Privacy policy for the NHS Active 10 app

The NHS Active 10 app is designed to help you improve your health by encouraging you to incorporate more moderate-intensity activity into your daily routine.

The app tracks your physical activity, specifically focusing on achieving 10-minute bursts of brisk walking, which are proven to benefit your health.

With easy-to-use features, the app provides personalised feedback, motivational tips, and progress tracking to help you reach your fitness goals.

You can use the NHS Active 10 app either with an account or without one. If you choose to create an account, you can do so securely through NHS login, which allows for a more personalised experience, including the ability to save and access your activity history across multiple devices.

Alternatively, you can use the app without creating an account, in which case your activity data will only be stored locally on your device.

The Department of Health and Social Care is the data controller.

Technical information:

• Type of mobile device you use, and your mobile operating system (device information)
• Internet Protocol (IP) address used to connect to your device to the internet
• Analytics data used to understand how the app is used and monitor overall progress of our user base
• Motion and fitness data (read only with user permission, from device pedometer and/or Google Health Connect) to calculate and report back on brisk and non-brisk activity

Profile information:

The App can be used with or without creation of a user account.

When using the App without an account, collection of the following data is optional:

• Sex
• Age

Account creation is enabled by NHS login as a method of single-sign-on. When you authenticate and verify your NHS login details, the following information is shared with the App:

• Given name
• Date of birth
• Email address

Subsequently, NHS Personal Demographics Service provides the following data:

• Sex
• Postcode

When using the App with or without an account, you are given the option to share the following information to personalise your experience:

• Your health motivation, for example, "I want to feel fitter" or "I've been advised to get more active"
• Your current activity level, for example, less than 30 minutes per week, 30 to 149 minutes per week, over 150 minutes per week

• Given name: to personalise app content
• Date of birth (stored as age): to show age-group-specific content
• Email address: to send account information and personalised analytics newsletters
• Postcode: to show location-specific walking routes
• Sex: to show sex-specific content
• Motion and fitness data: step count used to estimate how active you are

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

• Your consent (for any information that is voluntarily provided by you)
• For the performance of a task in the public interest or for our official functions (for all other data)

As we are also processing special category data (such as information related to your health), we are also required to identify at least one additional condition under which to process this information. These are:

• Your consent (for any information that is voluntarily provided by you)
• For reasons of public interest in the area of public health (for all other data)

Data processors and other recipients of personal data

Data collected by the app is not passed on to any third parties.

International data transfers and storage location(s)

Collected data is stored and processed in the United Kingdom.

Retention of data collected through NHS login and the NHS Personal Demographics Service is based on ‘time since last user engagement’ in the application.

We retain your account data for 1 year beyond the date of last login. After this, your account will be considered inactive, and the system will hard delete the information associated with the account.

You will subsequently need to create a new account with the application if you wish to return to the app.

All personal data associated with your account will be encrypted at rest and in transit and stored on secure servers.

Your first name and email will never be used in analytics. Age, sex and postcode data will be used alongside activity data to produce insights on the usage of the product at a population level, but this will not be attributable to individual users.

You will continue to have the option not to create an account.

By law, data subjects have a number of rights and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 applies.

These rights are:

1. The right to get copies of information – you have the right to ask for a copy of any information about you that is used.
2. The right to get information corrected – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
3. The right to limit how the information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
4. The right to object to the information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with you being advised if this is the case.
5. The right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with you being advised if this is the case.

You can access NHS Active 10 using your NHS login details.

If you sign in using NHS login, we will ask your permission to share your NHS login information with our service. This allows us to fill in some personal details for you, such as your name, date of birth and email address.

We will not use your NHS login information for any other purposes. You can only share your NHS login information if you have proved your identity to NHS login.

You can choose not to share your NHS login information with NHS Active 10 but you will need to enter your information yourself whilst using our service.

For more information, see the NHS login privacy notice and NHS login terms and conditions.

If you are unhappy or wish to complain about how personal data is used as part of this programme, you should email data_protection@dhsc.gov.uk in the first instance or write to:

Data Protection Officer
1st Floor North
39 Victoria Street
London
SW1H 0EU

If you are not satisfied with the response, you can complain to the Information Commissioner's Office. Their website address is www.ico.org.uk and their postal address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

No decision will be made about you solely based on automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

This privacy notice is kept under regular review, and new versions will be available on our privacy notice page on our website. This privacy notice was last updated on 12/11/2024.

© Crown copyright 2022

Information Risk Management & Assurance/Office of the Data Protection Officer www.gov.uk/dhsc

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3

Where we have identified any third-party copyright information you will need to obtain permission from the copyright holders concerned.