policies and procedures, including:
- Confidentiality policy
- Records management policy
- Procedure for data protection impact assessments
- NHS England’s information governance intranet page
- NHS England’s Information Governance Query Management Portal
- Information Commissioner’s Office website
Appendix A – Key definitions used in this policy
The following terms are used in this policy and have the meanings set out below:
Caldicott Principles
The Caldicott Principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes. The principles are:
- Principle 1: We shall justify the purpose(s) for using confidential information.
- Principle 2: We shall use confidential information only when it is necessary.
- Principle 3: We shall use the minimum necessary confidential information.
- Principle 4: Access to confidential information should be on a strict need-to-know basis.
- Principle 5: Everyone with access to confidential information should be aware of their responsibilities.
- Principle 6: We shall comply with the law.
- Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality.
- Principle 8: We shall inform patients and service users about how their confidential information is used.
Controller
A controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data or who is obliged under legislation to process the personal data.
Criminal offence and conviction data
Personal data relating to criminal convictions and offences, including the alleged commission of offences by a person. Also proceedings for an offence committed or alleged to have been committed, including sentencing.
Data protection
The protection of personal data and the actions we take to ensure that we comply with the law.
Data protection principles
The principles set out in Article 5 of the UK GDPR and section 3.5 of this policy.
DPIA(s)
Data protection impact assessments (DPIAs) in a form that meets the requirements of UK GDPR.
Incident
An actual or suspected security breach or data loss incident.
ICO
Information Commissioner’s Office.
Information governance
This is our overall strategy and framework we apply for managing information within our organisation. Good information governance supports our compliance with our data protection obligations.
Joint controller
Where 2 or more controllers jointly determine the purposes and means of processing, they are joint controllers.
Personal data
Has the meaning given in UK GDPR being any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to 1 or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of this policy this also includes information relating to deceased patients or service users. Personal data can be directly identifiable personal data or pseudonymised data.
Personal data breach
Has the meaning given in UK GDPR being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Privacy notice
Means a notice providing transparency and privacy information to the public as required by UK GDPR.
Process or processing
Has the meaning given in UK GDPR being any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Processor
Has the meaning given in UK GDPR being a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Pseudonymisation
Has the meaning given in UK GDPR being the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Pseudonymised data
Personal data that has undergone pseudonymisation.
Subject access request
A request from individuals for access to the personal data we process about them, including providing copies of it.
Special category personal data
Means the special categories of personal data defined in Article 9(1) of UK GDPR being personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
UK GDPR
UK GDPR as defined in and read in accordance with the Data Protection Act 2018.
Policy prepared by: Jon Moore, Deputy Director of Data Protection and Trust (Data Protection Officer), Privacy, Transparency, and Trust Sub-Directorate, Delivery Directorate
Policy owner: Jackie Gray, Director of Privacy, and Information Governance, Privacy, Transparency, and Trust Sub-Directorate, Delivery Directorate
Policy approved by and date: Steve Russell, Chief Delivery Officer, 18 March 2025
This is a controlled document. Whilst this document may be printed, the electronic version posted on the NHS England website is the controlled copy. Any printed copies of this document are not controlled.
As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the NHS England website.