Name: NHS account privacy policy
Creator: NHS website
License: https://developer.api.nhs.uk/terms

Version 5.6, 14 December 2022

This is a minor update to cover that NHS account uses Qualtrics to get NHS account performance information.

1. How we use your personal information

This privacy policy relates to the service provided by NHS Digital, giving you access to certain NHS services through our national digital channels. We now call this service your NHS account. You can continue to log in to your NHS account using the NHS App (formerly known as the native version) or the NHS website (formerly known as the browser version) in the same way as you did previously. This privacy policy covers the use of your NHS account in both channels.

Your use of the NHS website other than for the services available in your NHS account will continue to be covered by the NHS website terms and conditions, privacy policy, cookies policy and other policies.

1.2 Our commitment to protecting your personal information

Whenever you provide personal information to a third party, that party is legally obliged to use your information in line with data protection law.

We take the security of your personal information seriously. We have set up security measures, policies and procedures such as:

training all staff annually in data and security protection
monitoring our platform to keep your personal information secure
following good practice guidance provided by the National Technical Authority
always using legally binding agreements with all organisations we use
having security and confidentiality policies in place across the organisation, to which staff must agree before they are given access to personal information
restricting access to personal information to only those staff who need access to perform their role

However, no software or application can be completely secure. If you have any concerns that your account could have been compromised (for example, someone could have discovered your password), follow the instructions on NHS account help and support.

This privacy policy explains the following:

the services available via your NHS account and who is involved
who the controller is for the personal data processed when you use your NHS account
what information is collected about you
what information is held about you and where that information is obtained
how your personal data is used and why
where your data is stored
your rights
points of contact for queries, objections and complaints

In this privacy policy the following terms have the following meanings:

Controller: "The person or entity which alone or with others determines the purposes or means or processing of personal data"
Processor: "Any person or legal entity who processes personal data on behalf of the controller"
Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"

2. Your NHS account services and who we are

Your NHS account allows you to use the following services, depending on the level of NHS login identity verification.

With NHS login mid-level identity verification, you can:

check your symptoms
find out what to do when you need help urgently
receive messages including general health messages, communications, public health announcements, and updates relating to your NHS account and services available within it

With NHS login high-level identity verification, you can:

use all the services available with NHS login mid-level identity verification
book and manage appointments at your GP practice
book and manage appointments for coronavirus (COVID-19) vaccinations
order repeat prescriptions, and select or change your nominated pharmacy from which you get them
view your GP medical record securely
send messages to your GP practice (if provided by your GP practice)
register to be an organ donor
choose how the NHS uses your data for research and planning purposes
use online consultation services if provided by your GP practice
use personal health record services (if provided by your GP practice or hospital)
manage your hospital referrals and appointments, including viewing your referrals and appointments, booking, changing and cancelling appointments and accessing information while you wait
check your COVID-19 vaccine record
view and download your NHS COVID Pass for travel abroad
get messages specific to you or your healthcare from your connected healthcare providers that use the NHS App Messaging Service, like your GP surgery

The level of identity verification you have depends on your NHS login account. Find out more about NHS login.

The key organisations involved in your NHS account and their respective roles are as follows:

2.1 NHS England

NHS England leads the National Health Service (NHS) in England. It sets the priorities and direction of the NHS.

A lot of the work NHS England does involves the commissioning of healthcare services in England.

It commissions the contracts for GPs, pharmacists and dentists, and supports local health services led by groups of GPs called integrated care boards (ICBs).

NHS England wants everyone to have greater control of their health and wellbeing, and to be supported to live longer, healthier lives.

Find out more on the NHS England website

NHS England has directed NHS Digital to collect certain personal data in relation to users of the NHS account. The legal directions are titled NHS Digital (Establishment of Information Systems for NHS Services: NHS App) Directions 2018 dated 27 September 2018.

NHS England has directed NHS Digital to display certain personal data it has collected in relation to hospital and secondary care appointments. The legal directions are Enhanced Appointment Viewing (NHS App) Directions 2022.

2.2 Department of Health and Social Care

The Department of Health and Social Care is the central government department responsible for setting out policy on health and adult social care matters in England. It carries out some of its work through arms-length bodies, such as NHS Digital and NHS England. Find out more on the Department of Health and Social Care website.

Department of Health and Social Care has directed NHS Digital to process certain personal data in relation to users of the NHS COVID Pass service in the NHS account. The legal directions are titled the COVID-19 Public Health Directions 2020 dated 17 March 2020.

2.3 Isle of Man government and Manx Care

This section only applies to users in the Isle of Man. The NHS account is available for use by users registered with a GP in Isle of Man. Access may need to be activated by your GP surgery. The services available to Isle of Man users will be different to those registered with a GP in England.

The service to Isle of Man users is provided under a request from the Isle of Man Government using their legal powers, as set out in the National Health Service Act 2001 (an Act of Tynwald)(NHSA 2001). Isle of Man health care provision is provided through Manx Care, a statutory board of the Isle of Man Government established by order pursuant to section 12 of the Manx Care Act 2021 (an Act of Tynwald).

It is the duty of Manx Care to exercise its powers to discharge the functions of the Isle of Man Department of Health and Social Care (the Department), including the duty to promote in the Isle of Man a comprehensive health and social care service. In accordance with a mandate between the Department and Manx Care, the Department may mandate that Manx Care discharge the Department functions regarding this information system. NHS Digital can undertake to provide the NHS account service under S255 of the Health and Social Care Act 2012.

2.4 NHS Digital

NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services.

We exist to help patients, clinicians, commissioners, analysts and researchers.

Our goal is to improve health and social care in England by making better use of technology, data and information.

Find out more about NHS Digital

NHS Digital has been directed by NHS England to provide the NHS account and to include the services that can be accessed via your NHS account.

NHS Digital is also responsible for managing (as well as many other services):

the national data opt-out, which allows patients to state their data sharing preferences
the NHS.UK website, which provides health information
NHS 111 online, which allows patients to get triage advice based on their symptoms online

All of these services are available through your NHS account.

NHS Digital also provides a public-facing service desk for user queries relating to the functionality of your NHS account and the NHS login service (formerly called 'Citizen Identity').

Find out more about NHS login

2.5 GP practices

GP practices provide primary care services to the public.

As part of your NHS account, GP practices can enable their patients to see their medical information, book appointments, order repeat prescriptions, send and receive messages, and select or change their nominated pharmacy.

GP practices may also provide additional services such as online consultation, personal health record, or communications services, and will normally engage a specialist organisation to provide these additional services on their behalf. Your GP practice remains in charge of your personal information and decides what health information from your health record, appointments and prescriptions is displayed to you.

3. Personal data - who controls its use

The organisation that is the controller or processor of your personal data will depend on the service to which it relates. For example:

3.1 Providing and managing your NHS account

NHS England describe, in a legal direction to NHS Digital, what personal data is required to provide and manage your NHS account. For example, user registration details and audit data. NHS England and NHS Digital are joint controllers for this personal data.

3.2 Using the services available through your NHS account

If you wish to use your NHS account to access a service, then the organisation that controls your personal data is responsible for managing access. For example, to view your GP practice records, then your GP controls this.

If you wish to log in to an online service linked to through your NHS account then NHS Digital will, with your consent, provide your login details to the online service you wish to use i.e. you can use the details stored by NHS Digital to save you time completing their online form (or you can enter the details yourself if you so wish).

The table below lists different situations and which organisation(s) control the personal data in each situation. In some situations, there is more than one controller. To find out more about the information falling within each of the below categories, see section 5, "What information we collect about you and how it is used".

Who the data controllers and processors are for different categories of information
Category of information	Controller(s)	Processor(s)
NHS account audit data	NHS England; NHS Digital	N/A
NHS account mailing list membership(s)	NHS England; NHS Digital	Contracted bulk emailing and list management service provider
NHS App Messaging Service	NHS England; NHS Digital; GP practice	Contracted communications service providers
NHS account performance data	NHS England; NHS Digital	Contracted analytics service providers
NHS account service desk information	NHS England; NHS Digital	N/A
NHS account service desk feedback & surveys	NHS England; NHS Digital	N/A
NHS Login account information	NHS England; NHS Digital (a separate service from your NHS account)	N/A
Your data sharing preferences	Department of Health & Social Care; NHS Digital (a separate service from your NHS account)	N/A
Information inputted into 111 Online symptom checker service	Department of Health & Social Care; NHS Digital (a separate service from your NHS account)	N/A
Information within your GP medical record	Your GP (as custodian of your records)	N/A
Information relating to GP appointments	Your GP	N/A
Information relating to the repeat prescription service and your nominated pharmacy	Your GP; Your pharmacist	N/A
Information relating to messaging through GP surgery systems	Your GP	N/A
Organ donation preferences	NHS Blood and Transplant	N/A
Information inputted into NHS.UK	Department of Health and Social Care; NHS Digital (a separate service from your NHS account)	N/A
Online consultation responses	Your GP; NHS England	A contracted Online Consultation Provider and in some cases NHS Digital (for more details see the online consultations privacy policy
Information in personal health records not supplied by you	Your GP or hospital(s)	A contracted personal health records provider
Information in personal health records supplied by you	A contracted personal health records provider; Your GP or hospital(s) if you direct such data to be shared with them	Refer to the privacy policy applicable to the personal health records service available to you for more information
User research panel membership, survey responses and user research newsletter mailing list	NHS England; NHS Digital; and DHSC as a partner of NHSx where explicit consent has been given	Contracted survey service provider
Hospital referral information	NHS England; NHS Digital	N/A
Enhanced appointment viewing (hospital appointment) information	NHS England; NHS Digital	NHS England contracted service providers
Check your COVID-19 vaccine record	NHS England; NHS Digital	N/A
NHS COVID Pass	Department of Health and Social Care	Third party processor as detailed in the service's privacy policy
Book or manage a coronavirus (COVID-19) vaccination	NHS Digital	NHS Digital
Data you choose to provide when taking part in surveys or other user research to help improve our service	NHS England; NHS Digital	Contracted research tools provider

3.3 Processors

When organisations are engaged to process your personal information on behalf of a different controller organisation, there will always be a contract in place. These processor organisations must have agreed to keep your information secure and only use it for the purpose they have been instructed to.

For example, your GP practice or the integrated care board (ICB) which it belongs to may have contracted with one or more commercial online consultations providers, personal health records providers or communications service providers for the provision of services on the GP's behalf. See the NHS account privacy policy for online consultation services and NHS account privacy policy for personal health record services for more details. Other processors are described in the table above.

4. Features

4.1 Passwordless authentication

Registered users of the NHS account may be able to use the passwordless authentication feature if their device supports this.

Passwordless authentication is voluntary and does not stop you using your existing method to access the NHS account. Passwordless authentication is based on technology in your device. Your device may support passwordless authentication using different types of biometric data, including fingerprint and facial recognition. We do not have access to or control over the biometric data stored on your device.

The NHS account performs passwordless authentication against NHS login in accordance with the Fast Identity Online (FIDO) standard.

4.2 Nominated pharmacy

Registered users of the NHS account are able to select, view and change their nominated pharmacy to which their electronic prescriptions are sent. This feature is only available if your GP practice has enabled it.

As a result of changing your nominated pharmacy, your personal information needed to verify and dispense your electronic prescription will be shared with the selected pharmacy. Find out more about electronic prescriptions.

4.3 Proxy access (linked profiles)

As described in the NHS account terms of use, "Proxy access" enables you to view parts of the GP medical record, book or cancel appointments, order repeat prescriptions online, or send patient to practice messages in relation to someone else (for example, their child or someone you care for) as authorised by your GP from time to time.

Note: you cannot create new proxy access relationships through your NHS account. To create new relationships or change existing ones, please contact your GP practice.

You are responsible for any personal data that you access on behalf of the person you are using proxy access in respect of, and must keep it safe and secure.

You must, to the extent possible bearing in mind their age, condition and capacity:

make the person you are using proxy access on behalf of aware of, and seek their consent to, your proxy access and any steps you take on their behalf
make the person you are using proxy access on behalf of aware of this privacy policy and other applicable terms and conditions

4.4 View medical record documents

Where available, if a GP practice has permitted access to files (sometimes called letters) attached to your medical record or that of a person you are using proxy access on behalf of, you will be able to view and download these files through your NHS account.

Once downloaded it is your own responsibility to keep the files secure. If you use a shared computer or mobile device to access your NHS account, make sure you delete any downloaded files when you are finished.

4.5 NHS App Messaging Service

This service enables you to receive updates relating to your NHS account and services available within it, and public health announcements. Connected healthcare providers that use this service, like your GP surgery, may use it to send you messages specific to you or your healthcare.

You cannot use this feature to send a new message to NHS Digital or to your healthcare providers. When needed, your healthcare provider may give you the option to reply to certain messages through your NHS account.

See more information in the NHS account privacy policy for messaging services.

4.6 NHS App notifications

You can choose to activate push notifications from the NHS App to alert you to receipt of messages sent using your NHS account. This functionality may differ from device to device.

This feature is not available when you use the NHS website to log in to your NHS account.

You can opt out of push notifications at any time. Messages can continue to be sent and available via your NHS account whether or not push notifications are activated, but opting out may limit the types of messages you can receive. For example, messages related to your healthcare may continue to be sent by other means.

If you use the NHS App across more than one device, push notifications must be enabled on each one.

If you share the device you use to log into the NHS App with other people, they may see your notifications. Notifications may be sent to more than one user on the same device.

The push notifications sent to you depend on what messaging services your GP surgery or healthcare providers have chosen.

4.7 User research panel, surveys and user research newsletter

We would like to contact you about taking part in user research to improve your NHS account and connected services. We will ask you if you would like to join our user research panel when you register for your NHS account or on a subsequent login. If you choose to do so, we will email you a short survey to fill in about you and your health. Your answers will help make sure we invite you to user research that is relevant to you. We will also ask you if you want to receive our user research newsletter.

When you have signed up, we may ask you to:

try new features
answer more questions by email
talk to our researchers about your experience of using your NHS account or connected services

You can always say no to an invite, and you can leave the user research panel at any time.

We will only use your information to contact you about the NHS account user research panel. It will only be used by NHS England, NHS Digital and DHSC as a partner in NHSx, depending on what you have consented to, and will not be shared with anyone else. You can unsubscribe at any time by selecting the unsubscribe link in any surveys or newsletters we send you, or by contacting the NHS App team.

4.8 Other user research

We may ask you to take part in user research, for example, surveys, interviews or other research activities, to help improve the service we provide. You can always say no to a request, and you can change your mind at any time.

Personal information you provide will only be used by NHS England, NHS Digital and DHSC as a partner in NHSx, depending on what you have consented to, and will not be shared with anyone else. Whether you choose to take part will not affect the care you receive from your health services.

5. What information we collect about you and how it is used

The information processed for the purposes of your NHS account can be split into a number of different categories.

Details of the information and personal data falling within each of the categories where NHS Digital is the controller are set out below.

Categories of information and personal data
Category of information	Personal data	Special categories of personal data
NHS account audit data	Information captured against your NHS Number about your use of your NHS account, such as the time of use, actions you took using your NHS account, and associated technical log events.	None
NHS account document download	You may be asked for access to your device’s file storage to download your NHS COVID Pass or medical record documents. Files that you choose to download will be stored on your device.	Any health or special category data included in the downloadable file
NHS account performance data	IP addresses are transmitted to Adobe Analytics, Hotjar and Qualtrics as part of performance data but are not stored so users cannot be identified.	None
NHS App Messaging Service	We send messages, and support connected healthcare providers to send messages, and receive replies (if they enable this function). We use your NHS account to do this. Messages from connected healthcare providers may contain information related to your personal health and care.	Health
NHS App mailing list membership(s)	We contract a specialist organisation to send out bulk emails and manage our lists of email subscribers. We use only your email address and mailing preferences needed to operate this service.	None
NHS account service desk information	The personal data you provide if you contact the service desk; could include information about your use of your NHS account and services. In order to diagnose and resolve problems we may sometimes securely share this information with other organisations who operate the ‘Platform Services’ described in clause 1.2. of the Terms of Use.	None
NHS account service desk feedback & surveys	The personal data you provide if you provide feedback such as responding to one of our surveys.	None
NHS login account information	Logins to your NHS account are managed by NHS login, a separate NHS Digital service. If you're a new user of the NHS account, you may be asked to provide additional information, such as your NHS number or a picture of your passport, to set up a new NHS login account with high-level identity verification. In the case of low-level, mid-level and high-level identity verification accounts we will use your personal information to create an account and enable you to log in to this. In the case of high-level identity verification accounts NHS login will verify your ID online using an automated verification process. Where an automated decision cannot be made successfully, a manual verification process is then used. We use approved ID verification suppliers to complete our automated online ID verification process. As part of the automated ID verification process for high-level identity verification, facial recognition technology is used so that a likeness and liveness check can be conducted. You may be asked for access to your device’s camera which will be used to capture data to support proof of identity. This data is not stored. You may also be asked for access to your device’s file storage to upload documents, photos or videos to support proof of identity. Further details on the automated process, manual process and how your data is stored can be found within the NHS login privacy policy. As a registered user, login information consisting of your email address and password will be processed to enable you to use your NHS account. Find out more about NHS login	Yes
Your data sharing preferences	Personal data provided in order to identify you and retrieve or set your data sharing preferences.	None
111 Online symptom checker service	Personal data such as contact details and health data will only be captured if you elect to have 111 Online contact you, otherwise the symptoms you enter will be anonymous. If you allow access to your device’s location then location data will be used to find services in your area.	Health data (symptoms information entered in response to questions, but only if contact information is provided, otherwise anonymous)
Information inputted into other services on NHS.UK	Personal data will only be captured if you elect to provide it, otherwise your use of NHS.UK other than for the services available in your NHS account will be anonymous.	None
User research panel membership, survey responses and user research newsletter	Personal data will only be captured if you elect to provide it as part of participating in user research relating to your NHS account or connected services. We will collect your name and email address to maintain a mailing list for the user research newsletter, where you have consented to receive it.	We will ask general questions about your health and background in order to ensure we are inclusive in our research.
Hospital referral information	Personal data will only be captured if you elect to provide it as part of using the Manage Your Referral service.	Details of your hospital referrals and first appointments, including department.
Enhanced Appointment Viewing (hospital appointment) information	Details of your hospital referrals, appointments and bookings, including department.	Details of your hospital referrals, appointments and bookings, including department.
Check your COVID-19 vaccine record	Personal data provided in order to identify you and retrieve your COVID-19 vaccine history.	Details of your COVID-19 vaccine history
Book or manage a coronavirus (COVID-19) vaccination	Personal data provided in order to send you a confirmation of your COVID-19 vaccine booking.	Details of your appointments and vaccinations
Other user research	Personal data you choose to provide when taking part in voluntary research activities.	None
Organisational Data Service (ODS) codes	An ODS code is a unique number used to identify health and social care organisations, including GP surgeries. We may collect an ODS code if you raise a technical issue with the NHS App team, which is then stored outside of the NHS account in an issue management system.	None

6. How NHS Digital uses your personal data and why

The processing of your personal data is necessary to provide you with NHS account services and ensure the functionality of your NHS account works.

You will not be able to use your NHS account unless you have agreed to its terms of use and this privacy policy.

The organisation that is the controller and/or processor of your personal data will depend on the information in question.

We may need to share your personal information if we are required to do so by law.

We may also analyse or share data that is aggregated or anonymous with organisations within, or whose work helps, the NHS. This is to help the NHS understand how your NHS account is being used so we can make improvements to it and other NHS services.

If you provide any information to us, and we are able to identify you, for example in feedback forms or contact with us, that suggests a serious risk of harm to yourself or someone else we may contact you, or pass details to your health or social care provider or emergency services.

6.1 Personal data for which NHS Digital is the controller within the scope of your NHS account

Legal basis for using each category of information and how long NHS Digital hold the data for
Category of information	Legal basis for using this data	Retention period
NHS account audit data	Legal obligation – processing is necessary for compliance with the legal obligation to which NHS Digital is subject	8 years after the audit event occurred
NHS account mailing list membership(s)	Your consent specifically provided when you opted to join a mailing list	Varies depending upon which mailing list you are joining
NHS App Messaging Service	Legal obligation - processing is necessary for compliance with the legal obligation to which NHS Digital is subject	Messages and replies to messages are stored in the 'Messages' area of your NHS account for as long as your NHS login exists. This is to provide the same service you would get if you received messages from another channel, such as a text message. If you delete your NHS login, you will lose access to these messages and it may affect your access to other NHS services
Enhanced Appointment Viewing (hospital appointment) information	Legal obligation – processing is necessary for compliance with the legal obligation to which NHS Digital is subject	Transient
NHS account service desk information	Legal obligation – processing is necessary for compliance with the legal obligation to which NHS Digital is subject	12 months
NHS account service desk feedback and surveys	Your consent via acceptance of our privacy policy and giving your agreement to take part in a survey	12 months
NHS account performance data	Your consent via acceptance of our cookies policy	12 months
User research panel membership, survey responses and user research newsletter	Your explicit consent via acceptance of our privacy policy and giving your agreement to take part in a survey, and/or join the NHS account user research panel, and/or receive the user research newsletter	Varies depending upon which survey you are responding to, we shall tell you specifically before we ask you for your consent
Other user research	Your explicit consent via acceptance of our privacy policy and giving your agreement to take part in research	Varies depending upon which research activity you are taking part in. We shall tell you specifically before we ask you for your consent

Find out more about the directions issued to NHS Digital

Where this data is stored and processed

We only store and process your personal data within the UK and European Economic Area (EEA).

6.2 Personal data for which NHS Digital is the controller outside the scope of the NHS account

In respect of certain connected services NHS Digital has a role outside the scope of the NHS account as NHS Digital also provides these services. They are separate from the NHS account and subject to their own privacy policies which you should read before use.

Categories of personal data information, how the data is used, and how the data is handled
Category of information	How the data is used and handled
NHS login account information	See the NHS login privacy policy
Your data sharing preferences	See the National Data Opt-out Service privacy notice
111 Online symptom checker service	See the 111 Online privacy policy
Information inputted into NHS.UK	See the NHS.UK privacy policy
Hospital referral Information	See the Manage Your Referral privacy policy
Check your COVID-19 vaccine record	Find out more about the Check your COVID-19 vaccine record service
Book or manage a coronavirus (COVID-19) vaccination	See the National Booking Service privacy policy

6.3 Personal data for which NHS Digital is neither the controller or processor

In respect of certain connected services, NHS Digital's role is simply enabling you to access the services in the same format as the NHS account. NHS Digital is neither the controller nor processor for personal data that you submit or view in such connected services. Such services are separate from the NHS account and subject to their own privacy policies which you should read before use.

Categories of information and respective privacy policies
Category of information	Privacy policy
Information in personal health records (whether supplied by you or not)	This service is contracted by your GP practice or hospital with a personal health records provider. Find out more about personal health record services.
NHS COVID Pass	This service is managed by the Department of Health and Social Care. Find out more about the NHS COVID Pass service.
Information within your GP medical record	Contact your GP practice for a copy of their privacy policy.
Information relating to GP appointments	Contact your GP practice for a copy of their privacy policy.
Information relating to the repeat prescription service and your nominated pharmacy	Contact your GP practice and pharmacist for copies of their privacy policies.
Information relating to messaging through GP surgery systems	Contact your GP practice for a copy of their privacy policy. See the NHS account privacy policy for messaging services.
Organ donation preferences	This service is managed by NHS Blood and Transplant (NHSBT), which is separate from NHS Digital. Find out more about NHSBT.
Online consultation responses	This service is contracted by your GP practice with an online consultations provider. Find out more about online consultation services.

7. Your rights

Data protection laws provide a number of rights to you. These rights are listed below.

You can exercise your rights by contacting the appropriate controller.

If you wish to contact NHS Digital, please use the contact details at the bottom of this page.

The personal data NHS Digital holds as a controller within the scope of the NHS account is limited to:

NHS account audit data
NHS account mailing list membership(s)
NHS App Messaging Service data
NHS account service desk information
NHS account service desk feedback and surveys
NHS account performance data
User research panel membership and survey responses
Other user research activity responses (for example, survey responses or interviews)

Your rights applicable to audit data, mailing list membership(s), NHS App Messaging Service data, service desk information, service desk feedback and surveys, and user research panel membership and survey and other user research activity responses are:

to know how your data will be collected, processed and stored, and for what purposes
to withdraw your consent, which applies to your participation in user research panel membership, survey responses and unsubscribe to mailing list membership
to request a copy of your personal data
to correct your personal data errors or omissions
to data portability - this means you can obtain a copy of your data in a structured, commonly used and machine-readable format (applies only to your participation in user research panel membership, survey responses and to mailing list membership)
to request we delete your personal data (only applies for mailing list membership(s), NHS account service desk feedback and surveys, user research panel membership, survey responses and other user research activity responses)
to request we restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected before it's used)

You can also manage the NHS account performance data ("analytic cookies"). See the NHS account cookies policy for details on how to do this.

8. Points of contact for queries

If you have any queries in relation to the use of your personal data within your NHS account, or about your NHS account generally, refer to the table below to find out where to direct your query.

Who to contact for queries about use of your personal data in the NHS App
Query	Who do I contact?
Queries about the content of your medical records and/or the medical records you can view via your NHS account	Your GP surgery
Queries about your healthcare, such as GP appointments or repeat prescriptions	Your GP surgery
Queries about your ordered prescriptions or nominated pharmacy	Your GP surgery or pharmacist
Queries about your NHS account functionality and how to use the NHS App or NHS website to log in to your NHS account	See our help and support page
Queries about messaging in your NHS account	See the NHS account privacy policy for messaging services
Queries about login information or issues	See our help and support page
Queries about the 111 symptom checker service	See our help and support page
Queries about the NHS.UK website	Contact us
Queries about your data sharing preferences	See the National Data Opt-out Service privacy notice
Queries about your organ donation preferences	See NHS Blood and Transplant's organ donation FAQ
Queries about your online consultation responses	Your GP surgery. NHS England (if applicable). See online consultation services for details.
Queries about personal health record services	Your GP surgery or hospital(s); a contracted personal health records provider. See personal health record services for details.
Queries about user research panel memberships, survey responses and user research newsletters	See our help and support page
Queries about hospital referral and appointments information	See our help and support page
Queries about Check your COVID-19 vaccine record	Find out more about the Check your COVID-19 vaccine record service
Queries about NHS COVID Pass	This service is managed by the Department of Health and Social Care. Find out more about the NHS COVID Pass service.
Queries about Book or manage a coronavirus (COVID-19) vaccination	See the National Booking Service privacy policy.

9. Objections and complaints about your NHS account

We will investigate and attempt to resolve any data privacy objections and complaints relating to your NHS account.

We will make every reasonable effort to allow you to exercise your rights as quickly as possible and within the timescales provided by data protection laws.

You can contact our Data Protection Officer to make a complaint:

By email

enquiries@nhsdigital.nhs.uk

By post

Privacy Transparency and Ethics team
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.

The ICO is the UK regulator for data protection and upholds information rights.

Contact the ICO

10. Changes to the privacy policy

The terms of our privacy policy may change from time to time. We will inform you via your NHS account and request your continued agreement if we make any significant changes to our privacy policy, cookies policy or terms of use.

10.1 Previous versions

Version 5.5, 30 November 2022, This minor update covers the addition of Book or manage a coronavirus (COVID-19) vaccination in the NHS account.
Version 5.4, 28 November 2022 - This minor update covers a change in how we refer to messages in your NHS account from 'Health service messages' to 'NHS App Messaging Service.'
Version 5.3, 16 November 2022 - This minor update covers the new functionality that enables some users to send replies to some messages in the NHS account.
Version 5.2, 20 September 2022 - This minor update covers the addition of Enhanced Appointment Viewing in the NHS account.
Version 5.1, 7 July 2022 - This minor update clarifies distinctions between the types of messaging available in the NHS account.
Version 5.0, 25 May 2022 - This update covered changes to NHS Digital's status as a data processor (in section 3.2), personal data for which NHS Digital is neither the controller or processor (in section 6.3), how we may use your personal data if you provide any information to us, and we are able to identify you, that suggests a serious risk of harm to yourself or someone else (in section 6)
Version 4.9, 12 May 2022 - This minor update reflects the fact that, in line with government policy, the domestic NHS COVID Pass is no longer available.
Version 4.8, 13 April 2022 - This minor update provides information on how Organisational Data Service (ODS) codes are used in the NHS account.
Version 4.7, 5 April 2022 - This minor update covers a change to the way we talk about access to certain NHS services through our national digital channels. We now call this service your NHS account, which you can log in to using the NHS App or the NHS website. The data we collect and the services we offer are not altered by this change.
Version 4.6, 29 March 2022 - This minor update includes information on how the NHS App uses data from your device’s camera, location and file storage.
Version 4.5, 18 March 2021 - This minor update covers some changes to the way notifications work for multiple users on the same device.
Version 4.4, 21 February 2022 - This minor update provides more information on how we use your data when you take part in user research to improve our service.
Version 4.3, 2 February 2022 - This minor update adds clarification on how, and why, we may use your data.
Version 4.2, 9 December 2021 - This minor update covers a change to the NHS COVID Pass service, which is now also accepted at places in Wales using this service.
Version 4.1, 17 November 2021 - This minor update covers:
- a change of use of NHS App messaging to cover connected healthcare providers who may send messages about your care using the NHS App
- when we may use notifications to tell you about messages sent using the NHS App
- legal basis for users in the Isle of Man
- more information on ID verification for NHS login
Version 4.0, 19 July 2021 - This minor update covers a change of use of the NHS COVID Pass service to include places in England that have chosen to use this service.
Version 3.9, 21 June 2021 - This minor update covers the updated service name for the NHS COVID Pass service, previously known as Share your COVID-19 status. It also covers the addition of the NHS COVID Pass service for use at event trials in England, for those who do not have high level identity verification access to the NHS App.
Version 3.8, 17 May 2021 - minor update covers the addition of the Share your COVID-19 status service provided by the Department of Health and Social Care.
Version 3.7, 14 May 2021 - minor update covers the addition of the Check your COVID-19 vaccine record service, provided by NHS Digital.
Version 3.6, 11 May 2021 - minor update covers the user research panel, surveys and newsletters.
Version 3.5, 4 November 2020 - This minor update covers NHS App messaging, which enables us to send public health announcements.
Version 3.4, 26 October 2020 - This minor update covers the integration of the ‘Manage Your Referral’ Connected Service for managing hospital referrals.
Version 3.3, 6 October 2020 - This minor update covers registering for the user research panel to help us improve the NHS App and connected services.
Version 3.2, 28 May 2020 - This minor update reflects notification services being made available in the NHS App.
Version 3.1, 12 May 2020 - This minor update reflects messaging services being made available in the NHS App.
Version 3.0, 30 March 2020 - This minor update reflects personal health record services being made available in the NHS App.
Version 2.9, 3 March 2020 - This minor update covers nominating a pharmacy and patient to practice messaging.
Version 2.8, 17 February 2020 - This minor update covers proxy access and viewing documents in GP medical records.
Version 2.7, 10 January 2020 - This minor update reflects the release of proxy access and viewing documents in GP medical records.
Version 2.6, 28 November 2019 - This minor update covers the use of a service to manage user research panel membership and surveys.
Version 2.5, 14 November 2019 - This minor update reflects the release of new features for online consultations, changing your nominated pharmacy and accessing the NHS App through a web browser.
Version 2.4, 29 May 2019 - This minor update clarifies that "NHS App audit data" also includes associated technical log events.
Version 2.3, 30 April 2019 - This minor update clarifies that we may securely share NHS App service desk information, which can include personal data, with other NHS organisations who provide "Connected Services" to diagnose and resolve technical problems.
Version 2.2, 20 February 2019 - This minor update covers the introduction of a new passwordless authentication feature in the section entitled "Personal data". It also covers bringing data retention periods in line with NHS Digital policies in the section entitled "Personal data for which NHS Digital is the controller within the scope of the NHS App".
Version 2.1, 19 December 2018 - This minor update adds a clarification regarding data processing locations.
Version 2, 18 December 2018 - Significant update for the app's public release in the Apple and Google Play stores.
Version 1, 26 September 2018 - Original version for the app's private beta release.

If you would like to view any of the previous versions of the NHS App privacy policy, contact the NHS App team.