Privacy information
Updated 30 September 2021
On 1 October 2021 a number of public health functions will transfer from Public Health England (PHE) to NHS England. From this date, NHS England will be the controller for personal data that is processed to support these functions under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Other than the change in controller there will be no changes to patients’ personal data to discharge these functions, how it is processed or the services received by patients as a result. Please see the NHS England Privacy Notice for more information on how NHS England processes your personal data.
The responsibility for the management of the National Disease Registries, a collection of data on all cancers, rare diseases and congenital anomalies diagnosed each year in England, is transferring from PHE to NHS Digital on 1 October 2021. NHS Digital will become the data controller for this data. See our transparency notice for more information on how we collect and process your data and your rights.
About Public Health England
PHE exists to protect and improve the nation’s health and wellbeing, and reduce health inequalities.
We collect and use personal information to fulfil our remit from the government. Our main purposes for processing personal information are to:
- fulfil the Secretary of State for Health and Social Care’s duty to protect public health
- fulfil the Secretary of State’s duties to improve public health and reduce health inequalities
- improve population health by supporting sustainable health and care services
- ensure the public health system has the capability and capacity to tackle current and emerging public health challenges
This privacy notice explains the personal information we collect, how we use it and who we may share it with for these purposes. It explains what your rights are if we hold your personal information and how you can find out more or raise a concern.
Data controller
PHE is an executive agency of the government, sponsored by the Department Health and Social Care. We are listed under the Department’s registration with the Information Commissioner’s Office (ICO).
We are the data controller for the personal information we collect and use to fulfil our remit.
The information we collect
The types of personal information we may collect about you include:
- demographic information – for example, we may collect your name, date of birth, sex, ethnic group, NHS number, address and postcode, occupation, and contact details such as your phone number
- health information – for example, we may collect information about your physical health, mental wellbeing, symptoms and medical diagnoses, and health risk factors such as your height and weight, whether you smoke and what your occupation is
- treatment information – for example, we may collect information about your hospital admissions, clinic attendances, screening appointments, laboratory test results, prescriptions and vaccination history
How we collect your information
We collect personal information in 3 main ways:
- directly from you
- from the providers of health and care services
- from other organisations supporting the health and care system in England
Directly from you
For example, we may ask you to:
- complete a health protection questionnaire to collect your demographic information, information about infectious disease symptoms, and details of the people you have been in close contact with who may have been infected
- provide your information in a digital app or website we have developed to help promote healthy lifestyles
- provide your information so that we can provide you with a service such as supplying a radon measurement pack
From health and care service providers
For example, we may collect your demographic, health and treatment information from:
- GPs and doctors – all doctors in England must inform us if you have a communicable disease such as COVID-19 or tuberculosis
- diagnostic laboratories – all laboratories in England must inform us if your test results show you have a serious disease-causing virus or bacterial infection
- hospitals – for example, we collect your information from hospitals if you have been diagnosed with cancer or develop a hospital-acquired infection
- screening services – we collect your information from cancer, abdominal aortic aneurysm and other screening services
- other health treatment services – for example, we collect your information if you attend an alcohol and drug use treatment service or a sexual health clinic
From other organisations
For example, we may collect your demographic, health and treatment information from:
- NHS Digital – for example, we ask NHS Digital for your information if you receive hospital, emergency care, community service or mental health service treatment; we also ask NHS Digital to provide us with information about cancer treatments and waiting times, health and risk factors such as children’s height and weight, and information on deaths in England
- National Pathology Exchange – we ask the National Pathology Exchange for your information if you have been tested for COVID-19 at a regional or mobile testing station or at home
- the Office for National Statistics (ONS) – we ask the ONS for information on all births and deaths in England
We also collect information from a range of other organisations to enable us to fulfil our remit.
Whenever possible, we only collect information that does not directly identify you. For example, we collect information on children’s height and weight and about people admitted to hospital with heart disease from NHS Digital but only in a form that does not identify them.
But there will be times where we do need to collect your personal information. Where this is necessary, we will only ask for the minimum we need.
The purposes we use your information for
To protect public health
We use personal information to protect the nation’s health. Examples of how we may use your personal information for this purpose include to:
- undertake laboratory tests to identify if you have a serious communicable disease or disease-causing virus or bacteria such as COVID-19, tuberculosis or norovirus
- control cases of communicable disease by providing you with advice on self-isolation, testing and treatment to prevent infections from spreading to others
- control clusters and outbreaks of communicable disease by taking action such as tracing your close contacts to provide them with public health advice to prevent infections from spreading
- provide you with public health advice if you have been exposed to chemical, radiological and environmental risks to public health such as water-borne diseases and sources of radiation
- identify trends and monitor the sources and epidemiology of a wide range of communicable diseases and other risks to public health – for example, we may link your laboratory test results to information about the care you receive to understand how effective your treatment has been and to help improve the way these public health threats are controlled and prevented in future
- monitor whether you have any adverse reactions to vaccines and medicines to help ensure these treatments are safe and effective in controlling and preventing communicable diseases
- monitor whether you develop a hospital-acquired or drug resistant infection to help provide guidance and advice to the NHS on how to manage these serious threats to the safety and effectiveness of the care provided to patients
To improve public health and reduce health inequalities
We use personal information to improve the nation’s health and reduce health inequalities. Examples of how we may use your personal information for this purpose include:
- to identify trends and monitor the epidemiology of cancer and rare diseases – for example, we link information about your diagnosis, treatment and outcomes in our national diseases registries to reveal trends in the numbers of people affected, help determine the causes and monitor the long-term health effects to help improve the way the NHS prevents and treats these diseases and conditions
- to identify trends and monitor the epidemiology of other major causes of ill-health and early death such as heart disease, respiratory diseases, diabetes and accidents – for example, we may analyse your hospital treatment information to help identify whether different groups in the population are at increased risk of certain diseases and conditions and whether there are differences in the care provided to help improve NHS services
- to identify and monitor trends in the incidence and prevalence of poor mental health, suicide and self-harm to help improve the way they are prevented and treated
- to identify and monitor trends in the social and environmental determinants of health – for example, we may analyse your information if you are admitted to hospital with asthma to help understand whether air pollution is a factor so that we can advise the government on the response to this risk to public health
- to identify and monitor trends in health risk factors – for example, we may analyse information about your body mass index, smoking habits and physical activity levels to help better understand the numbers of people at risk of diseases and conditions such as heart disease, lung cancer and diabetes to help advise the NHS and the government on the way these risks to public health can be prevented and treated
- to identify and monitor trends in alcohol and drug misuse to provide advice to the NHS and government on prevention and treatment services
To support sustainable health and care services
We use personal information to help support the provision of financially sustainable health and care services. Examples of how we may use your personal information for this purpose include to:
- help manage, with the NHS, the national screening programmes – for example, we use your information to ensure you are invited at the right time for screening for cancer, abdominal aortic aneurysm and other diseases and conditions
- help ensure the safety and effectiveness of screening services – for example, we may use your information when undertaking a service quality assurance review or as part of a national audit of service effectiveness
- identify and monitor trends in access to health and care services between groups in the population to help tackle barriers to access to prevention and treatment services
- monitor the uptake and effectiveness of vaccination and immunisation programmes such as influenza, pneumonia and childhood diseases such as meningitis and human papillomavirus (HPV) to help control and prevent these diseases and conditions
To maintain the public health system’s capability and capacity
We use personal information to ensure that the public health system in England has the capability and capacity to tackle current and emerging public health challenges. An example of how we use personal information for this purpose is to ensure that registered public health professionals have the right qualifications and experience to practise safely and effectively
Who we share your information with
We may share your personal information with other organisations to provide you with individual care or for other purposes not directly related to your health and care.
If we do share your personal information, we will only so where the law allows and we will only share the minimum amount of information that is necessary.
With your doctor and hospital
We provide specialist laboratory services and give to your doctor the results of the tests we are asked to carry out. We may also share your personal information with your GP and hospital to help them provide you and other patients with better care by auditing and evaluating the safety and effectiveness of the service they provide.
With local authorities
Local authorities have responsibilities for protecting the health of their residents, so we may share your personal information with your local authority and mayoral and combined authority, if you live in an area with one, to help us jointly manage clusters and outbreaks of communicable disease and other incidents that present a threat to public health.
With NHS Digital
NHS Digital provides information and technology services to the health and care system. It is a public body reporting to the Department of Health and Social Care (DHSC) and collects and analyses data and information about health and care services across England.
We share personal information from the national cancer registry with NHS Digital for it to link to other data it holds and provide information to support research studies and identify potential participants for clinical trials.
NHS Digital has been directed by the Secretary of State for Health and Social Care and NHS England to collect and analyse data relating to COVID-19 and develop and operate IT systems to deliver services to respond to COVID-19. We share personal information on coronavirus test results and hospital admissions for COVID-19 with NHS Digital for it to use for these purposes.
With NHS England
NHS England is responsible for managing the health service in England. We share personal information about coronavirus test results and hospital admissions for COVID-19 to help it support the NHS in responding to coronavirus.
With researchers
We may share your personal information with university and other researchers.
We only share your personal information with researchers who have approval from a medical ethics committee and special permission from the Health Research Authority’s Confidentiality Advisory Group. This group provides independent advice to the Secretary of State for Health and Social Care on whether the use of confidential information is in the interests of patients and the public. This is known as ‘section 251’ approval. We never share personal information with researchers without these approvals.
You can opt out of us sharing your information with researchers if you choose. Further information and details on how to register your opt-out choice is available. On this webpage you will:
- see what is meant by confidential patient information
- find examples of when confidential information is used for individual care and examples of when it is used for purposes beyond individual care
- find out more about the benefits of sharing data
- be able to access the system to view, set or change your opt-out setting
- see the situations where the opt-out will not apply
We will not share your personal information with researchers if you register a choice to opt out.
Details about the personal information we have shared with researchers and the purposes they have used this for is published in our data release register.
With our data processors
We may share your personal information with organisations we have contracted to help us fulfil our remit.
These organisations are known as data processors and are acting on our instructions. They are not allowed to use your personal information for any purposes other than those specified by us, they are not allowed to keep your information once their work for us has ended, and they must comply with strict data security and protection requirements when processing your information on our behalf.
With other organisations
We may also share your personal information with other organisations for public health purposes. For example, we share information with the Joint Biosecurity Centre (JBC), which is part of the DHSC, for it to use to identify outbreaks of coronavirus. The information we share with the JBC is in a form that does not directly identify you.
Wherever possible, the information we share with all other organisations does not directly identify you, but there may be times when it is necessary for your personal information to be used. Any information we share that identifies you will be lawful and the minimum necessary for the purpose.
How we protect your information
Your personal information is protected by us in a range of ways.
It is stored on computer systems that are kept up-to-date and regularly tested to make sure they are secure and protected from viruses and hacking.
Your personal information can only be seen by our staff who have been specially trained to protect your confidentiality. Strict controls are in place to make sure they can only see your information if they need it to do their job, and they are only provided with access to the minimum necessary information.
Whenever possible, we only use your information in a form that does not directly identify you. For example, if you have cancer, we need to use your name, date of birth and NHS number to link together your diagnosis, treatment and outcomes information. But for most of the analyses we then do to monitor trends in cancer and the effectiveness of cancer treatments, we use information that does not directly identify you. For example, we replace your name and NHS number with pseudonyms and substitute your date of birth with age in years to help protect your confidentiality.
No information that could identify you will ever be published by us.
Where we store your information
We store your personal information in the UK only.
We may store anonymous information that cannot be used to identify you outside of the UK. Some of our data processors may store your personal data outside of the UK. If they do, we always ensure that this processing fully complies with data protection law to ensure your rights over your data are protected.
How long we keep your information
We will only keep your personal data for as long as we need it for the purpose for which it was collected.
Most of the time, we will keep your information in accordance with the time periods specified in the Records Management Code of Practice for Health and Social Care 2016. For example, the Code sets out an 8-year retention period for general medical records.
As one of our purposes for collecting personal information is to recognise trends and monitor the impact of diseases and conditions that have a long natural history, we may need to keep your information for longer. For example, we keep the personal information of people with tuberculosis for 20 years so that we can monitor the epidemiology of the disease and the effectiveness of the treatments patients receive.
Your rights over your information
Under data protection law, you have a number of rights over your personal information. You have the right to:
- ask for a copy of any information we hold about you
- ask for any information we hold about you that you think is inaccurate to be changed
- ask us to restrict our use of your information, for example, where you think the information we are using is inaccurate
- object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
- delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
- ask us not to use your information to make automated decisions about you without the involvement of one of our staff
You can exercise any of your rights by contacting us at:
Public Information Access Office
Public Health England
Wellington House
133-155 Waterloo Road
London SE1 8UG
Email: FOI@phe.gov.uk
You will be asked to provide proof of your identity so that we can be sure we only provide you with your personal information.
You will not be asked to pay a charge for exercising your rights. If you make a request, we will respond to you within one month.
Our legal basis to use your information
Our legal basis to collect your personal information may vary according to the purpose we use it for.
We process both personal data and special categories of personal data, including data about your health and ethnic group. In most cases, the sections of the General Data Protection Regulation and the Data Protection Act 2018 that apply will be:
- GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’
- GDPR Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation’
- GDPR Article 6(1)(a) ‘consent’
- GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’
- GDPR Article 9(2)(h) ‘processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services’
- GDPR Article 9(2)(a) ‘explicit consent’
- Data Protection Act Schedule 1 Part 1 (3) ‘public health’
Our duty of confidentiality
To fulfil our remit, we may need to use your confidential patient information without asking for your consent.
We have ‘section 251’ approval from the Secretary of State for Health and Social Care to do this for the following purposes:
- diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health
- medical purposes related to the diagnosis or treatment of cancer
- other medical purposes, including cancer screening, rare diseases registration and drug and alcohol treatment service monitoring
The part of the law that applies here is section 251 of the National Health Service Act 2006 and the associated Health Service (Control of Patient Information) Regulations 2002.
How to find out more or raise a concern
If you have any concerns about how we use and protect your personal information, you can contact our Data Protection Officer dataprotectionofficer@phe.gov.uk or by writing to:
Data Protection Officer
c/o Public Information Access Office
Public Health England
4th Floor, Wellington House
133-155 Waterloo Road
London SE1 8UG
You also have the right to contact the Information Commissioner’s Office if you have any concerns about how we use and protect your personal information. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting www.ico.org.uk or writing to the ICO at:
Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
About this privacy information
The personal information we collect and use may change so we may need to revise this notice.