Greater Manchester Lancs & South Cumbria Senate

Privacy Notice


NHS England (or the NHS Commissioning Board, which is our legal name) uses personal and confidential information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and
  • Who it will be shared with

This document also explains what rights you have to control how we use your information. More detailed information about different aspects of our work can be found on our website.

The law determines how organisations can use personal information. The key laws are: the Data Protection Act 1998 (DPA), the Human Rights Act 1998 (HRA), relevant health service legislation, and the common law duty of confidentiality.

This document describes instances where NHS England is the “Data Controller”, for the purposes of the Data Protection Act 1998, and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties.

What information do we collect about you?

We only collect and use your information for the lawful purposes of administering the business of NHS England. These purposes include:

  • Accounting and Auditing
  • Accounts and records
  • Advertising, marketing & public relations
  • Consultancy and Advisory services
  • Crime prevention and prosecution of offenders
  • Education
  • Health administration and services
  • Information and databank administration
  • Research
  • Sharing and matching of personal information for national fraud initiative
  • Staff administration

Details for staff can be found in the Privacy Notice for Staff.

Your Information

This part of the Privacy Notice outlines what personal information we hold, why we use it and how we protect it.

What types of personal data do we handle?

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees. We also process personal information about health care professionals that deliver services throughout the NHS.

We also use information to support and monitor the health services commissioned in England to enable the delivery of high quality healthcare. This type of information will usually be provided to NHS England in an aggregate or anonymised form, so that we cannot identify an individual.

The types of personal information we use include:

  • personal details such as names, addresses, telephone numbers
  • family details for example next of kin details
  • education and training, most frequently of clinicians such as GPs
  • employment details, for example for those that work for us either directly or are commissioned by us to provide a service
  • financial details, where we provide payment for services or access to funds for individual patients
  • services, for example details of the services accessed or offered by providers
  • lifestyle and social circumstances
  • visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security
  • details held in the patient’s record, where we hold or manage the patient’s record
  • responses to surveys, where individuals have responded to surveys about healthcare issues

We also process sensitive classes of information that may include:

  • racial and ethnic origin
  • offences (including alleged offences), criminal proceedings, outcomes and sentences
  • trade union membership
  • religious or similar beliefs
  • employment tribunal applications, complaints, accidents, and incident details

This information will generally relate to our staff, covered by the Privacy Notice for Staff, or for those health care professionals we manage.

In terms of patient information, information may include:

  • physical or mental health details
  • sexual life

Information for job applicants 

NHS England will process information provided by applicants for the management of their application and the subsequent selection process. This involves providing details to the short-listing and selection panels. Other details are kept to help fulfil our obligations to monitor equality and diversity within the organisation and in the application process. You can find more information about the use of personal data throughout the application process. 

Information will be retained on interview performance and the application in line with the retention periods of NHS England. 

For more information about your application and personal data, contact the Customer Care Centre; details are included in this notice.

Applicants to roles with hosted bodies, such as Commissioning Support Units, should contact that organisation directly.

How will we use information about you? 

Your information is used to run and improve the NHS in England. It may be used to: 

  • Check and report on how effective NHS England and the services it commissions have been
  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or important incidents 
  • Make sure that NHS England gives value for money 
  • Make sure services are planned to meet patients’ needs in the future 
  • Review the care given to make sure it is of the highest possible standard 
  • Manage specialised services that NHS England commissions

We may keep your information in written form or on a computer. Whenever possible all information that identifies you will be removed.

Sharing your information

There are a number of reasons why we share information. This can be due to: 

  • Our obligations to comply with current legislation
  • Our duty to comply with a Court Order 
  • You have consented to disclosure 

NHS England is responsible for protecting the public funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

Security of your information 

We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. 

We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality. Deputy SIROs have also been appointed in region teams and local Caldicott Guardians have been appointed in region and area teams. 

All staff are required to undertake annual information governance training and are provided with an information governance user handbook that they are required to read, understand and agree to adhere to. The handbook ensures that staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information. 

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared. 

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

Retaining information 

We will only retain information for as long as necessary. Records are maintained in line with the NHS England retention schedule which determines the length of time records should be kept.

How can you get access to your personal information?

The Data Protection Act 1998 gives you the right to see the information that NHS England holds about you and why. Requests must be made in writing and you will need to provide: 

  • adequate information [for example full name, address, date of birth, NHS number, etc.] so that your identity can be verified and your information located. 
  • an indication of what information you are requesting to enable us to locate this in an efficient manner. 

A request for information from a health record has to be made with the appropriate data controller; this will be your GP or the relevant hospital trust where you were treated.

NHS England is only the data controller of GP health records where an individual is currently not registered with a GP or is deceased. For access to GP health records in these circumstances please use the list below to direct the request to the appropriate service (the list is by the geographical area of the GP):

For all other requests for personal information held by NHS England, send your request to the Customer Contact Centre (details can be found in this notice).

Where a fee is applicable under the terms of the Data Protection Act and subsequent legislation, we will inform you in writing. In due course our disbursement scheme (which outlines these fees) will be available. 

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 40 days of receipt unless there is a reason for delay that is justifiable under the Data Protection Act. 

We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know through the Customer Contact Centre.

Who we are 

NHS England has eight directorates, four regional teams and twenty-seven local area teams. It acts as a single organisation operating with one Board. Not all parts of NHS England hold personal data or identifiable patient information. Those that do include:

Nursing Directorate 

This directorate is responsible for developing a strategic approach to ensuring people have a positive experience of care and treatment and that people are cared for in a safe environment. 

The directorate holds contact details and correspondence for individuals who have participated in surveys.

Operations Directorate 

The Operations Directorate is split into two main work areas: Operations and Delivery, and Commissioning.

The Operations and Delivery National Support Team is responsible for developing an annual planning framework and ensuring that all NHS commissioning bodies develop plans in that context. The team is also responsible for Emergency Preparedness Resilience and Response.

The Direct Commissioning National Support Team is responsible for several key pieces of work within direct commissioning including: 

  • Specialised Services 
  • Primary Care (which includes GPs, pharmacists, dentists, and optometrists) 
  • Public Health 
  • Health and Justice 
  • Services for Armed Forces and their Families 
  • Primary Care Support Services Transformation Programme.  

These services are commissioned locally by the Area Teams of NHS England. In carrying out its role there may be instances where this directorate uses personal information for the benefit of its services.

Patients and Information Directorate 

The Patients and Information Directorate ensures that the NHS in England is open, responsive and transparent by giving patients, carers, public, and those who serve them, the information and support they need to make the best possible decisions.

The Patients and Information Directorate commissions a number of programmes that involve personal data but do not provide access to identifiable patient information to NHS England. For example, many involve patient feedback processes.

The programmes this directorate is involved in include:

Care Connect 

NHS England commissions Care Connect - a new initiative designed to give patients a say in the delivery of NHS services in England. The service is part of the government’s commitment to ensuring the NHS is accountable to its customers. 

Patients can Share your experience, Ask a question or Report a Problem. For more information about how Care Connect uses and protects personal data visit: 

More information about Care Connect can be found at:

NHS England and the Health and Social Care Information Centre are joint data controllers for The aim of is to ensure that the best possible evidence is available to improve the quality of care for all. 

NHS England direct the Health & Social Care Information Centre (HSCIC) to collect and process personal data for this programme. 

NHS England does not have access to any identifiable patient information collected as part of the programme. For example, only the HSCIC would be able to respond to any subject access requests. 

For more information see the FAQs which can be found at: 

or the NHS England internet page at: 

Policy Directorate  

This directorate is responsible for the Customer Contact Centre and has a contract with the HSCIC to provide a call logging system.  

This directorate uses identifiable personal information to investigate legal, complaints and information requests.  

Human Resources Directorate 

Details about how the Human Resources Directorate processes the personal data of staff can be found in the Privacy Notice for NHS England Staff.  

NHS Commissioning Support Units (CSUs)  

The NHS Commissioning Support Units provide commissioning and support services to Clinical Commissioning Groups, Area Teams and other clients.  

Further information regarding each CSU's processing of personal data can be found on their individual websites and Privacy Notices.

A list of Commissioning Support Units is available at:

We keep our Privacy Notice under regular review and we will place any updates on this webpage. This notice was last updated on 21/03/2014. 

Data Protection Notification  

NHS England is a ‘data controller’ under the DPA. We have notified the Information Commissioner that we process personal data and the details are publicly available from the:-  

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF  

How to contact us  

Please contact us if you have any questions about our privacy notice or information we hold about you: 

Customer Contact Centre  


NHS England
PO Box 16738
B97 9PT  


Phone: 0300 311 22 33 available Monday to Friday 8am to 6pm, excluding Bank Holidays in England