GPES data collection transparency notice

Transparency notice: how we use your personal data

This page sets out how we use personal data, in line with the General Data Protection Regulation (GDPR). It includes a register of processing activities, and your rights if information about you is included.

NHS Digital is the name we operate under. Our official name is the Health and Social Care Information Centre, which was created by the Health and Social Care Act 2012 as an executive non-departmental public body reporting to the Department of Health and Social Care.

Our legal duties include collecting, analysing and publishing health and care data, providing national technology infrastructure, producing information standards and providing advice and support on information and cyber security. Read more about NHS Digital.

This transparency notice provides information on our data processing activity.


NHS Digital is the Controller for most of our processing of personal data and is registered as required by Data Protection legislation.

Our Data Protection Officer is Kevin Willis, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, and can be contacted via [email protected].

Legal basis for processing

As an executive non-departmental body reporting to the Department of Health and Social Care most of our processing activity is directed by the Secretary of State for Health and Social Care. These directions create a legal obligation for our processing. Where we have a different legal basis to support a processing purpose this will be explained.

Your rights

Data protection laws in the UK give people a number of rights concerning their personal data. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.

When you view an entry in our register of processing activities, we have highlighted which rights apply and which may not. To help understand why some may not apply the following should help.

Examples of where rights may not apply – where our lawful basis is:

  • Public Interest (Task) then rights of erasure, portability do not apply.
  • Legal Obligation then rights of erasure, portability, objection, automated decision making and profiling do not apply

If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.

These rights are:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights in relation to automated decision making and profiling.

We want you to feel confident that we look after everyone’s personal data in line with the law. If you have any questions about your rights, you can get in touch with us at [email protected].

Your choices

You can also read more about other choices you have, including the national data opt out, which are provided over and above the rights that Data Protection Legislation gives you, giving you more control and confidence over how we use your data.

Requesting a copy of your information

Typically, we collect information from health and care organisations providing your care and would advise contacting them directly for a more complete record of your care or treatment. We do not hold your whole medical or care record.

Where we store and use personal data collected from care and treatment records, it is mostly held as codes rather than words. We will provide a list of codes used to help you understand the information we give you. If you would like to request a copy of your personal data that NHS Digital is processing then you will need to complete a Subject Access Request Form and email or post it to the contact details on the form.

Following your request, we may write back to you within the 30-day timeframe to request you to narrow or modify your requirements. This may also result in an extension of a further 60 days whilst we examine your request.

Sharing information

There are very strict rules about who can access the personal data we process, and what it can be used for. When information is shared with other organisations, these organisations have to go through our Data Access Request Service to make sure they will store it safely and legally, and they have a good reason for using it that will benefit health and care. Information is never passed to marketing or insurance companies without consent. We publish all of our data releases on our data release register

Data retention

All data is retained and erased in accordance with our Records Management Policy. Specific retention periods are identified within each processing purpose listed below. If a specific purpose requires a different retention period outside of our policy this will be explained.


If you wish to raise a complaint concerning NHS Digital’s processing activity, visit our Feedback and Complaints page. You also have the right to raise a concern with the Information commissioner’s Office at any time.