Privacy and cookies

This Privacy Notice tells you what to expect when NHS Digital collects personal information.

Personal information

By providing us with your details, you are giving your consent that your personal information may be processed for the purposes necessary to conduct and improve our services. When collecting your personal information we will explain what we intend to do with it.


Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to control them, visit

Our use of cookies

We use session cookies to authenticate a user login, to allow access to authorised functions within the site and to enhance navigation of the site during the user’s session.

Please note that we do not use cookies for advertising purposes.

Specific details are provided below

Cookie Name Purpose
Session Control ASP.NET_SessionId A random unique set of characters that identifies the user's individual session on the site (holds no personal information). This cookie expires when you close your browser session.
Application cookie AspNet.ApplicationCookie An ENCRYPTED cookie used for authentication. This temporarily holds information relating to the user, such as their name, role, organisation, when they last accessed the site and the organisation codes to which they have access. The cookie expires when logging out of the site or after 40 minutes of inactivity.
Security token _RequestVerificationToken Security cookie used in the prevention of cross-site request forgery attacks (holds no personal information). This cookie expires when you close your browser session.
Notification cookie cookie_banner Prevents the cookie banner from showing if it has already been displayed (holds no personal information). This cookie expires after 30 days.

Data Protection

In order to meet our public task as the national source of health and social care information, NHS Digital collects and processes a range of information relating to individuals in their capacity as service users or patients. This includes information on:

In addition to the above, NHS Digital collects and processes information relating to its customers and stakeholders for business purposes. All personal information is handled with the utmost care and attention - whether on paper, electronically, or other means - and safeguards are in place to ensure the Data Protection Act 1998 is adhered to. You can read more about our Data Impact assessment.

NHS Digital regards the fair and lawful processing of personal information as essential in order to successfully achieve its objectives and ensure the support and confidence of the general public and stakeholders.

Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner's Office (ICO), unless they are exempt. Failure to notify is a criminal offence.

As a data controller NHS Digital provides the ICO with details about their processing of personal information. The ICO publishes certain details in the register of data controllers, including the name and address of data controllers and a description of the kind of processing they do. You can read this register on the ICO website (external).

The Principles of The Data Protection Act 1998, as set out below are fully endorsed by NHS Digital. The eight principles require that personal information:

  1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose of those purposes.
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  4. Shall be accurate and, where necessary, kept up to date
  5. Shall not be kept for longer that is necessary for the specified purpose(s)
  6. Shall be processed in accordance with the rights of data subjects under the Act
  7. Should be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, or the accidental loss, destruction, or damage to personal data
  8. Shall not be transferred to a country or territory outside the European economic area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Access to your personal information

You are entitled to obtain a copy of the personal information held about you by NHS Digital. Any request to access or obtain a copy of this information will be considered under Section 7 of the Data Protection Act.

To make a request for personal information, email

or write to:

Information Governance Compliance Team
NHS Digital
1 Trevelyan Square
Boar Lane

Information security

There are robust security measures in place for all personal information held by NHS Digital to protect against the loss or alteration of information under the organisation's control. If you have any questions about our privacy notice or the information we hold please contact us at the above address.

Other websites

Our privacy notice only relates to information that we obtain from you. If you visit a website operated by a third party through a link included on this website your information may be used differently by the operator of the linked website. When you are moving to another site you are advised to read the privacy notice relating to that website.