NHS App full privacy notice

This privacy notice explains how NHS England, as a data controller, may use your data when you use the NHS App.

Information:

We've updated this privacy notice to cover future services we have been asked to provide in the NHS App. This is to support the NHS App Amendment Directions 2026 and to meet the government's 10 Year Health Plan for England.

Under the UK General Data Protection Regulation (UK GDPR) data controllers must make certain information available to people whose personal data they hold and use. A privacy notice is one way we provide this information.

This privacy notice explains:

  • who the data controller is
  • how we use information about you
  • what information we process
  • why we are allowed to process your information
  • how long we keep your information
  • who we share your information with
  • whether we do any automated decision making or profiling
  • what your rights are
  • how you can contact us and the Information Commissioner's Office (ICO)

This privacy notice applies when you access:

  • the NHS App as a mobile application on an iOS or Android device
  • NHS App services by logging in through the NHS website in a web browser

Data controllers

Data controllers are responsible for deciding how personal data is processed. They are usually organisations, companies, charities or volunteer groups.

NHS England is the primary data controller for personal data processed to provide the NHS App under the NHS App Directions 2023. The Department of Health and Social Care (DHSC) is a joint data controller, by virtue of having issued these Directions to NHS England, but only for data processed by the NHS App. You may exercise your rights against either data controller using the contact details provided at the end of this privacy notice.

Your care providers (such as your GP or hospital) remain data controllers for information, such as your medical record, held in their own systems that you view and manage through the NHS App and services available in it.

About the NHS App

The NHS App is a digital platform run by NHS England which you can use to view information about your health and access services that enable you to manage your healthcare online. The aim is to deliver more NHS services to the public in this way, making it easier to manage care and treatment both in GP surgeries and when engaging with secondary care such as hospitals. It is a way of achieving one of the three main aims of the UK government’s 10 Year Health Plan for England, published in July 2025, namely to move from an analogue (i.e. paper) to a digital way of delivering services.

The NHS App allows you to do many things. You can find out more about the NHS App.

Accessing the NHS App

You can download the NHS App onto an iOS or Android mobile device, or you can log in through the NHS website on a computer to access the same services.

You need NHS login to use the NHS App. To access most services available through the NHS App you must prove who you are, and you must do this through NHS login. You can then securely view your health information and manage your healthcare online.

You can read about your privacy on NHS login.

How we use your information

We use your information to help deliver the NHS App, which includes the following services:

  • managing, booking, cancelling or amending your own appointments and referrals
  • accessing relevant resources whilst waiting for care
  • viewing waiting times
  • viewing your past appointments
  • accessing letters and documents
  • answering questionnaires
  • choosing and registering with a health provider
  • managing, requesting and checking the status of your prescriptions and medicines
  • managing your nominated pharmacy
  • accessing and contributing to your health record
  • sharing and updating information about your health
  • viewing test results
  • viewing screening results
  • accessing health services that have been assured by NHS England
  • checking your symptoms
  • managing your organ donation preferences
  • managing your National Data Opt-Outs
  • signing up to take part in health research
  • providing feedback about the NHS App and enrolling in user research
  • managing your NHS App settings, including but not limited to:
    • notifications
    • contact details
    • biometric login settings
    • login and security settings
    • cookies
  • accessing, viewing and responding to messages received
  • communicating with professionals involved in your care, including via online and video consultations
  • receiving alerts or notifications when something needs your attention
  • finding providers of NHS services and seeing information about these providers
  • accessing NHS health advice and guidance
  • managing who has access to your health services
  • managing your access to other people’s health services
  • managing health services on behalf of someone else

Other uses of your data

As well as helping you manage your health care, the NHS App also processes data for other purposes such as:

  • analytical and performance data – to understand NHS App usage, such as when it is being used, how often, by whom, and which services and features are being used. The purpose of this is to identify performance issues and any inequities being inadvertently generated which need to be addressed, and to inform product and service design. Analytical data is processed and summarised within the NHS Federated Data Platform; for more information see the NHS Federated Data Platform privacy notice
  • audit data – to record when, how and by whom the NHS App is used
  • contact data – to support you if you contact the NHS App service desk with queries about the NHS App
  • research – if you choose, you can be involved in user research
  • feedback – collecting your feedback about the NHS App
  • management information – to inform and develop services in the NHS App and linked to the NHS App, such as NHS login, NHS Notify and to determine impact on outcomes and measure associated benefits
  • security data – we use data to identify and manage system security concerns

Cookies and similar technologies

We use cookies and similar technologies. We will ask for your consent before setting non‑essential cookies (for example, analytics). You can change your choices at any time in app settings or your browser. For details, see our NHS App cookies policy.

Personal data we process

To be able to provide the NHS App, NHS England must process personal data and special category data. UK GDPR defines these as follows.

Personal data

Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special category data

Refers to sensitive personal data that requires additional protection due to its nature; this includes data related to health.

Viewing a full list of data

The NHS App master data specification is a full list of the data NHS England processes to support the delivery of the NHS App. It also includes details of how long each item of data will be kept and why it is needed. The NHS England NHS App master data specification is supported by the NHS App Directions 2023.

NHS England’s legal basis for processing your data

NHS England is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012.

NHS England is legally required, by the Department of Health and Social Care, to set up and run the NHS App, as set out in the NHS App Directions 2023.

NHS England complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 by ensuring that information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled securely, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Article 6 – General lawfulness of processing data

For the processing of personal data in relation to the NHS App, the legal basis for the majority of processing by NHS England is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

This refers to the legal obligation placed on NHS England under the NHS App Directions 2023 for the running of the NHS App.

In addition to the above, in some circumstances, the legal basis for processing is:

  • Article 6(1)(a) – ‘consent of the individual’

This refers to the following instances:

  • taking part in user research, where you can withdraw your consent at any time
  • non-essential cookies and similar technologies (for example, analytics), which we only set with your consent

Health data is special category data and has extra legal protection. We need to comply with both Article 6 and Article 9 of the UK GDPR when we process this data.

Article 9 – Processing of special category personal data

To process your health data, we rely on:

  • UK GDPR Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

The Department of Health and Social Care has decided that it is in the public interest for NHS England to provide the NHS App to the public.

  • UK GDPR Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

This applies as the NHS App helps us provide health care to you.

  • UK GDPR Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy

This applies as there is public interest in the area of public health. Processing this data allows us to provide services such as vaccination booking.

Where we process data under Article 9(2)(h), we also rely on the following condition in the Data Protection Act 2018:

  • Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2(2)(f) – ‘the management of health care systems or services or social care systems or services’

Other services related to the NHS App

You must use NHS login to create an account and prove who you are to access the NHS App and other health services. You can find out more about NHS login and your privacy on NHS login.

The NHS App acts as a platform, which you can use to access a range of connected services. These connected services are separate from the NHS App. The organisations that control and process your data will depend on which services you access, and each service will have their own separate privacy notices.

Connected services within the NHS refer to the integration and collaboration of various health and care services to provide seamless care and improve patient outcomes.

Where we get data from

NHS England gets data from several sources, including from:

  • you (the data subject)
  • health organisations (such as GP surgeries, NHS trusts and NHS commissioned services)
  • NHS England systems (such as NHS login and NHS Notify)

Where we store your data

NHS England stores data within the UK.

To deliver the NHS App, NHS England may use third party suppliers known as data processors to help. They process data under the instruction of NHS England and are bound by legal agreements.

The NHS App allows you to connect to other suppliers (see section about Connected Services) to support your care. We currently work with over 40 third-party suppliers, all of which are based in the UK or EEA and meet data privacy standards for NHS App integration.

Where we use a supplier outside the UK (or a UK supplier that sub‑processes outside the UK), we only make transfers in compliance with UK GDPR and, where required, with appropriate safeguards (for example, UK IDTA or Addendum) and complete transfer risk assessments, in line with ICO guidance.

Who we share data with

NHS England may share your data in certain circumstances. These are:

  • sharing and displaying information to someone you have nominated to act on your behalf (your proxy)
  • sharing anonymous data to support commissioners and policy teams, and providing anonymous statistical information to the Department of Health and Social Care and its associated bodies, including but not limited to the UK Health Security Agency. UK GDPR Recital 26 defines anonymous data as “information which does not relate to an identified natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”
  • disseminating data back to the data source, in identifiable or pseudonymised form, at the request of that data source where it may assist in resolving technical or quality assurance issues. Such data may be an exact copy of that provided by the data source, or data associated with it. UK GDPR Article 4(5) defines pseudonymisation as “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”
  • sharing identifiable data with direct care providers to facilitate services available in the NHS App. Direct care providers are people or organisations that provide a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. Hospitals and GP practices are examples of direct care providers
  • sharing your data where we are required to do so by law, for example to respond to safeguarding concerns, or to support fraud investigations and police enquiries

How long we process and store your personal data for

We keep your information only as long as necessary for each purpose, following the Records Management Code of Practice, NHS England Records Retention Policy and the NHS App master data specification. A full list of retention periods can be found in the master data specification and we will update it as services evolve.

Automated decision making and profiling

NHS England does not carry out any automated decision making or profiling in the NHS App.

Children’s information and proxies

The NHS App is available to people aged 13 and over. We provide privacy information in clear, age‑appropriate language and design services in line with the Information Commissioner's Office Age-appropriate design: a code of practice for online services (for example, high privacy by default, limited profiling, and clear parental‑control transparency). Where you hold proxy access to manage someone else’s care, you must use the service responsibly and only for that person’s best interests.

Your general personal data rights

Under the Data Protection Act 2018 and UK GDPR you may have a right to:

  • know how and why your data will be collected, processed and stored
  • request a copy of your personal data
  • ask to correct errors or omissions in your personal data
  • ask us to restrict our use of your personal data (for example, if you think it’s inaccurate and needs to be corrected)
  • ask to have data deleted

If you have agreed to take part in user research, you may have the right to:

  • withdraw your consent
  • ask us to delete your personal data
  • be supplied with a copy of your data in a structured, commonly used and machine-readable format – what this means is that the data controller must ensure that your data is kept in a format which can be easily integrated into other types of IT systems, for example a spreadsheet file

How to contact us

You can contact the NHS England Data Protection Officer to exercise any of the above rights by emailing england.dpo@nhs.net or writing to:

Jon Moore
Data Protection Officer
NHS England
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

You can also contact the Data Protection Officer if you wish to submit a complaint about any aspect of NHS England’s processing of your personal data.

You can also contact the Department of Health and Social Care Data Protection Officer by emailing data_protection@dhsc.gov.uk or in writing to:

Lee Cramp
Department of Health and Social Care
39 Victoria Street
London
SW1H 0EU

You also have a right to submit a complaint to the Information Commissioner's Office (ICO) at any time about our processing of your personal information. The ICO is the UK regulator for data protection and upholds information rights. Contact the ICO.

Page last reviewed: 16 June 2026
Next review due: 16 December 2027