Skip to main content

NHS App privacy policy

Version 6.3, 17 July 2023

Information:

This minor update includes some new legal information about the NHS Wayfinder service. This service allows you to view and manage hospital referrals and appointments.

About this privacy policy

This privacy policy explains how NHS England and other organisations may use your data when you use the NHS App.

You can download the NHS App on an iOS or Android device. You can also access the same services by logging in through the NHS website in a web browser. This policy applies to using either of those channels.

As well as this policy, you should also read the NHS App terms of use and cookies policy.

Terms we use in this policy

You may find it helps to understand these terms when reading this policy.

  • Data is “processed” when any action is taken with it. For example, when it is collected or reviewed.
  • A “controller” is an organisation or person that decides what data is processed. They also decide how and why this needs to be done. They are legally responsible for that data.
  • A controller may appoint a “processor”. This is another organisation or person that processes data under the instruction of the controller.
  • “Special category data” is personal information that has more legal protection, including data about your health.

You can find out more about these terms on the Information Commissioner’s Office website.

Why we use your personal data

We mainly use your data so that the NHS App works correctly. It means we can give you access to services and information about your health and care.

We may also use your personal data to:

  • improve the NHS App
  • resolve technical faults
  • maintain and improve security
  • comply with the law
  • protect users against potential fraud
  • act if you provide information suggesting you or others may be at risk of harm

The points above are a short summary of our reasons for capturing and using personal data. You can find more details in the sections below.

Data we process about your use of the NHS App

This section tells you more about data we process to make sure the NHS App works correctly. This includes personal information such as your name and your age. NHS England and The Department of Health and Social Care are controllers for the data described in this section.

How you use the NHS App

This is technical data about your activities when you are logged in. It's also called audit data. It may include the time when you use the NHS App, what actions you take and related technical details. This information is captured against your NHS number. We may keep this data for up to 8 years.

How well things are working

This is also called performance data. We’ve appointed an approved analytics service provider to help us process this data. We may keep this data for up to 1 year.

Your contact with our service desk team

This means information captured when you contact the NHS App service desk for support, or when you provide feedback or complete a survey. If you raise a technical issue with the service desk team, we may link this to an Organisation Data Service (ODS) code. ODS codes are unique codes that are associated with particular health and care services, such as GP surgeries. When we capture an ODS code, it is stored in an issue management system alongside other details about the issue. We may keep data about your contact with our service desk for up to 1 year.

Being part of email lists

When you register to use the NHS App, you will be added to an email mailing list for necessary service updates. You may also voluntarily choose to join other mailing lists, for example for user research. We’ve appointed an approved emailing and list management service provider as a processor for this data. How long we keep this data varies depending on which mailing lists you join.

Messages you send and receive

We process data about messages that you send or receive through the NHS App Messaging Service. For more information you can read the NHS App privacy policy for messaging services. Messages and replies are stored in your account for as long as your NHS login exists.

Data we collect about you

In the tables below, you can find out more about data we may collect about you when you use the NHS App.

Personal data we collect about you
Data category Why do we need it?
Data category

Name

 Why do we need it?

This is patient contact information that is part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable consultations and file downloads
Data category

Registered GP Organisation Data Service (ODS) code

 Why do we need it?

ODS codes are used by the NHS App to produce management and statistical information. This happens at a level which does not disclose personal information or directly identify you.
Data category

Organisation Data Service (ODS) codes of sending services

 Why do we need it?

The ODS code of the sending service is used by the NHS App Messaging Service to uniquely identify the sending service. It is also used to look up information related to that service such as the service’s name.
Data category

Email address

 Why do we need it?

This is patient contact information that part of your health record. It is used to:

  • help the service desk resolve any user issues
  • enable consultations and file downloads
Data category

Date of birth

 Why do we need it?

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.
Data category

Age

 Why do we need it?

This is patient contact information that part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable consultations and file downloads
Data category

Sex

 Why do we need it?

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.
Data category

Gender

 Why do we need it?

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.
Data category

Physical description

 Why do we need it?

This is patient contact information that part of your health record. It is used to enable consultations and file downloads.
Data category

NHS number

 Why do we need it?

Your NHS number is part of your health record. It is used as part of audit tracking and within analytics. It is also needed to enable consultations and file downloads.
Data category

Home phone number

 Why do we need it?

This is patient contact information that is part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable consultations and file downloads
Data category

Online identifier (for example your IP address, event logs, or NHS login identifier)

 Why do we need it?

This is used to log events, trace faults and provide security protective monitoring log data.
Data category

Website cookies

 Why do we need it?

This is used for session and performance management.
Data category

Mobile phone number

 Why do we need it?

This is patient contact information that part of your health record. It is used to:

  • help our service desk resolve any user issues
  • enable notification and messaging campaigns
Special category data we collect about you
Data category Why do we need it?
Data category

Medical record information

 Why do we need it?

The transmission of medical information (including GP letters, test results and record extracts) between GPs and patients is needed to enable consultations and file downloads. This is extended to file uploads, where you may wish to upload an image to support a consultation.

It is also used for hospital appointment, booking and referral letters and other documents.
Data category

Messages from health and care providers

 Why do we need it?

Messages processed as part of NHS App Messaging and NHS App Notification services will remain stored within the NHS App.
How NHS England may process the data above for analysis

NHS England will process identifiable data from NHS App services:

  • to ensure the NHS App works correctly
  • to resolve technical faults
  • so that the service can be improved
  • for user research where you have agreed to
  • to maintain and improve security
  • processing data for the purpose of linkage and dissemination to produce anonymised data.

NHS England will also process anonymised data from the NHS App services:

  • to provide high level statistical information
  • to assess service usage and equality impact

Connecting services provided by NHS England

The NHS App acts as a platform that allows you to access a range of connecting services. These services are separate from the NHS App. The organisations that control and process your data will depend on which services you access.

NHS England has a role in providing some services that connect with the NHS App. You can open the panel below to find privacy policies for these services.

Find out more about connecting services provided by NHS England

Your data sharing preferences

You can choose your data sharing preferences using the NHS App. To find out more about your data sharing preferences you can read the National Data Opt-Out Service privacy notice.

NHS website

You may visit the NHS website while using the NHS App. To find out more about the NHS website and data you can read the NHS website privacy policy.

NHS 111

You may input information into NHS 111 Online. Read the NHS 111 Online privacy policy.

COVID-19 vaccination details

You may access your COVID-19 vaccination record. Read the Check your COVID-19 Vaccination Record Service privacy policy.

You may also book a COVID-19 vaccination. Read the National Booking Service privacy policy.

Hospital referrals and appointments

You choose to provide hospital referral information as part of the Manage Your Referral service. Read the Manage Your Referral privacy policy.

You may be able to view and manage details of your hospital referrals, appointments and bookings, including department. You can find out more in the NHS Wayfinder services privacy policy and the NHS Wayfinder Services Directions 2023.

GP registration

You may register with a GP surgery using the NHS App or website. Read the NHS GP Registration privacy policy.

Other connecting services

Some of the services you can connect with using the NHS App are not provided by NHS England. You can open the panel below to find privacy policies for these services.

Find out more about other connecting services

Your GP health record

Your can access your GP health record using the NHS App. Contact your GP surgery for copies of their privacy policies.

Your organ donation preferences

You can choose your organ donation preferences. Read the NHS Blood and Transplant privacy policy.

GP appointments and prescriptions

You may be able to book and manage appointments. Contact your GP surgery for copies of their privacy policies.

You can also order repeat prescriptions and choose a nominated pharmacy. Contact your GP surgery and pharmacy for copies of their privacy policies.

Personal health record services

For personal health record services that may be provided by your GP, hospital or other care provided, read the NHS App privacy policy for personal health record services.

Online consultations

For online consultation services that may be provided by your GP, hospital or other care provider, read the NHS App privacy policy for online consultations.

GP surgeries and NHS England

Some of your personal data which the NHS App processes is made available to you by GP surgeries. When the data is at the GP surgery, the GP is the controller. Your data may be sent from the GP to the NHS App. To the extent that NHS England facilitates the transmission of this data, it acts as a controller independent of the GP surgeries, as part its joint controller arrangements with the Secretary of State arising from the NHS App Directions (2023) dated 2 March 2023 ("the 2023 Directions"). This is to enable the services requiring transmission of personal data from GP surgeries on the NHS App. NHS England and the Secretary of State as joint controllers are determining the means by which such transmission of personal data is transmitted in NHS App but in all other respects the GP surgery is the controller of such personal data.

Privacy guidance about using the NHS App

Logging in

You gain access to the NHS App using your NHS login. This is a set of login details you can use to access a range of health and care websites and apps. You can find out more in the NHS login privacy policy.

Some phones and tablets give you the option to log in to your NHS App using fingerprint, face and iris recognition. This is also called biometric login. On iPhones and iPads this is called Face ID or Touch ID.

Biometric login is voluntary. It does not stop you using another method to access the NHS App. It is based on technology in your device. We do not have access to or control over the biometric data stored on your device. The NHS App performs biometric authentication against NHS login in accordance with the Fast Identity Online (FIDO) standard.

Camera and location information

The NHS App may ask for access to the camera on your device if you choose to use face or iris recognition. You may also be asked for access to your device’s camera as part of the NHS login identity verification process.

Some connecting NHS services may also ask for access to your device location. If you allow access to your device’s location, then location data may be used to help you find services in your area.

Accessing services for someone else

You are responsible for any personal data that you access on behalf of someone else. You may be able to do this by using a linked profile.

You must keep this data safe and secure. To the extent possible bearing in mind their age, condition and capacity, you must:

  • make the person aware of your access and any steps you take on their behalf
  • seek their consent
  • make the person aware of this privacy policy and other applicable terms and conditions

Viewing your health record documents

Once you have downloaded a file from your health record, or from the record of someone else, it is your own responsibility to keep the file secure. If you use a shared computer or mobile device, make sure you delete any downloaded files when you are finished.

Turning on notifications

You can choose to turn on push notifications from the NHS App to alert you to new messages in the NHS App Messaging Service. This feature is not available when you use the NHS website to log in.

You can opt out of push notifications at any time. Opting out may limit the types of messages you can receive. Messages about your health and care may continue to be sent by other means, such as by post.

If you use the NHS App across more than one device, push notifications must be enabled on each one. If you share the device you use to log in to the NHS App with other people, they may see your notifications. Notifications can only be sent to one user on the same device.

User research and giving feedback

When you register to use the NHS App, we’ll ask if you would like to join our user research panel. User research helps us to make sure that the NHS App and connecting services are meeting people’s needs.

If you choose to take part, we will email you a short survey to fill in about you and your health. Your answers will help make sure we invite you to user research that is relevant to you. We will also ask you if you want to receive our user research newsletter.

When you have signed up, we may ask you to:

  • try new features
  • answer more questions by email
  • talk to our researchers about your experience of using the NHS App or connecting services

You can always say no to an invite, and you can leave the user research panel at any time.

User research panel activities

Your personal data will only be captured if you choose to provide it as part of participating in user research relating to the NHS App or connecting services. The Department of Health and Social Care and NHS England are controllers for this data.

We’ll collect your name and email address to maintain a mailing list for the user research newsletter, where you have consented to receive it. We will ask general questions about your health and background to ensure we are inclusive in our research, which counts as special category data. The amount of time we keep this data varies depending on the research you are taking part in. We will tell you before asking your consent.

Giving feedback outside our user research panel

You can provide feedback through the NHS App without being part of our user research panel. This feedback goes to the NHS App service desk team. You may also choose to take part in user research activities even if you are not part of our panel, for example in response to a social media post.

The Department of Health and Social Care and NHS England are controllers for this data. A contracted research tools provider is appointed as a processor.

Your rights

You have a right to:

  • know how and why your data will be collected, processed and stored
  • request a copy of your personal data
  • correct errors or omissions in your personal data
  • to ask us to restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected)

For user research activities and your membership of voluntary mailing lists, you also have the right to:

  • withdraw your consent
  • ask us to delete your personal data
  • get a copy of your data in a structured, commonly used and machine-readable format

You can exercise your rights by contacting the relevant controller. For contact details, see the next section of this policy below.

You can also manage NHS App performance data ("analytic cookies"). See the NHS App cookies policy for details on how to do this.

Asking a question or finding out more

If you have a general question about using the NHS App, you can check our help pages or contact our service desk.

By opening the panel below, you can find out who to contact or where to find more information if you have a question about particular data.

Find out who to contact or where to look if you have a question

Your GP health record and healthcare

You can contact your GP surgery for more information about your GP health record data, and data about your care.

Online consultations

You can contact your GP surgery or NHS England if applicable (see the NHS App online consultations privacy policy).

Hospital referrals and appointments

See our hospital referrals and appointments help page.

NHS 111

You can find out how NHS 111 works and read the NHS 111 online privacy policy.

Personal health record services

See the NHS App personal health records privacy policy.

Your data sharing preferences

See the National Data Opt-Out Service page.

Your COVID-19 vaccinations

For more information about your COVID-19 vaccination record, see the COVID-19 Vaccine Record Service page.

For more information about booking or managing a COVID-19 vaccination, see the National Booking Service privacy policy.

NHS COVID Pass

See the NHS COVID Pass Service page.

Making a complaint

If you have any objections or complaints relating to your data, we will investigate and attempt to resolve them. We will make every reasonable effort to allow you to exercise your rights as quickly as possible and within the timescales set out in data protection laws.

You can contact our Data Protection Office at NHS England to make a complaint. You can do this by emailing enquiries@nhsdigital.nhs.uk or by sending a letter to:

Privacy Transparency and Ethics team
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

We ask that you try to resolve any issues with us first. However, you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information. The ICO is the UK regulator for data protection and upholds information rights. Contact the ICO.

Our legal basis

By opening the panels below, you can learn more about the legal directions that apply to us, and other important legal information.

Legal directions

The Secretary of State has issued directions to NHS England to deliver the NHS App including some additional features and services to users. The legal direction is titled the NHS App Directions (2023), dated 2 March 2023. NHS England and the Secretary of State are joint controllers for the data we need to provide and manage your NHS App. We only store and process your personal data within the UK and European Economic Area (EEA).

Following the abolition of NHS Digital and the transfer of its functions to NHS England, the directions to NHS Digital by the Secretary of State which provided the legal basis for NHS Digital to process personal data in relation to users of the NHS COVID Pass service in the NHS App, are now treated as directions from the Secretary of State to NHS England. The legal directions are titled the COVID-19 Public Health Directions 2020 dated 17 March 2020 and now provide the legal basis for NHS England to carry out this processing for the NHS COVID Pass service in the NHS App.

The service to Isle of Man users is provided under a request from the Isle of Man Government using their legal powers, as set out in the National Health Service Act 2001 (an Act of Tynwald) (NHSA 2001). Isle of Man health care provision is provided through Manx Care, a statutory board of the Isle of Man Government established by order pursuant to section 12 of the Manx Care Act 2021 (an Act of Tynwald). NHS England can undertake to provide the NHS App service under S255 of the Health and Social Care Act 2012.

The UK General Data Protection Regulation (GDPR)

The UK General Data Protection Regulation (UK GDPR) sets out the requirements on organisations who collect and process personal data from people in the UK. Where NHS England processes personal data, we need to comply with UK GDPR.

Having a legal direction or request in place puts NHS England under a legal obligation to comply with this requirement and so meets Article 6(1)(c) of UK GDPR. To deliver certain parts of the NHS App, such as when we are using your cookies, we also need your consent so meeting Article 6(1)(a) of UK GDPR.

Your health data has extra legal protection and NHS England must also comply with UK GDPR Article 9. To process your health data, we rely on:

  • UK GDPR Article 9(2)(g) which applies where there are “reasons of substantial public interest”. The Department of Health and Social Care has decided that it is in public interest for NHS England to provide the NHS App to the public.
  • UK GDPR Article 9(2)(h) which applies as your NHS App supports the provision of health and social care to you.
  • UK GDPR Article 9(2)(i) which applies as there is public interest in the area of public health. Processing this data allows us to provide services such as NHS COVID Pass and vaccination booking.
Our legal basis for processing data

This section gives more information about NHS England’s legal basis for processing data that we are the controller for. Our legal basis for processing:

  • audit data is to comply with our legal directions.
  • performance data is the consent you give by accepting our cookies policy
  • email list membership details is the consent you give when you choose to join a mailing list.
  • your contact with our service desk team is the consent you give by accepting this privacy policy, and your agreement if you complete a survey
  • NHS App Messaging Service data is to comply with our legal directions
  • user research activities is the consent you give by accepting this privacy policy and agreeing to take part in research, join the user research panel, or receive the user research newsletter

Changes to this policy

The terms of our privacy policy may change from time to time. We will inform you via the NHS App and request your continued agreement if we make any significant changes to our privacy policy, cookies policy or terms of use.

Previous versions
  • Version 6.2, 17 April 2023. This minor update gives more information about times when the NHS App may ask for access to your camera and location information.
  • Version 6.1, 13 April 2023. This minor update covers new information about GP registration.
  • Version 6, 30 December 2022. This privacy policy has been updated to reflect an organisational change in the NHS. We have also rewritten the policy to make it easier to understand, including changes to how we refer to NHS App and your account.
  • Version 5.6, 14 December 2022, This is a minor update to cover that NHS account uses Qualtrics to get NHS account performance information.
  • Version 5.5, 30 November 2022, This minor update covers the addition of Book or manage a coronavirus (COVID-19) vaccination in the NHS account.
  • Version 5.4, 28 November 2022 - This minor update covers a change in how we refer to messages in your NHS account from 'Health service messages' to 'NHS App Messaging Service.'
  • Version 5.3, 16 November 2022 - This minor update covers the new functionality that enables some users to send replies to some messages in the NHS account.
  • Version 5.2, 20 September 2022 - This minor update covers the addition of Enhanced Appointment Viewing in the NHS account.
  • Version 5.1, 7 July 2022 - This minor update clarifies distinctions between the types of messaging available in the NHS account.
  • Version 5.0, 25 May 2022 - This update covered changes to NHS Digital's status as a data processor (in section 3.2), personal data for which NHS Digital is neither the controller or processor (in section 6.3), how we may use your personal data if you provide any information to us, and we are able to identify you, that suggests a serious risk of harm to yourself or someone else (in section 6)
  • Version 4.9, 12 May 2022 - This minor update reflects the fact that, in line with government policy, the domestic NHS COVID Pass is no longer available.
  • Version 4.8, 13 April 2022 - This minor update provides information on how Organisational Data Service (ODS) codes are used in the NHS account.
  • Version 4.7, 5 April 2022 - This minor update covers a change to the way we talk about access to certain NHS services through our national digital channels. We now call this service your NHS account, which you can log in to using the NHS App or the NHS website. The data we collect and the services we offer are not altered by this change.
  • Version 4.6, 29 March 2022 - This minor update includes information on how the NHS App uses data from your device’s camera, location and file storage.
  • Version 4.5, 18 March 2021 - This minor update covers some changes to the way notifications work for multiple users on the same device.
  • Version 4.4, 21 February 2022 - This minor update provides more information on how we use your data when you take part in user research to improve our service.
  • Version 4.3, 2 February 2022 - This minor update adds clarification on how, and why, we may use your data.
  • Version 4.2, 9 December 2021 - This minor update covers a change to the NHS COVID Pass service, which is now also accepted at places in Wales using this service.
  • Version 4.1, 17 November 2021 - This minor update covers:
    • a change of use of NHS App messaging to cover connected healthcare providers who may send messages about your care using the NHS App
    • when we may use notifications to tell you about messages sent using the NHS App
    • legal basis for users in the Isle of Man
    • more information on ID verification for NHS login
  • Version 4.0, 19 July 2021 - This minor update covers a change of use of the NHS COVID Pass service to include places in England that have chosen to use this service.
  • Version 3.9, 21 June 2021 - This minor update covers the updated service name for the NHS COVID Pass service, previously known as Share your COVID-19 status. It also covers the addition of the NHS COVID Pass service for use at event trials in England, for those who do not have high level identity verification access to the NHS App.
  • Version 3.8, 17 May 2021 - minor update covers the addition of the Share your COVID-19 status service provided by the Department of Health and Social Care.
  • Version 3.7, 14 May 2021 - minor update covers the addition of the Check your COVID-19 vaccine record service, provided by NHS Digital.
  • Version 3.6, 11 May 2021 - minor update covers the user research panel, surveys and newsletters.
  • Version 3.5, 4 November 2020 - This minor update covers NHS App messaging, which enables us to send public health announcements.
  • Version 3.4, 26 October 2020 - This minor update covers the integration of the ‘Manage Your Referral’ Connected Service for managing hospital referrals.
  • Version 3.3, 6 October 2020 - This minor update covers registering for the user research panel to help us improve the NHS App and connected services.
  • Version 3.2, 28 May 2020 - This minor update reflects notification services being made available in the NHS App.
  • Version 3.1, 12 May 2020 - This minor update reflects messaging services being made available in the NHS App.
  • Version 3.0, 30 March 2020 - This minor update reflects personal health record services being made available in the NHS App.
  • Version 2.9, 3 March 2020 - This minor update covers nominating a pharmacy and patient to practice messaging.
  • Version 2.8, 17 February 2020 - This minor update covers proxy access and viewing documents in GP medical records.
  • Version 2.7, 10 January 2020 - This minor update reflects the release of proxy access and viewing documents in GP medical records.
  • Version 2.6, 28 November 2019 - This minor update covers the use of a service to manage user research panel membership and surveys.
  • Version 2.5, 14 November 2019 - This minor update reflects the release of new features for online consultations, changing your nominated pharmacy and accessing the NHS App through a web browser.
  • Version 2.4, 29 May 2019 - This minor update clarifies that "NHS App audit data" also includes associated technical log events.
  • Version 2.3, 30 April 2019 - This minor update clarifies that we may securely share NHS App service desk information, which can include personal data, with other NHS organisations who provide "Connected Services" to diagnose and resolve technical problems.
  • Version 2.2, 20 February 2019 - This minor update covers the introduction of a new passwordless authentication feature in the section entitled "Personal data". It also covers bringing data retention periods in line with NHS Digital policies in the section entitled "Personal data for which NHS Digital is the controller within the scope of the NHS App".
  • Version 2.1, 19 December 2018 - This minor update adds a clarification regarding data processing locations.
  • Version 2, 18 December 2018 - Significant update for the app's public release in the Apple and Google Play stores.
  • Version 1, 26 September 2018 - Original version for the app's private beta release.

If you would like to view any of the previous versions of the NHS App privacy policy, contact the NHS App team.

Page last reviewed: 17 July 2023
Next review due: 17 January 2025