Guidance

Processing your personal data for secondary purposes

An explanation of how UKHSA processes your personal data when you apply to access it for secondary purposes

About UKHSA

On 1 October 2021 the UK Health Security Agency (UKHSA) came into being. UKHSA is an executive agency of the Department of Health and Social Care (DHSC). It combines many of the health protection activities previously undertaken by Public Health England (PHE) together with all of the activities of the NHS Test and Trace Programme and the Joint Biosecurity Centre (JBC).

The processing activities previously undertaken by these organisations and the associated data processors have not changed with the establishment of UKHSA. Individual rights are not affected by this change.

We, the UKHSA, are responsible for planning, preventing and responding to external health threats, and providing intellectual, scientific and operational leadership at national and local level, as well as internationally.

UKHSA will ensure the nation can respond quickly and at greater scale to deal with pandemics and future threats. We collect and use personal information to fulfil our remit from the government.

The DHSC is the data controller for the personal information we collect, store and use to fulfil our remit.

As a data controller, DHSC are required under data protection legislation to notify you of the information contained in this privacy notice.

This privacy notice sets out the types of personal data that we process when our partners and stakeholders make an enquiry, application or amendment to access UKHSA data for secondary purposes (this includes requests to process data for ethically approved research, clinical audit and evaluation). It also sets out how we use that information, how long we keep it for and other relevant information about your data.

For the purpose of this privacy notice the ‘data subjects’ are all former, current and future customers or clients making enquiries about or requesting access to data from UKHSA for secondary purposes.

UKHSA has a general privacy notice and a separate privacy notice explaining how your personal information may be used to fulfil its remit or as part of the response to the coronavirus (COVID-19) pandemic.

These notices explain to the public how personal data is processed.

What information we process

When you approach UKHSA to seek advice or apply to process UKHSA data, we compile and keep an electronic file containing information about you and your co-applicants which relates to your application for data.

This includes:

  • your contact details such as your name, your employer and business details, including address, telephone number or email address
  • the contact details such as the name, employer, business details including address, telephone number and email address of others involved in your project (including your collaborators or data processors acting under your instruction)
  • communications created, stored or transmitted by you or UKHSA to progress an enquiry or application through the data application process
  • communications created, stored or transmitted by you or UKHSA in response to a complaint or appeal raised in regard to your data application
  • other communications created, stored or transmitted that enable UKHSA to deliver its services to you or to meet any of its legal, financial or procedural obligations

You may also voluntarily provide us with additional personal data within your application, such as details of your employment history or alternative contact information, such as a personal email address. While this is not requested by UKHSA, this personal data will be treated with the same protections as any other data shared with us.

You are only required to provide the data as set out in the UKHSA data application form(s). If you are unable to provide the personal data requested in the UKHSA data application form(s), this will prevent us delivering our service and we will not be able to progress your application.

The information we process may be provided to us by you directly if you:

  • send UKHSA speculative enquiries about data access
  • submit an application or amendment
  • provide UKHSA with feedback about the services we provide

It may also be provided to us indirectly.

For example:

  • through colleagues delegated with the responsibility to act on your behalf to enquire or submit an application for data
  • public health leaders who have established professional or personal connections with you
  • by another health and social care agency or data custodian (such as NHS Digital or the Clinical Practice Research Datalink (CPRD)) you have interacted with about your data application to allow UKHSA to help facilitate your request

The purposes we use your information for

We process the personal information of applicants or enquirers to, for example:

  • maintain our project records so we can effectively deliver the application process and assess your application against the Approval Standards
  • communicate with you about your data requests, including any decisions about your application or how your request is progressing
  • investigate any complaints or appeals in regard to your data application or the services we offer
  • request feedback to check the quality of our services and inform improvement
  • share service updates and provide access to learning material that will support you in submitting a successful data request
  • enter into and administer a data sharing contract with your organisation; including payments, renewal, dispute, audit, enforcement, and other processes related to the performance of a contract
  • provide information to a regulator (such as when it is necessary to report a data breach) or to otherwise comply with the law

Your personal data will not be used in any automated decision making (a decision made solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain conditions about an individual).

Who we share your information with

We may share your personal data with third parties where it is necessary to administer a working relationship with you or where we have a lawful basis for doing so. If we do share your personal information, we will only do so where the law allows, and we will only share the minimum amount of information required:

ICT providers

To support, maintain and host our information systems, including the software and hardware infrastructure required for it to operate or be accessible online and to keep a backup of your personal information. All service providers are contractually bound by our instructions, have implemented appropriate technical and organisational measures to protect the rights of data subjects, guarantee an appropriate level of data protection and are carefully monitored by UKHSA.

To provide us with advice in relation to our services to you, including our legal, financial and other obligations and claims.

Data protection supervisory authority

To provide us with advice in relation to the delivery of your project or to issue instructions related to the delivery of your project as a data processor.

Other data custodians, to whom you have applied to access data or operate as a system provider for UKHSA

To provide us with advice in relation to the delivery of your project or to issue instructions related to the delivery of your project as a data processor.

When we disclose personal data to third parties, we only disclose to them any personal data that is necessary for them to provide their service. Should we instruct a third party to process your data, we will always have contracts in place requiring them to keep your personal data secure and not to use it other than in accordance with our specific instructions.

How we protect your information

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

It is stored on computer systems that are kept up-to-date and regularly tested to make sure they are secure and protected from viruses and hacking. Our information technology systems use robust security protections and encryption measures.

Your personal information can only be seen by staff who have been trained to protect your confidentiality and to understand laws and regulations such as the Data Protection Act 2018 and the UK GDPR.

Strict controls are in place to make sure they can only see your information if they need it to do their job, and they are only provided with access to the minimum necessary information. We may also share information with other organisations. Where we do, we take appropriate measures to ensure your information is protected and used lawfully.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Where we store your information

We store your personal information mainly in the UK and only in other countries, where necessary, if they are formally recognised by the UK government as providing legal protections over privacy at least equivalent to those that apply here in the UK, such as the countries of the European Economic Area (EEA).

How long we keep your information

We keep your personal data in line with our retention policies and only for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, reporting or compliance requirements related to your application for data or processing of UKHSA data thereafter.

Security

We use appropriate technical, organisational, and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level.

Lawful basis for processing your personal data

Our legal basis to collect, use and share your personal information is:

  • UK GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’

Your rights

Under data protection law, you have several rights over your personal information. These rights are not absolute and may be limited if the services you are pursuing could not be provided, or a contract to which your organisation is a party could not be performed.

You have the right to:

  • ask for a copy of any information we hold about you
  • ask for any information we hold about you to be changed if it is inaccurate
  • ask us to consider restricting our use of your information, although this is not an absolute right and we may need to continue to use your information (such as where processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract)
  • object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information (such as where processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract)
  • delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information (such as where processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract)

You can exercise any of your rights by contacting us at:

InformationRights@UKHSA.gov.uk

You can also call us on 020 7654 8000.

Where these rights cannot be upheld, you will be informed why.

You will be asked to provide proof of your identity so that we can be sure we only provide you with your personal information.

You will not be asked to pay a charge for exercising your rights. If you make a request, we will respond to you within one month.

How to find out more or raise a concern

If you have any concerns about how we use and protect your personal information, you can contact the Department of Health and Social Care’s Data Protection Officer at data_protection@dhsc.gov.uk or by writing to:

Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU

You also have the right to contact the Information Commissioner’s Office (ICO) if you have any concerns about how we use and protect your personal information. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website or writing to the ICO at:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

About this privacy information

The personal information we collect and use may change so we may need to revise this notice. If we do, the publication date provided at the top of this notice will change.

Contacting the Information Commissioner’s Office

You also have the right to contact the ICO if you have any concerns about how UKHSA uses and protects any personal information it holds about you. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website or by writing to:

Customer Contact
Information Commissioner's Office
Wycliffe House
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113

Published 13 January 2022