Transparency Notice
How we use your personal data
This notice explains how we use personal data, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also sets out your rights, and how you can exercise them.
Who we are
NHS Digital was the national body responsible for collecting, analysing and publishing health and care data, and for providing national technology and information systems.
In February 2023, NHS Digital merged with NHS England. This means NHS England is now responsible for NHS Digital’s previous functions, including information standards, data services, cyber security support, and the management of national NHS systems.
Our legal duties include:
Collecting, analysing and publishing health and care data
Providing technology systems and digital infrastructure
Producing information standards
Supporting health and care organisations with data and cyber security
Controller
NHS England (incorporating the former NHS Digital) is the data controller for most of our processing of personal data, registered with the Information Commissioner’s Office (ICO) as required by law.
Data Protection Officer (DPO)
Our Data Protection Officer (DPO) is responsible for monitoring compliance and advising on data protection obligations.
You can contact the DPO at:
📧 england.dpo@nhs.net
📮 NHS England, Quarry House, Quarry Hill, Leeds, LS2 7UE
Legal basis for processing
We process personal data where there is a clear legal basis under UK GDPR. This includes:
Legal obligation – where the law requires us to process data
Public task – where processing is necessary for official NHS functions in the public interest
Depending on the legal basis, not all data subject rights apply. For example:
If processing is under public task, rights such as erasure and portability may not apply
If processing is under legal obligation, rights such as erasure, portability, objection, automated decision-making and profiling may not apply
Your rights
You have rights over your personal data. These include:
Right to be informed
Right of access
Right to rectification
Right to erasure (where applicable)
Right to restrict processing
Right to data portability (where applicable)
Right to object (where applicable)
Rights in relation to automated decision making and profiling (where applicable)
👉 More detail: Your data protection rights – ICO
National data opt-out
You can choose whether your confidential patient information is used for research and planning purposes. This choice is called the national data opt-out.
👉 More detail: National data opt-out
Requesting a copy of your information
If you would like a copy of personal data processed by NHS England (formerly NHS Digital):
Please complete a Subject Access Request (SAR) form, available on the NHS England website
Email or post the completed form to the Holes Lane Medical Centre (cmicb-war.recholeslane@nhs.net)
Sharing information
We only share information where it is lawful, necessary and proportionate.
Organisations requesting access to health and care data must apply through the Data Access Request Service (DARS).
We do not share information with marketing or insurance companies without explicit consent.
All approved data releases are published on our Data Release Register.
Data retention
We follow NHS England’s Records Management Policy, which sets out how long information is kept and when it will be securely destroyed. Specific retention periods vary depending on the purpose of processing.
Complaints
If you are unhappy with how your data has been used, you can:
Contact our Data Protection Officer (Lindsey Bate – cmicb-war.recholeslane@nhs.net)
Raise a complaint via the NHS England complaints procedure
Contact the Information Commissioner’s Office (ICO) at any time:
👉 ICO website
📞 0303 123 1113
✅ This transparency notice has been updated to reflect NHS Digital’s merger into NHS England and is correct for patients in Warrington, Cheshire (October 2025).
