Skip to main content

NHS App privacy policy

About this privacy policy

This privacy policy explains how NHS England and other organisations may use your data when you use the NHS App.

You can download the NHS App on an iOS or Android device. You can also access the same services by logging in through the NHS website in a web browser. This policy applies to using either of those channels.

As well as this policy, you should also read the NHS App terms of use and cookies policy.

Terms we use in this policy

You may find it helps to understand these terms when reading this policy.

  • Data is “processed” when any action is taken with it. For example, when it is collected or reviewed.
  • A “controller” is an organisation or person that decides what data is processed. They also decide how and why this needs to be done. They are legally responsible for that data.
  • A controller may appoint a “processor”. This is another organisation or person that processes data under the instruction of the controller.
  • “Special category data” is personal information that has more legal protection, including data about your health.

You can find out more about these terms on the Information Commissioner’s Office website.

Why we use your personal data

We mainly use your data so that the NHS App works correctly. It means we can give you access to services and information about your health and care.

We may also use your personal data to:

  • improve the NHS App
  • resolve technical faults
  • maintain and improve security
  • comply with the law
  • protect users against potential fraud
  • act if you provide information suggesting you or others may be at risk of harm

We cannot respond to comments added to feedback surveys. If you think you need medical help right now, use 111 online or call 999. You can also find out where to get urgent help for mental health.

If you provide information suggesting you or someone else may be at risk of serious harm, we may share your details with local NHS services. We will only do this to ensure you are offered appropriate support.

Data we process about your use of the NHS App

This section tells you more about data we process to make sure the NHS App works correctly. This includes personal information such as your name and your age. NHS England and The Department of Health and Social Care are controllers for the data described in this section.

How you use the NHS App

This is technical data about your activities when you are logged in. It's also called audit data. It may include the time when you use the NHS App, what actions you take and related technical details. This information is captured against your NHS number. We may keep this data for up to 8 years.

How well things are working

This is also called performance data. We’ve appointed an approved analytics service provider to help us process this data. We may keep this data for up to 1 year.

Your contact with our service desk team

This means information captured when you contact the NHS App service desk for support, or when you provide feedback or complete a survey. If you raise a technical issue with the service desk team, we may link this to an Organisation Data Service (ODS) code. ODS codes are unique codes that are associated with particular health and care services, such as GP surgeries. When we capture an ODS code, it is stored in an issue management system alongside other details about the issue. We may keep data about your contact with our service desk for up to 1 year.

Being part of email lists

When you register to use the NHS App, you will be added to an email mailing list for necessary service updates. You may also voluntarily choose to join other mailing lists, for example for user research. We’ve appointed an approved emailing and list management service provider as a processor for this data. How long we keep this data varies depending on which mailing lists you join.

Messages you send and receive

We process data about messages that you send or receive through the NHS App Messaging Service. For more information you can read the NHS App privacy policy for messaging services. Messages and replies are stored in your account for as long as your NHS login exists.

Data we collect about you

In the tables below, you can find out more about data we may collect about you when you use the NHS App.

Personal data we collect about you
Data category Why do we need it?

Name

This is patient contact information that is part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable consultations and file downloads

Registered GP Organisation Data Service (ODS) code

ODS codes are used by the NHS App to produce management and statistical information. This happens at a level which does not disclose personal information or directly identify you.

Organisation Data Service (ODS) codes of sending services

The ODS code of the sending service is used by the NHS App Messaging Service to uniquely identify the sending service. It is also used to look up information related to that service such as the service’s name.

Email address

This is patient contact information that part of your health record. It is used to:

  • help the service desk resolve any user issues
  • enable consultations and file downloads

Date of birth

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.

Age

This is patient contact information that part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable consultations and file downloads

Sex

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.

Gender

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.

Physical description

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.

NHS number

Your NHS number is part of your health record. It is used as part of audit tracking and within analytics. It is also needed to enable consultations and file downloads.

Home phone number

This is patient contact information that is part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable consultations and file downloads

Online identifier (for example your IP address, event logs, or NHS login identifier)

This is used to log events, trace faults and provide security protective monitoring log data.

Website cookies

This is used for session and performance management.

Mobile phone number

This is patient contact information that part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable notification and messaging campaigns
Special category data we collect about you
Data category Why do we need it?

Medical record information

The transmission of medical information (including GP letters, test results and record extracts) between GPs and patients is needed to enable consultations and file downloads. This is extended to file uploads, where you may wish to upload an image to support a consultation.

It is also used for hospital appointment, booking and referral letters and other documents.

Personal information linked to you may also be used to present your hospital appointment waiting lists.

Messages from health and care providers

Messages processed as part of NHS App Messaging and NHS App Notification services will remain stored within the NHS App.
How NHS England may process the data above for analysis

NHS England will process identifiable data from NHS App services:

  • to ensure the NHS App works correctly
  • to resolve technical faults
  • so that the service can be improved
  • for user research where you have agreed to
  • to maintain and improve security
  • processing data for the purpose of linkage and dissemination to produce anonymised data.

NHS England will also process anonymised data from the NHS App services:

  • to provide high level statistical information
  • to assess service usage and equality impact

Connecting services provided by NHS England

The NHS App acts as a platform that allows you to access a range of connecting services. These services are separate from the NHS App. The organisations that control and process your data will depend on which services you access.

NHS England has a role in providing some services that connect with the NHS App. You can open the panel below to find privacy policies for these services.

Find out more about connecting services provided by NHS England

Your data sharing preferences

You can choose your data sharing preferences using the NHS App. To find out more about your data sharing preferences you can read the National Data Opt-Out Service privacy notice.

NHS website

You may visit the NHS website while using the NHS App. To find out more about the NHS website and data you can read the NHS website privacy policy.

NHS 111

You may input information into NHS 111 Online. Read the NHS 111 Online privacy policy.

COVID-19 vaccination details

You may access your COVID-19 vaccination record. Read the Check your COVID-19 Vaccination Record Service privacy policy.

You may also book a COVID-19 vaccination. Read the National Booking Service privacy policy.

Hospital referrals and appointments

You choose to provide hospital referral information as part of the Manage Your Referral service. Read the Manage Your Referral privacy policy.

You may be able to view and manage details of your hospital referrals, appointments and bookings, including department. You can find out more in the NHS Wayfinder services privacy policy and the NHS Wayfinder Services Directions 2023.

GP registration

You may register with a GP surgery using the NHS App or website. Read the NHS GP Registration privacy policy.

Your prescriptions

You may be able to view information about your current prescriptions, including a digital barcode you can show to a pharmacist to help them find your prescription. To find out more, read the Electronic Prescription Service privacy policy.

Manage health services for others

You may be able to apply to your GP surgery to:

  • access services for someone else
  • give someone you trust access to your services

For more information, read the Proxy application service privacy policy.

Other connecting services

Some of the services you can connect with using the NHS App are not provided by NHS England. You can open the panel below to find privacy policies for these services.

Find out more about other connecting services

Your GP health record

Your can access your GP health record using the NHS App. Contact your GP surgery for copies of their privacy policies.

Your organ donation preferences

You can choose your organ donation preferences. Read the NHS Blood and Transplant privacy policy.

GP appointments and prescriptions

You may be able to book and manage appointments. Contact your GP surgery for copies of their privacy policies.

You can also order repeat prescriptions and choose a nominated pharmacy. Contact your GP surgery and pharmacy for copies of their privacy policies.

Personal health record services

For personal health record services that may be provided by your GP, hospital or other care provided, read the NHS App privacy policy for personal health record services.

Online consultations

For online consultation services that may be provided by your GP, hospital or other care provider, read the NHS App privacy policy for online consultations.

GP surgeries and NHS England

Some of your personal data which the NHS App processes is made available to you by GP surgeries. When the data is at the GP surgery, the GP is the controller. Your data may be sent from the GP to the NHS App. To the extent that NHS England facilitates the transmission of this data, it acts as a controller independent of the GP surgeries, as part its joint controller arrangements with the Secretary of State arising from the NHS App Directions (2023) dated 2 March 2023 ("the 2023 Directions"). This is to enable the services requiring transmission of personal data from GP surgeries on the NHS App. NHS England and the Secretary of State as joint controllers are determining the means by which such transmission of personal data is transmitted in NHS App but in all other respects the GP surgery is the controller of such personal data.

Privacy guidance about using the NHS App

Logging in

You gain access to the NHS App using your NHS login. This is a set of login details you can use to access a range of health and care websites and apps. You can find out more in the NHS login privacy policy.

Some phones and tablets give you the option to log in to your NHS App using fingerprint, face and iris recognition. This is also called biometric login. On iPhones and iPads this is called Face ID or Touch ID.

Biometric login is voluntary. It does not stop you using another method to access the NHS App. It is based on technology in your device. We do not have access to or control over the biometric data stored on your device. The NHS App performs biometric authentication against NHS login in accordance with the Fast Identity Online (FIDO) standard.

Camera and location information

The NHS App may ask for access to the camera on your device if you choose to use face or iris recognition. You may also be asked for access to your device’s camera as part of the NHS login identity verification process.

Some connecting NHS services may also ask for access to your device location. If you allow access to your device’s location, then location data may be used to help you find services in your area.

Accessing services for someone else

You are responsible for any personal data that you access on behalf of someone else. You may be able to do this by using a linked profile.

You must keep this data safe and secure. To the extent possible bearing in mind their age, condition and capacity, you must:

  • make the person aware of your access and any steps you take on their behalf
  • seek their consent
  • make the person aware of this privacy policy and other applicable terms and conditions

Viewing your health record documents

Once you have downloaded a file from your health record, or from the record of someone else, it is your own responsibility to keep the file secure. If you use a shared computer or mobile device, make sure you delete any downloaded files when you are finished.

Turning on notifications

You can choose to turn on push notifications from the NHS App to alert you to new messages in the NHS App Messaging Service. This feature is not available when you use the NHS website to log in.

You can opt out of push notifications at any time. Opting out may limit the types of messages you can receive. Messages about your health and care may continue to be sent by other means, such as by post.

If you use the NHS App across more than one device, push notifications must be enabled on each one. If you share the device you use to log in to the NHS App with other people, they may see your notifications. Notifications can only be sent to one user on the same device.

User research and giving feedback

When you register to use the NHS App, we’ll ask if you would like to join our user research panel. User research helps us to make sure that the NHS App and connecting services are meeting people’s needs.

If you choose to take part, we will email you a short survey to fill in about you and your health. Your answers will help make sure we invite you to user research that is relevant to you. We will also ask you if you want to receive our user research newsletter.

When you have signed up, we may ask you to:

  • try new features
  • answer more questions by email
  • talk to our researchers about your experience of using the NHS App or connecting services

You can always say no to an invite, and you can leave the user research panel at any time.

User research panel activities

Your personal data will only be captured if you choose to provide it as part of participating in user research relating to the NHS App or connecting services. The Department of Health and Social Care and NHS England are controllers for this data.

We’ll collect your name and email address to maintain a mailing list for the user research newsletter, where you have consented to receive it. We will ask general questions about your health and background to ensure we are inclusive in our research, which counts as special category data. The amount of time we keep this data varies depending on the research you are taking part in. We will tell you before asking your consent.

Giving feedback outside our user research panel

You can provide feedback through the NHS App without being part of our user research panel. This feedback goes to the NHS App service desk team. You may also choose to take part in user research activities even if you are not part of our panel, for example in response to a social media post.

The Department of Health and Social Care and NHS England are controllers for this data. A contracted research tools provider is appointed as a processor.

Your rights

You have a right to:

  • know how and why your data will be collected, processed and stored
  • request a copy of your personal data
  • correct errors or omissions in your personal data
  • to ask us to restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected)

For user research activities and your membership of voluntary mailing lists, you also have the right to:

  • withdraw your consent
  • ask us to delete your personal data
  • get a copy of your data in a structured, commonly used and machine-readable format

You can exercise your rights by contacting the relevant controller. For contact details, see the next section of this policy below.

You can also manage NHS App performance data ("analytic cookies"). See the NHS App cookies policy for details on how to do this.

Asking a question or finding out more

If you have a general question about using the NHS App, you can check our help pages or contact our service desk.

By opening the panel below, you can find out who to contact or where to find more information if you have a question about particular data.

Find out who to contact or where to look if you have a question

Your GP health record and healthcare

You can contact your GP surgery for more information about your GP health record data, and data about your care.

Online consultations

You can contact your GP surgery or NHS England if applicable (see the NHS App online consultations privacy policy).

Hospital referrals and appointments

See our hospital referrals and appointments help page.

NHS 111

You can find out how NHS 111 works and read the NHS 111 online privacy policy.

Personal health record services

See the NHS App personal health records privacy policy.

Your data sharing preferences

See the National Data Opt-Out Service page.

Your COVID-19 vaccinations

For more information about your COVID-19 vaccination record, see the COVID-19 Vaccine Record Service page.

For more information about booking or managing a COVID-19 vaccination, see the National Booking Service privacy policy.

Making a complaint

If you have any objections or complaints relating to your data, we will investigate and attempt to resolve them. We will make every reasonable effort to allow you to exercise your rights as quickly as possible and within the timescales set out in data protection laws.

You can contact our Data Protection Office at NHS England to make a complaint. You can do this by emailing enquiries@nhsdigital.nhs.uk or by sending a letter to:

Privacy Transparency and Ethics team
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

We ask that you try to resolve any issues with us first. However, you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information. The ICO is the UK regulator for data protection and upholds information rights. Contact the ICO.

Our legal basis

By opening the panels below, you can learn more about the legal directions that apply to us, and other important legal information.

Legal directions

The Secretary of State has issued directions to NHS England to deliver the NHS App including some additional features and services to users. The legal direction is titled the NHS App Directions (2023), dated 2 March 2023. NHS England and the Secretary of State are joint controllers for the data we need to provide and manage your NHS App. We only store and process your personal data within the UK and European Economic Area (EEA).

The service to Isle of Man users is provided under a request from the Isle of Man Government using their legal powers, as set out in the National Health Service Act 2001 (an Act of Tynwald) (NHSA 2001). Isle of Man health care provision is provided through Manx Care, a statutory board of the Isle of Man Government established by order pursuant to section 12 of the Manx Care Act 2021 (an Act of Tynwald). NHS England can undertake to provide the NHS App service under S255 of the Health and Social Care Act 2012.

The UK General Data Protection Regulation (GDPR)

The UK General Data Protection Regulation (UK GDPR) sets out the requirements on organisations who collect and process personal data from people in the UK. Where NHS England processes personal data, we need to comply with UK GDPR.

Having a legal direction or request in place puts NHS England under a legal obligation to comply with this requirement and so meets Article 6(1)(c) of UK GDPR. To deliver certain parts of the NHS App, such as when we are using your cookies, we also need your consent so meeting Article 6(1)(a) of UK GDPR.

Your health data has extra legal protection and NHS England must also comply with UK GDPR Article 9. To process your health data, we rely on:

  • UK GDPR Article 9(2)(g) which applies where there are “reasons of substantial public interest”. The Department of Health and Social Care has decided that it is in public interest for NHS England to provide the NHS App to the public.
  • UK GDPR Article 9(2)(h) which applies as your NHS App supports the provision of health and social care to you.
  • UK GDPR Article 9(2)(i) which applies as there is public interest in the area of public health. Processing this data allows us to provide services such as vaccination booking.
Our legal basis for processing data

This section gives more information about NHS England’s legal basis for processing data that we are the controller for. Our legal basis for processing:

  • audit data is to comply with our legal directions.
  • performance data is the consent you give by accepting our cookies policy
  • email list membership details is the consent you give when you choose to join a mailing list.
  • your contact with our service desk team is the consent you give by accepting this privacy policy, and your agreement if you complete a survey
  • NHS App Messaging Service data is to comply with our legal directions
  • user research activities is the consent you give by accepting this privacy policy and agreeing to take part in research, join the user research panel, or receive the user research newsletter

Changes to this policy

The terms of our privacy policy may change from time to time. We will inform you via the NHS App and request your continued agreement if we make any significant changes to our privacy policy, cookies policy or terms of use.

Page last reviewed: 15 October 2024
Next review due: 15 March 2027