Privacy and cookies
This Privacy Notice tells you what to expect when NHS Digital collects personal information.
By providing us with your details, you are giving your consent that your personal information may be processed for the purposes necessary to conduct and improve our services. When collecting your personal information we will explain what we intend to do with it.
Information captured by our website
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to see what have been set and how to manage and delete them, visit www.allaboutcookies.org.
If you do nothing other than read pages or download information, we will capture and store information about your visit. This information will not identify you, it relates to:
- The internet domain (e.g. www.bbc.co.uk) and IP address from which you access the website
- The type of browser (Internet Explorer or Firefox etc) and operating system you use (Windows, Mac OS, UNIX)
- The date and time of your visit
- The pages you visit
- The address of the web site from which you linked to us (if applicable)
What do we use the information for?
We use this information to make each visit more rewarding and to provide us with information to help improve our service. We do not know (and do not wish to know) the identities of the individuals who visit our website.
Receiving communications from NHS Digital
If you do not wish to receive any information from us please let us know at the point you first contact us or by emailing email@example.com.
If you already receive correspondence from NHS Digital and no longer want to, please email firstname.lastname@example.org and let us know what you want to unsubscribe from. We will remove your details from any tools or products that you tell us you are registered for, and will stop any communications updates.
In messages to some of our mailing lists, we automatically add a piece of code that requests a small image from our web servers. When a reader opens the email, the image is downloaded. The download is recorded as an "open" for that specific message to your email address.
This information is used to monitor the effectiveness of our mailing lists. We only use it in summary form, for example "2,000 people opened the message".
You can control whether this information is downloaded onto your computer one of two ways:
You can configure your mail software to not download the image, or
You can unsubscribe or choose not to sign up to the mailing list.
By default, most mail software will be configured to not download the image. If you wish to check or configure it yourself, you can read more about how to do this.
When you sign up to one of our mailing lists, we do not pass your email address to any third parties. We also do not sign you up to our other mailing lists, only the one you have chosen to subscribe to.
In order to meet our public task as the national source of health and social care information NHS Digital collects and process a range of information relating to individuals in their capacity as service users or patients. This includes information on:
- public health
- audits and performance
- mental health
- primary care
- hospital care
- adult social care
- NHS workforce and estates
In addition to the above, NHS Digital collects and processes information relating to its customers and stakeholders for business purposes. All personal information is handled with the utmost care and attention - whether on paper, electronically, or other means - and safeguards are in place to ensure the Data Protection Act 1998 is adhered to. You can read more about how we look after personal information.
NHS Digital regards the fair and lawful processing of personal information as essential in order to successfully achieve its objectives and ensure the support and confidence of the general public and stakeholders.
Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner's Office (ICO), unless they are exempt. Failure to notify is a criminal offence.
As a data controller NHS Digital provides the ICO with details about their processing of personal information. The ICO publishes certain details in the register of data controllers, including the name and address of data controllers and a description of the kind of processing they do. You can read this register on the ICO website (external).
The Principles of The Data Protection Act 1998, as set out below are fully endorsed by NHS Digital. The eight principles require that personal information:
1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose of those purposes.
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
4. Shall be accurate and, where necessary, kept up to date
5. Shall not be kept for longer that is necessary for the specified purpose(s)
6. Shall be processed in accordance with the rights of data subjects under the Act
7. Should be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, or the accidental loss, destruction, or damage to personal data
8. Shall not be transferred to a country or territory outside the European economic area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Access to your personal information
You are entitled to obtain a copy of the personal information held about you by NHS Digital. Any request to access or obtain a copy of this information will be considered under Section 7 of the Data Protection Act.
To make a request for personal information, email email@example.com
or write to:
Information Governance Compliance Team
Health and Social Care Information Centre
1 Trevelyan Square
There are robust security measures in place for all personal information held by NHS Digital to protect against the loss or alteration of information under the organisation's control. If you have any questions about our privacy notice or the information we hold please contact us at the above address.
Privacy Impact Assessment
We have completed a Privacy Impact Assessment [527kb] which tells you what NHS Digital does with personal information and what effect that might have on privacy. It also explains what steps NHS Digital takes to protect privacy. The Privacy Impact Assessment will be looked at every year to see if it needs to be updated.
Our privacy notice only relates to information that we obtain from you. If you visit a website operated by a third party through a link included on this website your information may be used differently by the operator of the linked website. When you are moving to another site you are advised to read the privacy notice relating to that website.