About this privacy policy
This privacy policy explains how NHS England and other organisations may use your data when you use the NHS App.
You can download the NHS App on an iOS or Android device. You can also access the same services by logging in through the NHS website in a web browser. This policy applies to using either of those channels.
As well as this policy, you should also read the NHS App terms of use and cookies policy.
Terms we use in this policy
You may find it helps to understand these terms when reading this policy.
- Data is “processed” when any action is taken with it. For example, when it is collected or reviewed.
- A “controller” is an organisation or person that decides what data is processed. They also decide how and why this needs to be done. They are legally responsible for that data.
- A controller may appoint a “processor”. This is another organisation or person that processes data under the instruction of the controller.
- “Special category data” is personal information that has more legal protection, including data about your health.
You can find out more about these terms on the Information Commissioner’s Office website.
Why we use your personal data
We mainly use your data so that the NHS App works correctly. It means we can give you access to services and information about your health and care.
We may also use your personal data to:
- improve the NHS App
- resolve technical faults
- maintain and improve security
- comply with the law
- protect users against potential fraud
- act if you provide information suggesting you or others may be at risk of harm
The points above are a short summary of our reasons for capturing and using personal data. You can find more details in the sections below.
Data we process about your use of the NHS App
This section tells you more about data we process to make sure the NHS App works correctly. This includes personal information such as your name and your age. NHS England and The Department of Health and Social Care are controllers for the data described in this section.
How you use the NHS App
This is technical data about your activities when you are logged in. It's also called audit data. It may include the time when you use the NHS App, what actions you take and related technical details. This information is captured against your NHS number. We may keep this data for up to 8 years.
How well things are working
This is also called performance data. We’ve appointed an approved analytics service provider to help us process this data. We may keep this data for up to 1 year.
Your contact with our service desk team
This means information captured when you contact the NHS App service desk for support, or when you provide feedback or complete a survey. If you raise a technical issue with the service desk team, we may link this to an Organisation Data Service (ODS) code. ODS codes are unique codes that are associated with particular health and care services, such as GP surgeries. When we capture an ODS code, it is stored in an issue management system alongside other details about the issue. We may keep data about your contact with our service desk for up to 1 year.
Being part of email lists
When you register to use the NHS App, you will be added to an email mailing list for necessary service updates. You may also voluntarily choose to join other mailing lists, for example for user research. We’ve appointed an approved emailing and list management service provider as a processor for this data. How long we keep this data varies depending on which mailing lists you join.
Messages you send and receive
We process data about messages that you send or receive through the NHS App Messaging Service. For more information you can read the NHS App privacy policy for messaging services. Messages and replies are stored in your account for as long as your NHS login exists.
Data we collect about you
In the tables below, you can find out more about data we may collect about you when you use the NHS App.
Data category | Why do we need it? |
---|---|
Name |
This is patient contact information that is part of your health record. It is used to:
|
Registered GP Organisation Data Service (ODS) code |
ODS codes are used by the NHS App to produce management and statistical information. This happens at a level which does not disclose personal information or directly identify you. |
Organisation Data Service (ODS) codes of sending services |
The ODS code of the sending service is used by the NHS App Messaging Service to uniquely identify the sending service. It is also used to look up information related to that service such as the service’s name. |
Email address |
This is patient contact information that part of your health record. It is used to:
|
Date of birth |
This is patient contact information that part of your health record. It is used to enable consultations and file downloads. |
Age |
This is patient contact information that part of your health record. It is used to:
|
Sex |
This is patient contact information that part of your health record. It is used to enable consultations and file downloads. |
Gender |
This is patient contact information that part of your health record. It is used to enable consultations and file downloads. |
Physical description |
This is patient contact information that part of your health record. It is used to enable consultations and file downloads. |
NHS number |
Your NHS number is part of your health record. It is used as part of audit tracking and within analytics. It is also needed to enable consultations and file downloads. |
Home phone number |
This is patient contact information that is part of your health record. It is used to:
|
Online identifier (for example your IP address, event logs, or NHS login identifier) |
This is used to log events, trace faults and provide security protective monitoring log data. |
Website cookies |
This is used for session and performance management. |
Mobile phone number |
This is patient contact information that part of your health record. It is used to:
|
Data category | Why do we need it? |
---|---|
Medical record information |
The transmission of medical information (including GP letters, test results and record extracts) between GPs and patients is needed to enable consultations and file downloads. This is extended to file uploads, where you may wish to upload an image to support a consultation. It is also used for hospital appointment, booking and referral letters and other documents. |
Messages from health and care providers |
Messages processed as part of NHS App Messaging and NHS App Notification services will remain stored within the NHS App. |
Connecting services provided by NHS England
The NHS App acts as a platform that allows you to access a range of connecting services. These services are separate from the NHS App. The organisations that control and process your data will depend on which services you access.
NHS England has a role in providing some services that connect with the NHS App. You can open the panel below to find privacy policies for these services.
Other connecting services
Some of the services you can connect with using the NHS App are not provided by NHS England. You can open the panel below to find privacy policies for these services.
Privacy guidance about using the NHS App
Logging in
You gain access to the NHS App using your NHS login. This is a set of login details you can use to access a range of health and care websites and apps. You can find out more in the NHS login privacy policy.
Some phones and tablets give you the option to log in to your NHS App using fingerprint, face and iris recognition. This is also called biometric login. On iPhones and iPads this is called Face ID or Touch ID.
Biometric login is voluntary. It does not stop you using another method to access the NHS App. It is based on technology in your device. We do not have access to or control over the biometric data stored on your device. The NHS App performs biometric authentication against NHS login in accordance with the Fast Identity Online (FIDO) standard.
Camera and location information
The NHS App may ask for access to the camera on your device if you choose to use face or iris recognition. You may also be asked for access to your device’s camera as part of the NHS login identity verification process.
Some connecting NHS services may also ask for access to your device location. If you allow access to your device’s location, then location data may be used to help you find services in your area.
Accessing services for someone else
You are responsible for any personal data that you access on behalf of someone else. You may be able to do this by using a linked profile.
You must keep this data safe and secure. To the extent possible bearing in mind their age, condition and capacity, you must:
- make the person aware of your access and any steps you take on their behalf
- seek their consent
- make the person aware of this privacy policy and other applicable terms and conditions
Viewing your health record documents
Once you have downloaded a file from your health record, or from the record of someone else, it is your own responsibility to keep the file secure. If you use a shared computer or mobile device, make sure you delete any downloaded files when you are finished.
Turning on notifications
You can choose to turn on push notifications from the NHS App to alert you to new messages in the NHS App Messaging Service. This feature is not available when you use the NHS website to log in.
You can opt out of push notifications at any time. Opting out may limit the types of messages you can receive. Messages about your health and care may continue to be sent by other means, such as by post.
If you use the NHS App across more than one device, push notifications must be enabled on each one. If you share the device you use to log in to the NHS App with other people, they may see your notifications. Notifications can only be sent to one user on the same device.
User research and giving feedback
When you register to use the NHS App, we’ll ask if you would like to join our user research panel. User research helps us to make sure that the NHS App and connecting services are meeting people’s needs.
If you choose to take part, we will email you a short survey to fill in about you and your health. Your answers will help make sure we invite you to user research that is relevant to you. We will also ask you if you want to receive our user research newsletter.
When you have signed up, we may ask you to:
- try new features
- answer more questions by email
- talk to our researchers about your experience of using the NHS App or connecting services
You can always say no to an invite, and you can leave the user research panel at any time.
User research panel activities
Your personal data will only be captured if you choose to provide it as part of participating in user research relating to the NHS App or connecting services. The Department of Health and Social Care and NHS England are controllers for this data.
We’ll collect your name and email address to maintain a mailing list for the user research newsletter, where you have consented to receive it. We will ask general questions about your health and background to ensure we are inclusive in our research, which counts as special category data. The amount of time we keep this data varies depending on the research you are taking part in. We will tell you before asking your consent.
Giving feedback outside our user research panel
You can provide feedback through the NHS App without being part of our user research panel. This feedback goes to the NHS App service desk team. You may also choose to take part in user research activities even if you are not part of our panel, for example in response to a social media post.
The Department of Health and Social Care and NHS England are controllers for this data. A contracted research tools provider is appointed as a processor.
Your rights
You have a right to:
- know how and why your data will be collected, processed and stored
- request a copy of your personal data
- correct errors or omissions in your personal data
- to ask us to restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected)
For user research activities and your membership of voluntary mailing lists, you also have the right to:
- withdraw your consent
- ask us to delete your personal data
- get a copy of your data in a structured, commonly used and machine-readable format
You can exercise your rights by contacting the relevant controller. For contact details, see the next section of this policy below.
You can also manage NHS App performance data ("analytic cookies"). See the NHS App cookies policy for details on how to do this.
Asking a question or finding out more
If you have a general question about using the NHS App, you can check our help pages or contact our service desk.
By opening the panel below, you can find out who to contact or where to find more information if you have a question about particular data.
Making a complaint
If you have any objections or complaints relating to your data, we will investigate and attempt to resolve them. We will make every reasonable effort to allow you to exercise your rights as quickly as possible and within the timescales set out in data protection laws.
You can contact our Data Protection Office at NHS England to make a complaint. You can do this by emailing enquiries@nhsdigital.nhs.uk or by sending a letter to:
Privacy Transparency and Ethics team
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP
We ask that you try to resolve any issues with us first. However, you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information. The ICO is the UK regulator for data protection and upholds information rights. Contact the ICO.
Our legal basis
By opening the panels below, you can learn more about the legal directions that apply to us, and other important legal information.
Changes to this policy
The terms of our privacy policy may change from time to time. We will inform you via the NHS App and request your continued agreement if we make any significant changes to our privacy policy, cookies policy or terms of use.