Your privacy on NHS Choices

Personal data collected

Navigation data
IP address and the website you came from

Personal information
Includes your first name, last name, email address, postcode and other personal information you provide.

Use of personal data

Analytics
Uses navigation data in services provided by the NHS website and third parties. For more information see our cookies policy.  

Advertising
Some health campaigns we host on behalf of Public Health England are supplied with advertising data.

Personalisation
Uses navigation data and personal information to enable us, and third parties, to tailor the services provided to you.

Data sharing

Site navigation and usage data is shared with trusted third-party services where we are utilising their technology to provide essential analysis data. We will not intentionally share personal information with any third parties without your consent.

Our privacy policy 

Your privacy is important to us. This privacy policy covers what we collect and how we use, disclose, transfer and store your information.

The NHS website Data Controller

  • the Health and Social Care Information Centre (known as NHS Digital) is the Data Controller for the NHS website
  • the Data Protection Officer is Catherine Nicholson
  • find out how NHS Digital looks after your health and care information
  • if there are any queries regarding this privacy policy, you may contact us using the information below:
    Information Governance Compliance Team
    NHS Digital
    1 Trevelyan Square
    Boar Lane
    Leeds LS1 6AE
  • enquiries@nhsdigital.nhs.uk
  • in some cases, the NHS website is acting as a Data Processor on behalf of another Data Controller e.g. Health Campaigns by Public Health England
  • we will process your data in accordance with the Data Protection regulations in force in the UK at the time
  • you are entitled to know whether we hold information about you and, if we do, to have access to that information and require it to be corrected if it is inaccurate
  • you also have the right to lodge a complaint with the Information Commissioner's Office. You can contact the ICO here.

How do we use your information?

We analyse information to see what is most effective about our website and associated services to help us identify ways to improve it and to make it more effective. We may also use information for other purposes, which we would describe to you at the point when we collect the information.

What information do we collect when you use the NHS website?

When you use the NHS website www.nhs.uk, we use various technologies to collect information indirectly – such as your IP address. This is commonplace across all internet services to enable the investigation of issues such as service availability and the identification of malicious use. This information is then kept in our internet access logs. We also collect some personal information directly – e.g. when you actively submit details.

Cookies

Our website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic to improve and analyse performance and aid troubleshooting. We may also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they've collected from your use of their services.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. Some cookies are placed by third-party services that appear on our pages. Details of the cookies in use can be found here.

Video content

The NHS website video content – whether viewed on the website, in emails or embedded in third-party sites – is streamed to users by a third-party company, Brightcove. A product called TubeMogul is used by Brightcove to compile usage statistics on our behalf, such as what videos have been watched and when; it uses an anonymous tracking cookie and stores no personal data. For more information, see the Brightcove privacy policy and the TubeMogul privacy policy.

Email subscriptions

We will hold the information for as long as we are providing you services. If you do not access the services provided by us, for instance you don't open or click through one of the emails for more than a year, we will send you an email asking you to confirm that you wish to continue receiving our emails. If you do not respond to this email within 1 month we will unsubscribe you.

We will remove all personal information we hold relating to you, which you registered with us, within 6 months of you unsubscribing from the site. We hold this information for a further 6 months following unsubscription, as we may need to use it for statistical analysis or if you choose to resubscribe. Be assured that if you unsubscribe you will not receive further information from us.

Contact form, information quality feedback and email

You may be contacted to provide feedback on how we managed your enquiry. You will be asked to consent to this at the point you submit your data. We will hold the information you provide us for as long as necessary to support the service we are providing you, for example so we can continue to provide assistance or resolve an ongoing issue. If no communication has been made in over 12 months and the information is not required to resolve an ongoing issue, then all communication and any personal information will be deleted. Generic information, such as the duration your enquiry was opened for or the part of the website you were using, will remain. This is to allow for reporting over a period greater than 12 months.

Information is kept for 12 months to allow for trend analysis, identifying reoccurring issues and understanding common issues.

Exceptions include those currently following the complaints process, or when consent to keep information for longer has been obtained. Additionally, if we have determined that the information supplied contains personal information that we do not need to hold to provide assistance, we will endeavour to remove this information sooner.

Our website tools

Use of our tools on third-party sites will be tracked. No personal data is collected by these tools. Information gathered by us includes the user's IP address, the webpage a tool is accessed from, and how many times it is accessed. In some cases, tracking is used to show user journeys through a tool. This information is the sole property of the NHS website and will not be shared with third parties. All our tools store the number of times a user has visited the tool. Some tools also store "state" information so that when a user returns to a tool it is in the "state" they left it in.

Tools such as "Heart Age" allow input of date of birth or postcode, which are converted to age and deprivation score.

Third-party tools

  • the NHS website uses Bing Maps APIs to provide some location-based information. You should read the Bing privacy policy to understand how this affects you
  • we use Optimizely cookies to help us understand how the site is being used. We use this information to show you different content that best fits your needs, as well as allowing us to test what type of content is most popular, thus improving the user experience. All information is anonymous. These cookies do not identify you as an individual
  • New Relic provides data on site performance
  • Webtrends, Google Analytics and Hotjar – these analysis tools are utilised to provide anonymised site usage data
  • we use survey tools to carry out user engagement surveys. These surveys may contain both personal and anonymised data. You will be reminded of specific details at the point of data capture and your rights under this policy and legislation are not affected

Syndication

We offer a free syndication service that enables partner organisations to pull content from the NHS website via an Application Programming Interface (API) and display it on their website, app or service. In line with the syndication standard licence agreement, we require personal information of those using this service for contractual purposes. We use the data to inform subscribers of changes to functionality, structure or features within the syndicated content, or if there is a breach of the agreement. We also use subscribers' personal data to feed into internal reports, which identify active callers of the API alongside their usage.

While an active subscriber is receiving syndicated content we will continue to store their personal data. A partner can remove their own account without admin assistance via the API Developer Portal. Once an account has been closed by either the user or an admin, we will no longer store their data.

Service finders

The website provides a number of service finders to assist you in finding health services near you. While we do not capture any specific information about you as part of this service, the searches, including postcode, are saved in our logs and analytics tools. Ideally we would only use part postcodes but this renders the searches ineffectual in rural areas.

Comments and ratings

User comments and ratings are moderated by a trusted third party. They will receive details of your comment and the name and email address you submit.

We also syndicate published comments and ratings to partner websites, apps or services that adhere to the syndication standard licence terms. We do not pass your email address to our syndication partners.

General data services

We process and publish data in directories on NHS.UK from data aggregators and professional bodies – for example, the British Association for Counselling and Psychotherapy (BACP). This is to provide information to the public about health-related services.

Profile Information Management System (PIMS)

PIMS is used by staff working within dental practices, general practices, pharmacies, opticians, NHS Trusts and social care providers to enter service information on the NHS website so that it can be displayed on the website and syndicated to third parties.

If you are a PIMS profile editor, we collect personal data from you on registration. The personal data that we collect includes your name, email address, organisation name and job title. We use your personal data to provide the PIMS service and to communicate with you by email for PIMS service related purposes. Occasionally we may contact you for research purposes with the objective of improving the PIMS service or the service information that we provide on the NHS website.

PIMS enables you to add staff information onto your service profile(s). Before doing so, you need to ensure that you acquire and record their consent unless the information is already in the public domain e.g. published on your corporate website or included in a professional body medical register.

Social media

We utilise the following social media platforms to interact with our users:

  • Facebook (incorporating Instagram)
  • Twitter
  • YouTube

How the NHS website collects and stores your data

If you choose to interact with us on social media, we may receive some personally identifiable data about you, which is supplied by the channel you are using. This may include:

  • name
  • social media handles (e.g. Twitter account name)
  • location history (where you are contacting us from)
  • images (e.g. your profile picture)

We will process and store your data in accordance with the terms and conditions and privacy policy of the platform in question. You should be aware that your use of these platforms is governed by the terms and conditions agreed between you and the platform, rather than the NHS website.

We may use social media management tools (e.g. Hootsuite) to help deliver elements of our service to you. Any personally identifiable data processed using these tools is supplied by the platforms we use, in accordance with their terms and conditions.

We will not remove, duplicate or transfer your personal data from or between any of the social platforms that we use, except for:

  • when you give us explicit permission to do so
  • when we believe that we need to in order to respond to an urgent risk to health. For example, if you interact with us in a way that raises serious concerns about your mental health, we may share your personal details with local NHS services to ensure that you are offered appropriate support

You should be aware that social networks may control some of the data associated with interactions between you (the user) and us (the NHS website) on their platforms. For example, we will be able to delete our own records of a private message conversation if you request us to do so, but social networks may store a copy of this conversation that we are unable to access. We would recommend using the privacy tools built in to the social networks in question to ensure you are able to exercise your rights appropriately.

Understanding how social networks use your data

Social networks use information about your online activity to build a profile of you. This data is then used (anonymously) to send you targeted adverts across various digital platforms. You should be aware that interacting with health-related accounts such as ours may help build the profile of you that social networks maintain, and could potentially result in you receiving adverts related to health issues.

This process of collecting data for advertising purposes is not controlled by the NHS website, and we do not have access to the profiling data stored by social networks about you.

How long do we hold this information?

Unless otherwise stated, business information that falls under NHS Digital is held for a minimum of 3 years and will be subject to review. We will hold the information for as long as we are providing you services.

Do we share information?

  • we strive to capture the minimal amount of personal data, and only share with other organisations where the law permits us to do so or where we require and have gained your consent
  • we only share information with our authorised Data Processors for the sole purpose of processing the data in connection with the service we have procured from them. These processors must act at all times on our instructions as the Data Controller under the Data Protection legislation
  • we do not sell individuals' information
  • we host health information campaigns on behalf of Public Health England, where we are Data Processors. These campaigns may have separate privacy terms and consent requirements
  • before you submit any information, you will be informed why we are asking for specific information and it is up to you whether you provide it

How can you access, amend or withdraw the personal data you have given us?

To get in touch about these rights, please contact us via the Data Controller details above. We will seek to deal with your request without undue delay, and in any event within 1 month (subject to any extensions to which we are lawfully entitled).

*Please note that we may keep a record of your communications to help us resolve any issues that you raise.

Right to object:

  • if we are using your data because we have a legal basis to do so under the Health and Social Care Act, and you do not agree, you have the right to object. We will respond to your request within the required time frame (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply
  • this right enables you to object to us processing your personal data where we do so for one of the following reasons: (i) to enable us to perform a public task or exercise official authority; (ii) to send you direct marketing communications; and (iii) for research or analytical purposes

Right to withdraw consent:

Where we have obtained your consent to process your personal data, or consent to send you information, you may withdraw your consent at any time and we will cease to carry out the particular activity that you previously consented to, unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.

Data access requests:

You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this. If we refuse your request for any legitimate reason, we will always tell you the reasons for doing so.

Right to remove:

In certain situations, you have the right to request us to "remove" your personal data. We will respond to your request within the agreed timeframe (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on a register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Normally, the information must meet one of the following criteria:

  • the data is no longer necessary for the purpose for which we originally collected and/or processed it
  • where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing
  • the data has been processed unlawfully (i.e. in a manner that does not comply with existing Data Protection regulations)
  • it is necessary for the data to be deleted for us to comply with our legal obligations as a data controller

We would only be entitled to refuse to comply with your request for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with legal obligations or for the performance of a public interest task or exercise of official authority
  • for public health reasons in the public interest
  • for archival, research or statistical purposes
  • to exercise or defend a legal claim

When complying with a valid request for the removal of data, we will take all reasonably practicable steps to delete the relevant data.

Right to restrict processing:

You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important public interest.

The circumstances in which you are entitled to request that we restrict the processing of your personal data are:

  • where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified
  • where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data
  • where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it
  • where we have no further need to process your personal data but you require the data to establish, exercise or defend legal claims

If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

Right to rectification:

You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Purpose and legal basis for processing

NHS Digital operates the NHS website as directed by the Electronic Prescription Service, Health and Social Care Network, NHS Choices, N3, NHS e-Referral Service, Secondary Use Service (SUS), Spine 2 (Named Programmes) Directions 2016 under the powers of sections 254(1) and (6), 274(2), 304(9) and (10) of the Health and Social Care Act 2012.

This direction supplements the Health and Social Care Information Centre (Systems Delivery Functions for NHS Choices and Additional Systems Delivery Functions for NHS Choices) Directions 2013.

Keeping information secure

We invest significant resources to protect your personal information from loss, misuse, unauthorised access, modification or disclosure. However, no internet-based site can be 100% secure and so we cannot be held responsible for unauthorised or unintended access that is beyond our control.

Page last reviewed: 24/05/2018

Next review due: 24/05/2021