Guidance

UKHSA privacy notice

Updated 10 July 2024

About UKHSA

On 1 October 2021, the UK Health Security Agency (UKHSA) came into being. An executive agency of the Department of Health and Social Care (DHSC), UKHSA combines many of the health protection activities previously undertaken by Public Health England (PHE), together with all of the activities of the NHS Test and Trace Programme and the Joint Biosecurity Centre (JBC).

We are responsible for planning, preventing and responding to external health threats, and providing intellectual, scientific and operational leadership at national and local level, as well as internationally. UKHSA will ensure the nation can respond quickly and at greater scale to deal with pandemics and future threats.

We collect and use personal information to fulfil our government remit.

Our main purposes for processing personal information are to:

  • prevent – anticipate threats to health and help build the nation’s readiness, defences and health security
  • detect – use cutting-edge environmental and biological surveillance to proactively detect and monitor infectious diseases and threats to health
  • analyse – use world-class science and data analytics to assess and continually monitor threats to health, identifying how best to control and mitigate the risks
  • respond – take rapid, collaborative and effective actions nationally and locally to mitigate threats to health when they materialise
  • lead – lead strong and sustainable global, national, regional and local partnerships designed to save lives, protect the nation from public health threats, and reduce inequalities

DHSC is the data controller for the personal information we collect, store and use to fulfil our remit.

This privacy notice explains the personal information we collect, how we use it and who we may share it with for these purposes. It explains what your rights are if we hold your personal information and how you can find out more or raise a concern.

The information we collect

The types of personal information we may collect about you include:

  • demographic information – for example, we may collect your name, date of birth, sex, ethnic group, NHS number, national insurance number, occupation and contact details (such as your address, postcode, phone number and email address)
  • health information – for example, we may collect information about your physical health, mental wellbeing, symptoms and medical diagnoses, and health risk factors
  • treatment information – for example, we may collect information about your hospital admissions, clinic attendances, laboratory test results, prescriptions and vaccination history

How we collect your information

We collect personal information in 3 main ways:

  • directly from you
  • from the providers of health and care services
  • from other organisations supporting the health and care system in the UK

Directly from you

For example, we may ask you to:

  • complete a health protection questionnaire or test registration form to collect your demographic information, information about infectious disease symptoms – and details of the people you have been in close contact with who may have been infected
  • provide information about yourself so that we can provide you with a service such as supplying a radon measurement pack or a test kit

From health and care service providers

For example, we may collect your demographic, health and treatment information from:

  • GPs and doctors – all doctors in England must inform us if you have an infectious disease such as COVID-19, tuberculosis or measles
  • diagnostic laboratories and other point of care test providers: all laboratories and other test providers must inform us if your test results show you have a serious disease-causing virus or bacterial infection
  • hospitals and other health treatment services – for example, we collect your information from hospitals if you have been diagnosed with a hospital-acquired infection
  • care homes – these organisations share information with us to report infectious disease cases and outbreaks

From other organisations

For example, we may collect your demographic, health and treatment information from:

  • NHS England – we ask NHS England (which includes the former NHS Digital) for your information if you receive hospital, emergency care or community-based prevention or treatment services relating to infectious diseases and other public health threats
  • Office for National Statistics (ONS) – we ask the ONS for information on all births and deaths in England
  • other organisations, such as schools, universities and restaurants – for example, we may ask these organisations to provide information that we use to respond to infectious disease outbreaks

We may also collect information from other organisations if this is necessary and proportionate to enable us to fulfil our remit.

Whenever possible, we collect information in ways that do not identify you. For example, we collect information on sexual health clinic attendance but only in a form that does not identify patients. But there will be times when we do need to collect your personal information. If this is necessary, we will only use the minimum we need.

The purposes we use your information for

Examples of how we may use your personal information to fulfil our remit from the government include:

Preventing threats to public health

To control clusters and outbreaks of infectious disease by taking action, such as tracing your close contacts to provide them with public health advice to prevent infections from spreading.

Detecting threats to public health

To undertake laboratory tests to identify if you or others have an infectious disease or disease-causing virus or bacteria such as COVID-19, tuberculosis or norovirus.

To monitor whether you develop a hospital-acquired or drug-resistant infection, to help provide guidance and advice to the NHS on how to manage these serious threats to the safety and effectiveness of the care provided to patients.

To monitor whether you have any adverse reactions to vaccines and medicines, to help ensure these treatments are safe and effective in controlling and preventing infectious diseases.

Analysing threats to public health

To identify trends and monitor the sources and epidemiology of a wide range of infectious diseases and other risks to public health. For example, we may link your laboratory test results to information about the care you receive to understand how effective your treatment has been and to help improve the way these public health threats are controlled and prevented in future.

Responding to threats to public health

To control cases of infectious disease by providing you with advice on self-isolation, testing and treatment to prevent infections from spreading to others.

To provide you with public health advice if you have been exposed to chemical, radiological and environmental risks to public health such as water-borne diseases and sources of radiation.

Leading partnerships for public health

To share health and related information with other countries or healthcare organisations to help control and prevent the global spread of infectious diseases and other risks to public health as part of the UK’s obligations under the International Health Regulations.

Who we share your information with

We may share your personal information with other organisations to provide you with individual care or for other purposes not directly related to your health and care.

If we do share your personal information, we will only so where the law allows, and we will only share the minimum amount of information that is necessary to protect public health.

With your doctor and hospital

We provide specialist laboratory services and give to your doctor the results of the tests we are asked to carry out. We may also share your personal information with your GP and hospital to help them provide you and other patients with better care by auditing and evaluating the safety and effectiveness of the service they provide.

With local authorities and mayoral and combined authorities

Local authorities have responsibilities for protecting the health of their residents, so we may share your personal information with your local authority and mayoral and combined authority, if you live in an area with one, to help us jointly manage clusters and outbreaks of infectious disease and other incidents that present a threat to public health.

With NHS England

NHS England leads the NHS in England to deliver high-quality services for all. As part of this, it provides information and technology services to the health and care system. It also collects and analyses data about health and care across England. We share personal information with NHS England on infectious disease test results and hospital admissions for diseases such as COVID-19 for these purposes.

With researchers

We may share your personal information with university and other formally accredited researchers who are subject to independent oversight and control.

We only share your personal information with researchers who have approval from a medical ethics committee and have obtained either your consent or special permission from the Secretary of State for Health and Social Care or the Health Research Authority’s Confidentiality Advisory Group to use your confidential information. The Confidentiality Advisory Group provides independent advice to the Secretary of State on whether the use of confidential information is in the interests of patients and the public. This is known as ‘section 251’ approval. Section 251 of the NHS Act 2006 provides for the use of confidential information under certain circumstances. We never share personal information with researchers without these approvals.

You can opt out of us sharing your information with researchers if you choose – on this page you will:

  • see what is meant by confidential patient information
  • find examples of when confidential information is used for individual care and examples of when it is used for purposes beyond individual care
  • find out more about the benefits of sharing data
  • be able to access the system to view, set or change your opt-out setting
  • see the situations where the opt-out will not apply

We will not share your personal information with researchers if you register a choice to opt out.

With data processors

We may share your information with data processors. A data processor is an organisation other than us that we have a contract with to assist us in collecting, storing or managing your personal information.

Data processors can only use your information in the ways that we have directed them. They are not allowed to use your personal information for any purposes other than those specified by us, they are not allowed to keep your information once their work for us has ended, and they must comply with strict data security and protection requirements when processing your information on our behalf.

With international organisations

We may share your personal information with the World Health Organization or other international health organisations to help with international contact tracing. These are restricted transfers made for public interest reasons for which we rely on derogations under Article 49(1)(d) of the UK General Data Protection Regulation (UK GDPR).

With other organisations

We may also share your personal information with other organisations, as required to perform our tasks, and for the purposes described in this notice. For example, we may share information with the NHS and the public health agencies in Northern Ireland, Scotland and Wales, and government departments such as the Home Office. This is to support the UK response to health protection threats by coordinating communications, interacting with local authorities and monitoring international travel to prevent and control infectious diseases and other threats to public health.

This is to support the UK response to health protection threats by coordinating communications, interacting with local authorities and monitoring international travel to prevent and control infectious diseases and other threats to public health.

Other sharing of your information

We may also share your personal information with other organisations for public health purposes. For example, as part of the UK’s obligations under the International Health Regulations, we may share your personal information with other countries if you test positive for a notifiable disease and have recently travelled internationally. This is to help with international contact-tracing.

Wherever possible, the information we share with other organisations does not directly identify you, but there may be times when it is necessary for your personal information to be used. Any information we share that identifies you will be lawful and the minimum necessary for the purpose.

How we protect your information

We have put in place a range of organisational processes and technical security measures to protect your personal information from loss, misuse and unauthorised access, disclosure, alteration and destruction.

Your information is stored on computer systems that are kept up-to-date and regularly tested to make sure they are secure and protected from viruses and hacking. Our information technology systems use robust security protections and encryption measures.

Your personal information can only be seen by staff who have been trained to protect your confidentiality and in understanding laws and regulations such as the Data Protection Act 2018 and the UK GDPR.

Strict controls are in place to make sure they can only see your information if they need it to do their job, and they are only provided with access to the minimum necessary information. Where we share information with other organisations, we take appropriate measures to ensure this is used lawfully and protected.

Whenever possible, we only use your information in a form that does not directly identify you. For example, we can replace your name and NHS number with pseudonyms (a non-identifying phrase or number) and substitute your date of birth with age in years to help protect your confidentiality.

No information that could identify you will ever be published by us.

Where we store your information

We store your personal information mainly in the UK and only in other countries, where necessary, if they are formally recognised by the UK government as providing legal protections over privacy at least equivalent to the those that apply here in the UK, such as the countries of the European Economic Area (EEA).

There may be circumstances in which the only viable data processor is one that processes data in other countries. Where that is the case, the processing of your personal information will be risk-assessed and necessary controls put in place.

This is only done on a case-by-case basis by UKHSA’s specialist legal team and senior managers. If our data processors store your personal information outside of the UK, we always ensure that this processing fully complies with data protection law to ensure your rights are protected.

How long we keep your information

We will only keep your personal information for as long as we need it to protect public health or as otherwise required by law.

Most of the time, we will keep your information in accordance with the time periods specified in the Records Management Code of Practice for Health and Social Care 2021. For example, the Code sets out an 8-year retention period for general medical records.

As one of our purposes for collecting personal information is to recognise trends and monitor the impact of diseases and conditions that have a long natural history, we may need to keep your information for longer.

Your rights over your information

Under data protection law, you have several rights over your personal information. You have the right to:

  • ask for a copy of any information we hold about you
  • ask for any information we hold about you to be changed if it is inaccurate
  • ask us to consider restricting our use of your information, although this is not an absolute right and we may need to continue to use your information in the interests of public health – we will tell you why if this is the case
  • object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information: we will tell you why if this is the case
  • delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority in another country
  • ask us, in appropriate circumstances, to transfer your personal information to a recognised health authority both in the UK and in other countries, but also to you or your private health provider in a machine-readable format

You can exercise any of your rights by contacting us at InformationRights@UKHSA.gov.uk or by calling us on 020 7654 8000.

You will be asked to provide proof of your identity so that we can be sure we only provide you with your personal information.

You will not be asked to pay a charge for exercising your rights. If you make a request, we will respond to you within one month.

Our legal basis to collect, use and share your personal information may vary according to the purpose we use it for.

We process both personal information and special categories of personal information, including data about health and ethnic group. In most cases where we process your personal data to fulfil our remit, the sections of the UK GDPR and the Data Protection Act 2018 that apply will be:

  • UK GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’
  • UK GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’
  • UK GDPR Article 9(2)(h) ‘processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services’
  • UK GDPR Article 9(2)(g) ‘substantial public interest’
  • Data Protection Act Schedule 1 Part 1 (3) ‘public health’
  • Data Protection Act Schedule 1 Part 1 (2) ‘health or social care purposes’
  • Data Protection Act Schedule 1 Part 2 (6) ‘substantial public interest’

Where we process personal data to comply with a legal duty, the following section of the law may also apply:

  • UK GDPR Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation’

Where we use personal information for research purposes, the sections of the law that may also apply are:

  • UK GDPR Article 9(2)(j) ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’
  • Data Protection Act 2018 Schedule 1 Part 1 (4) ‘research’

Where personal data is shared with other countries for the purpose of international contact tracing, the following UK GDPR derogation for specific situations applies:

  • UK GDPR Article 49(1)(d) ‘the transfer is necessary for important reasons of public interest’

Our duty of confidentiality

To fulfil our remit, we may need to use your confidential patient information without asking for your consent.

We have ‘section 251’ approval from the Secretary of State for Health and Social Care to do this for the purpose of diagnosing, recognising trends, controlling and preventing, and monitoring and managing infectious diseases and other risks to public health.

The part of the law that applies here is section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.

How to find out more or raise a concern

If you have any concerns about how we use and protect your personal information, you can contact the Department of Health and Social Care’s Data Protection Officer at data_protection@dhsc.gov.uk or by writing to:

Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU

You also have the right to contact the Information Commissioner’s Office if you have any concerns about how we use and protect your personal information. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website at www.ico.org.uk or writing to the ICO at:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

About this privacy information

The personal information we collect and use may change so we may need to revise this notice. If we do, the publication date provided at this top of this notice will change.