
UKHSA privacy notice

Updated 24 May 2022

About UKHSA

On 1 October 2021, the UK Health Security Agency (UKHSA) came into being. An executive agency of the Department of Health and Social Care (DHSC), UKHSA combines many of the health protection activities previously undertaken by Public Health England (PHE), together with all of the activities of the NHS Test and Trace Programme and the Joint Biosecurity Centre (JBC).

The processing activities previously undertaken by these organisations and their associated data processors have not changed with the establishment of UKHSA. Individual rights are not affected by this change.

We are responsible for planning, preventing and responding to external health threats, and providing intellectual, scientific and operational leadership at national and local level, as well as internationally. UKHSA will ensure the nation can respond quickly and at greater scale to deal with pandemics and future threats.

We collect and use personal information to fulfil our remit from the government.

Our main purposes for processing personal information are to:

  • prevent – anticipate threats to health and help build the nation’s readiness, defences and health security
  • detect – use cutting-edge environmental and biological surveillance to proactively detect and monitor infectious diseases and threats to health
  • analyse – use world-class science and data analytics to assess and continually monitor threats to health, identifying how best to control and mitigate the risks
  • respond – take rapid, collaborative and effective actions nationally and locally to mitigate threats to health when they materialise
  • lead – lead strong and sustainable global, national, regional and local partnerships designed to save lives, protect the nation from public health threats, and reduce inequalities

DHSC is the data controller for the personal information we collect, store and use to fulfil our remit.

This privacy notice explains the personal information we collect, how we use it and who we may share it with for these purposes. It explains what your rights are if we hold your personal information and how you can find out more or raise a concern.

UKHSA has a separate privacy notice that explains how your personal information may be used as part of the response to the coronavirus (COVID-19) pandemic.

The information we collect

The types of personal information we may collect about you include:

  • demographic information – for example, we may collect your name, date of birth, sex, ethnic group, NHS number, national insurance number, occupation, contact details (such as your address, postcode, phone number and email address) and – in specific cases – other data, such as vehicle registration number, employment information, location history, and unique identifying codes
  • health information – for example, we may collect information about your physical health, mental wellbeing, symptoms and medical diagnoses, and health risk factors such as your height and weight, smoking habits and alcohol consumption
  • treatment information – for example, we may collect information about your hospital admissions, clinic attendances, laboratory test results, prescriptions and vaccination history

How we collect your information

We collect personal information in 3 main ways: directly from you, from the providers of health and care services, and from other organisations supporting the health and care system in the UK.

Directly from you

For example, we may ask you to:

  • complete a health protection questionnaire or test registration form to collect your demographic information, information about infectious disease symptoms – and details of the people you have been in close contact with who may have been infected
  • provide information about yourself so that we can provide you with a service such as supplying a radon measurement pack or a test kit

From health and care service providers

For example, we may collect your demographic, health and treatment information from:

  • GPs and doctors – all doctors in England must inform us if you have a communicable disease such as COVID-19 or tuberculosis
  • diagnostic laboratories and other point of care test providers – all laboratories and other test providers must inform us if your test results show you have a serious disease-causing virus or bacterial infection
  • hospitals and other health treatment services – for example, we collect your information from hospitals if you have been diagnosed with a hospital-acquired infection
  • care homes – these organisations share information with us to book tests and report test results

From other organisations

For example, we may collect your demographic, health and treatment information from:

  • NHS Digital – we ask NHS Digital for your information if you receive hospital, emergency care or community service treatment for an infectious disease or other public health threat
  • NHS England and NHS Improvement – we ask NHS England and NHS Improvement for information about your COVID-19 vaccination history
  • National Pathology Exchange – we ask the National Pathology Exchange for your information if you have been tested for COVID-19 at a regional or mobile testing station or at home
  • Office for National Statistics (ONS) – we ask the ONS for information on all births and deaths in England
  • other organisations, such as schools, universities and restaurants – for example, we may ask these organisations to collect information that we use to control infectious disease outbreaks

We may also collect information from other organisations if this is necessary and proportionate to enable us to fulfil our remit.

Whenever possible, we collect information in ways that do not identify you. For example, we collect information on sexual health clinic attendances but only in a form that does not identify patients.

But there will be times when we do need to collect your personal information. If this is necessary, we will only use the minimum we need.

The purposes we use your information for

Examples of how we may use your personal information to fulfil our remit from the government include:

Preventing threats to public health

To control clusters and outbreaks of communicable disease by taking action, such as tracing your close contacts to provide them with public health advice to prevent infections from spreading.

Detecting threats to public health

To undertake laboratory tests to identify if you or others have a communicable disease or disease-causing virus or bacteria such as COVID-19, tuberculosis or norovirus.

To monitor whether you develop a hospital-acquired or drug-resistant infection, to help provide guidance and advice to the NHS on how to manage these serious threats to the safety and effectiveness of the care provided to patients.

To monitor whether you have any adverse reactions to vaccines and medicines, to help ensure these treatments are safe and effective in controlling and preventing communicable diseases.

Analysing threats to public health

To identify trends and monitor the sources and epidemiology of a wide range of communicable diseases and other risks to public health. For example, we may link your laboratory test results to information about the care you receive to understand how effective your treatment has been and to help improve the way these public health threats are controlled and prevented in future.

Responding to threats to public health

To control cases of communicable disease by providing you with advice on self-isolation, testing and treatment to prevent infections from spreading to others.

To provide you with public health advice if you have been exposed to chemical, radiological and environmental risks to public health such as water-borne diseases and sources of radiation.

Leading partnerships for public health

To share health and related information with other countries or healthcare organisations to help control and prevent the global spread of communicable diseases and other risks to public health as part of the UK’s obligations under the International Health Regulations.

Who we share your information with

We may share your personal information with other organisations to provide you with individual care or for other purposes not directly related to your health and care.

If we do share your personal information, we will only do so where the law allows, and we will only share the minimum amount of information that is necessary to protect public health.

With your doctor and hospital

We provide specialist laboratory services and give your doctor the results of the tests we are asked to carry out. We may also share your personal information with your GP and hospital to help them provide you and other patients with better care by auditing and evaluating the safety and effectiveness of the service they provide.

With local authorities and mayoral and combined authorities

Local authorities have responsibilities for protecting the health of their residents, so we may share your personal information with your local authority and mayoral and combined authority, if you live in an area with one, to help us jointly manage clusters and outbreaks of communicable disease and other incidents that present a threat to public health.

With NHS Digital

NHS Digital provides information and technology services to the health and care system. It is a public body reporting to the DHSC and collects and analyses data and information about health and care services across England.

NHS Digital has been directed by the Secretary of State for Health and Social Care and NHS England to collect and analyse data relating to COVID-19 and develop and operate IT systems to deliver services to respond to COVID-19. We share personal information on coronavirus test results and hospital admissions for COVID-19 with NHS Digital for it to use for these purposes.

With NHS England and NHS Improvement

NHS England and NHS Improvement is responsible for managing the health service in England. We share personal information about coronavirus test results and hospital admissions for COVID-19 to help it support the NHS in responding to coronavirus.

With researchers

We may share your personal information with university and other formally accredited researchers who are subject to independent oversight and control.

We only share your personal information with researchers who have approval from a medical ethics committee and have obtained either your consent or special permission from the Secretary of State for Health and Social Care or the Health Research Authority’s Confidentiality Advisory Group to use your confidential information. The Confidentiality Advisory Group provides independent advice to the Secretary of State on whether the use of confidential information is in the interests of patients and the public. This is known as ‘section 251’ approval. Section 251 of the NHS Act 2006 provides for the use of confidential information under certain circumstances. We never share personal information with researchers without these approvals.

You can opt out of us sharing your information with researchers if you choose – on this page you will:

  • see what is meant by confidential patient information
  • find examples of when confidential information is used for individual care and examples of when it is used for purposes beyond individual care
  • find out more about the benefits of sharing data
  • be able to access the system to view, set or change your opt-out setting
  • see the situations where the opt-out will not apply

We will not share your personal information with researchers if you register a choice to opt out.

With data processors

We may share your information with data processors. A data processor is an organisation other than us that we have a contract with to assist us in collecting, storing or managing your personal information.

Data processors can only use your information in the ways that we have directed them. They are not allowed to use your personal information for any purposes other than those specified by us, they are not allowed to keep your information once their work for us has ended, and they must comply with strict data security and protection requirements when processing your information on our behalf.

With international organisations

We may share your personal information with the World Health Organization or other international health organisations to help with international contact tracing. These are restricted transfers made for public interest reasons for which we rely on derogations under Article 49(1)(d) of the UK General Data Protection Regulation (UK GDPR).

With other organisations

We may also share your personal information with other organisations, as required to perform our tasks, and for the purposes described in this notice. For example, we may share information with the NHS, the public health agencies in the Devolved Administrations, and government agencies such as the Home Office, the Department for Levelling Up, Housing and Communities or the Cabinet Office.

This is to support the UK response to health protection threats by coordinating communications, interacting with local authorities and monitoring international travel to prevent and control infectious diseases and other threats to public health.

Other sharing of your information

We may also share your personal information with other organisations for public health purposes. For example, as part of the UK’s obligations under the International Health Regulations, we may share your personal information with other countries if you test positive for a notifiable disease and have recently travelled internationally. This is to help with international contact-tracing.

Wherever possible, the information we share with other organisations does not directly identify you, but there may be times when it is necessary for your personal information to be used. Any information we share that identifies you will be lawful and the minimum necessary for the purpose.

How we protect your information

We have put in place a range of organisational processes and technical security measures to protect your personal information from loss, misuse and unauthorised access, disclosure, alteration and destruction.

Your information is stored on computer systems that are kept up-to-date and regularly tested to make sure they are secure and protected from viruses and hacking. Our information technology systems use robust security protections and encryption measures.

Your personal information can only be seen by staff who have been trained to protect your confidentiality and in understanding laws and regulations such as the Data Protection Act 2018 and the UK GDPR.

Strict controls are in place to make sure they can only see your information if they need it to do their job, and they are only provided with access to the minimum necessary information. We may also share information with other organisations. Where we do, we take appropriate measures to ensure your information is used lawfully and protected.

Whenever possible, we only use your information in a form that does not directly identify you. For example, we can replace your name and NHS number with pseudonyms (a non-identifying phrase or number that replaces your personal information) and substitute your date of birth with age in years to help protect your confidentiality.

No information that could identify you will ever be published by us.

Where we store your information

We store your personal information mainly in the UK and only in other countries, where necessary, if they are formally recognised by the UK government as providing legal protections over privacy at least equivalent to those that apply here in the UK, such as the countries of the European Economic Area (EEA).

There may be circumstances in which the only viable data processor is one that processes data in other countries. Where that is the case, the processing of your personal information will be risk-assessed and necessary controls put in place to protect your personal data.

This is only done on a case-by-case basis by UKHSA’s specialist legal team and senior managers. If our data processors store your personal information outside of the UK, we always ensure that this processing fully complies with data protection law to ensure your rights over your data are protected.

How long we keep your information

We will only keep your personal information for as long as we need it to protect public health or as otherwise required by law.

Most of the time, we will keep your information in accordance with the time periods specified in the Records Management Code of Practice for Health and Social Care 2021. For example, the Code sets out an 8-year retention period for general medical records.

As one of our purposes for collecting personal information is to recognise trends and monitor the impact of diseases and conditions that have a long natural history, we may need to keep your information for longer.

Your rights over your information

Under data protection law, you have several rights over your personal information. You have the right to:

  • ask for a copy of any information we hold about you
  • ask for any information we hold about you to be changed if it is inaccurate
  • ask us to consider restricting our use of your information, although this is not an absolute right and we may need to continue to use your information in the interests of public health – we will tell you why if this is the case
  • object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us to delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority in another country
  • ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority both in the UK and in other countries, but also to you or your private health provider in a machine-readable format

You can exercise any of your rights by contacting us at InformationRights@UKHSA.gov.uk or by calling us on 020 7654 8000.

You will be asked to provide proof of your identity so that we can be sure we only provide you with your personal information.

You will not be asked to pay a charge for exercising your rights. If you make a request, we will respond to you within one month.

Our legal basis to collect, use and share your personal information may vary according to the purpose we use it for.

We process both personal information and special categories of personal information, including data about health and ethnic group. In most cases where we process your personal data to fulfil our remit, the sections of the UK GDPR and the Data Protection Act 2018 that apply will be:

  • UK GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’
  • UK GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’
  • UK GDPR Article 9(2)(h) ‘processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services’
  • UK GDPR Article 9(2)(g) ‘substantial public interest’
  • Data Protection Act Schedule 1 Part 1 (3) ‘public health’
  • Data Protection Act Schedule 1 Part 1 (2) ‘health or social care purposes’
  • Data Protection Act Schedule 1 Part 2 (6) ‘substantial public interest’

Where we process personal data to comply with a legal duty, the following section of the law may also apply:

  • UK GDPR Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation’

Where we use personal information for research purposes, the sections of the law that may also apply are:

  • UK GDPR Article 9(2)(j) ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’
  • Data Protection Act 2018 Schedule 1 Part 1 (4) ‘research’

Where personal data is shared with other countries for the purpose of international contact tracing, the following UK GDPR derogation for specific situations applies:

  • UK GDPR Article 49(1)(d) ‘the transfer is necessary for important reasons of public interest’

Where personal information from the COVID-19 contact tracing service is provided to the Police to investigate if someone is not self-isolating, the sections of the law that may also apply are:

  • UK GDPR Article 10 ‘data relating to criminal convictions and offences’
  • Data Protection Act 2018 Schedule 1 Part 2 (6) ‘statutory etc. and government purposes’

Where we process personal information as part of the UK response to the COVID-19 pandemic, the sections of the law that may also apply are:

  • Data Protection Act Schedule 1 Part 1 (1) ‘employment, social security and social protection’
  • Data Protection Act Schedule 1 Part 2 (6) ‘statutory etc. and government purposes’
  • Data Protection Act Schedule 1 Part 2 (19) ‘processing for archiving, research and statistical purposes: safeguards’

Our duty of confidentiality

To fulfil our remit, we may need to use your confidential patient information without asking for your consent.

We have ‘section 251’ approval from the Secretary of State for Health and Social Care to do this for the purpose of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health.

The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.

How to find out more or raise a concern

If you have any concerns about how we use and protect your personal information, you can contact the Department of Health and Social Care’s Data Protection Officer at data_protection@dhsc.gov.uk or by writing to:

Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU

You also have the right to contact the Information Commissioner’s Office if you have any concerns about how we use and protect your personal information. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website at www.ico.org.uk or writing to the ICO at:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

About this privacy information

The personal information we collect and use may change, so we may need to revise this notice. If we do, the publication date provided at the top of this notice will change.