Privacy and cookies

This privacy and cookies policy tells you what to expect when NHS England collects personal information to deliver the website and service.

Website privacy

Information on this page explains our website privacy policy and how we’ll use and protect any information about you that you give us when you visit this website.

This privacy statement only covers the Data Security and Protection Toolkit (DSPT) website. It does not cover all sites that can be linked to from this site, so you should always be aware when you are moving to another site and read the privacy statement on that site.

Personal information

We’ll ask you to consent to our use of cookies when you first visit our website, if those cookies are not strictly necessary for the provision of our website and services.

By providing us with your details, you’re giving your consent that your personal information may be processed for the purposes necessary to conduct and improve our services. When collecting your personal information, we’ll explain what we intend to do with it.

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They’re widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Most web browsers allow some control of cookies through the browser settings. Find out more about cookies, including how to control them.

Our use of cookies

We use session cookies to authenticate a user login, to allow access to authorised functions within the site and to enhance navigation of the site during the user’s session.

We do not use cookies for advertising purposes.

Specific details are provided below:

Cookie: Session Control
Name: DSPT_Session
Purpose: A random unique set of characters that identifies the user's individual session on the site (holds no personal information). This cookie expires when you close your browser session.

Cookie: Application cookie
Name: DSPT_Identity
Purpose: An ENCRYPTED cookie used for authentication. This temporarily holds information relating to the user, such as their name, role, organisation, when they last accessed the site and the organisation codes to which they have access. The cookie expires when logging out of the site or after 30 minutes of inactivity.

Cookie: Security token
Name: DSPT_Antiforgery
Purpose: Security cookie used in the prevention of cross-site request forgery attacks (holds no personal information). This cookie expires when you close your browser session.

Cookie: Application cookie
Name: DSPT_Organisation
Purpose: Cookie used to store the code of the organisation when selected. This is used to keep multiple browser tabs in sync. This cookie expires when you close your browser session.

Cookie: Notification cookie
Name: DSPT_CookieBanner
Purpose: Prevents the cookie banner from showing if it has already been displayed (holds no personal information). This cookie expires after 30 days.

Cookie: Session Management
Name: DSPT_TimeOutFlag
Purpose: Used to ensure users are not incorrectly logged off the system when using multiple browser tabs.

Our privacy policy

Your privacy is important to us. This privacy policy covers what we collect and how we use, disclose, transfer and store your information.

Information we collect when you use the DSPT website

When you use the NHS DSPT website, we use various technologies to collect information automatically, such as your IP address. This is commonplace across all internet services to enable the investigation of issues such as service availability and the identification of malicious use. This information is then kept in our internet access logs.

We also collect some personal information of registered users: names, email addresses and telephone numbers.

How we use the information we collect about you

We use the information to see what’s most effective about our website and associated services to help us identify ways to improve it and to make it more effective. We also use information to support queries raised and to tailor service management messages appropriately, or where you record the name of someone in one of your responses in the DSPT assessment, or a data breach incident report.

How long we hold this information

Unless otherwise stated, business information that falls under NHS England is held for a minimum of 12 years and will be subject to review. We’ll hold the information for as long as we’re providing you services.

You can obtain a copy of our Corporate Records Retention and Disposal Schedule and Primary Care Services Retention Schedule from our Privacy Notice website, or by contacting our Customer Contact Centre. We also comply with the Records Management Code of Practice for Health and Social Care published by the Information Governance Alliance.

Sharing information

We strive to capture a minimal amount of personal data and only share it with other organisations where the law permits us to do so.

We only share information with our authorised Data Processors for the sole purpose of processing the data in connection with the service we have procured from them. These processors must, at all times, act on our instructions as the Data Controller under the Data Protection legislation.

Other websites

Our privacy notice only relates to information that we obtain from you.

If you visit a website operated by a third party through a link included on this website, your information may be used differently by the operator of the linked website.

When you’re moving to another site, you’re advised to read the privacy notice relating to that website.

Data flows from the DSPT

Diagram: Primary data flows used in DPIA

If you report a data breach incident on the DSPT, details from the incident and the details of the person who reported it may be shared with the Information Commissioner's Office, NHS England, National Cyber Security Centre (NCSC) and the Department of Health and Social Care (DHSC).

If you complete the DSPT assessment, details from the assessment of the persons referenced may be shared with NHS England, NCSC and DHSC and their support partners.

Summary details of the status of NHS England, NCSC and DHSC (standards exceeded, standards met, approaching standards or standards not met) will be shared with the public and the Care Quality Commission.

Your rights

The General Data Protection Regulation (GDPR) includes a number of rights and we must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.

A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to you, or somebody else's physical or mental health.

Right to rectification

You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we’ve shared this personal data with third parties, we’ll notify them about the rectification unless this is impossible or involves disproportionate effort.

Where appropriate, we’ll also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we’ll explain our reasons for this decision.

You can either do this by correcting the information held directly through the DSPT or by contacting NHS England.

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances.

This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual or reasons of important public interest.

The circumstances in which you are entitled to request that we restrict the processing of your personal data are:

  • Where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified.
  • Where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data.
  • Where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it.
  • Where we have no further need to process your personal data, but you require the data to establish, exercise or defend legal claims.

If we’ve shared your personal data with third parties, we’ll notify them about the restricted processing unless this is impossible or involves disproportionate effort. We’ll notify you before lifting any restriction on processing your personal data.

Requests regarding your rights may be made via the DSPT or by making contact in writing, by email, or by speaking to us – see NHS England as a Data Controller.

Purpose and legal basis for processing

For Data Security and Protection Toolkit self-assessment

Legal basis for collection and analysis:

A Data Security and Protection Toolkit Collections Service Direction given by the Secretary of State for Health requiring NHS England to establish and operate a system to be known as the data security and protection toolkit data collections service.

Direction (s.254 (1), (2)(a), (5) and (6), and 260(2)(d) of Health & Social Care Act 2012).

Mandatory Request (s. 255 of Health & Social Care Act 2012). For the small amount of personal data processed, the legal basis is Article 6 of the GDPR for the processing of personal data (Article 6 (1c) – Legal obligation). This will be shared with DHSC and NHS England.

Legal basis for disclosure:

In accordance with section 260(2)(d) of the Act, NHS England is directed not to publish the data obtained by complying with the section 254 Direction except for a summary level of each organisation’s completed data security and protection toolkit which will be made available online to the public.

For incident reporting

Legal basis for collection and analysis:

A Data security and protection incident reporting tool Direction given by the Secretary of State to NHS England under sections 254(1) (6), 260 (1) and 2(d) of the Health and Social Care Act 2012 and 304 (9) (10) and (12) of the Health and Social Care Act 2012.

For the small amount of personal data processed, the legal basis is Article 6 of the GDPR for the processing of personal data (Article 6 (1c) – Legal obligation). This will be shared with the ICO, NHS England and the DHSC.

Legal basis for disclosure:

In accordance with section 260(2)(d) of the Act, NHS England is directed not to publish the data obtained by complying with the section 254 Direction except for a summary level of each organisation’s completed data security and protection toolkit which will be made available online to the public.

Keeping information secure

We invest significant resources to protect your personal information from loss, misuse, unauthorised access, modification or disclosure. However, no internet-based site can be 100% secure and so we cannot be held responsible for unauthorised or unintended access that is beyond our control. You can read more about our Data Impact Assessment.

The Data Controller

NHS England is the Data Controller for the Data Security and Protection Toolkit website. You can find more information about NHS England as a data controller here. You can find out more about how NHS England processes personal data via its central privacy notice and Data Security and Protection Toolkit: GDPR information.

Contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Customer Contact Centre

Telephone: 0300 311 22 33
Email: england.contactus@nhs.net
General Post (including complaints, but not legal proceedings):
NHS England
PO Box 16738
Redditch
B97 9PT

Contact details of our Data Protection Officer

NHS England have appointed a Data Protection Officer (DPO). If you have any queries about this privacy notice or about how NHS England process personal data you may contact our DPO at the address below.

Jon Moore
NHS England
7 and 8 Wellington Place
Leeds, West Yorkshire
LS1 4AP
Email: england.dpo@nhs.net

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of NHS England’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113