Privacy and cookies

This Privacy Notice tells you what to expect when NHS Digital collects personal information.

Personal information

By providing us with your details, you are giving your consent that your personal information may be processed for the purposes necessary to conduct and improve our services. When collecting your personal information we will explain what we intend to do with it.

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to control them, visit https://ico.org.uk/for-the-public/online/cookies/.

Our use of cookies

We use session cookies to authenticate a user login, to allow access to authorised functions within the site and to enhance navigation of the site during the user’s session.

Please note that we do not use cookies for advertising purposes.

Specific details are provided below

Cookie: Session Control
Name: DSPT_Session
Purpose: A random unique set of characters that identifies the user's individual session on the site (holds no personal information). This cookie expires when you close your browser session.

Cookie: Application cookie
Name: DSPT_Identity
Purpose: An ENCRYPTED cookie used for authentication. This temporarily holds information relating to the user, such as their name, role, organisation, when they last accessed the site and the organisation codes to which they have access. The cookie expires when logging out of the site or after 30 minutes of inactivity.

Cookie: Security token
Name: DSPT_Antiforgery
Purpose: Security cookie used in the prevention of cross-site request forgery attacks (holds no personal information). This cookie expires when you close your browser session.

Cookie: Application cookie
Name: DSPT_Organisation
Purpose: Cookie used to store the code of the organisation when selected. This is used to keep multiple browser tabs in sync. This cookie expires when you close your browser session.

Cookie: Notification cookie
Name: DSPT_CookieBanner
Purpose: Prevents the cookie banner from showing if it has already been displayed (holds no personal information). This cookie expires after 30 days.

Cookie: Session Management
Name: DSPT_TimeOutFlag
Purpose: Used to ensure users are not incorrectly logged off the system when using multiple browser tabs.

Our privacy policy

Your privacy is important to us. This privacy policy covers what we collect and how we use, disclose, transfer and store your information.

What information do we collect when you use the Data Security and Protection Toolkit website?

When you use the NHS website, we use various technologies to collect information automatically—such as your IP address. This is commonplace across all internet services to enable the investigation of issues such as service availability and the identification of malicious use. This information is then kept in our internet access logs.

We also collect some personal information of registered users: names, email addresses and telephone numbers.

How do we use the information we collect about you?

We use the information to see what is most effective about our website and associated services to help us identify ways to improve it and to make it more effective. We also use information to support queries raised and tailor service management messages appropriately or where you record the name of someone in one of your responses in the Data Security and Protection Toolkit assessment or an incident report.

How long do we hold this information?

Unless otherwise stated, business information that falls under NHS Digital is held for a minimum of 12 years and will be subject to review. We will hold the information for as long as we are providing you services.

Do we share information?

We strive to capture a minimal amount of personal data and only share it with other organisations where the law permits us to do so.

We only share information with our authorised Data Processors for the sole purpose of processing the data in connection with the service we have procured from them. These processors must, at all times, act on our instructions as the Data Controller under the Data Protection legislation.

Data flows from the Data Security and Protection Toolkit

So, for example, if you report a data breach incident on the Data Security and Protection Toolkit, details from the incident and the details of the person who reported it may be shared with: the Information Commissioners Office, NHS England & Improvement, DHSC and NHSX.

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.

A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your, or somebody else's physical or mental health.

This is available through the Data Security and Protection Toolkit or by request from NHS Digital.

Information Governance Compliance Team
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds LS1 6AE

Or email enquiries@nhsdigital.nhs.uk

Right to rectification

You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort.

Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

You can either do this by correcting the information held directly through the Data Security and Protection Toolkit or by contacting NHS Digital.

Information Governance Compliance Team
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds LS1 6AE

Or email enquiries@nhsdigital.nhs.uk

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances.

This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual or reasons of important public interest.

The circumstances in which you are entitled to request that we restrict the processing of your personal data are:

• Where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified.
• Where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data.
• Where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it.
• Where we have no further need to process your personal data but you require the data to establish, exercise or defend legal claims.

If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

Purpose and legal basis for processing

For Data and Security Protection Toolkit

A Direction given by the Secretary of State for Health requiring NHS Digital to establish and operate a system to be known as the data security and protection toolkit data collections service.

Direction (s.254 (1), (2)(a), (5) and (6), and 260(2)(d) of Health & Social Care Act 2012).

Mandatory Request (s. 255 of Health & Social Care Act 2012).

For the small amount of personal data the legal basis is Article 6 of the GDPR for the processing of personal data (Article 6 (1c) – Legal obligation). This will be shared with NHS Digital, the Department of Health and Social Care / NHSX, NHS England & Improvement.

Legal basis for analysis:

Direction - sections 254(1), (2)(a), (5) and (6), and 260(2)(d) of the Health and Social Care Act 2012.

Legal basis for disclosure:

In accordance with section 260(2)(d) of the Act, NHS Digital is directed not to publish the data obtained by complying with the section 254 Direction except for a summary level of each organisation’s completed data security and protection toolkit which will be made available online to the public.

https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/secretary-of-state-directions/data-security-and-protection-toolkit-data-collections-service

For Incident Reporting

Legal basis for collection:

Under sections 254(1) (6), 260 (1) and 2(d) of the Health and Social Care Act 2012 and 304 (9) (10) and (12) of the Health and Social Care Act 2012.

For the small amount of personal data the legal basis is Article 6 of the GDPR for the processing of personal data (Article 6 (1c) – Legal obligation). This will be shared with the ICO, NHS Digital, NHS England & Improvement, NHSX and the Department of Health and Social Care.

Legal basis for analysis:

Under sections 254(1) (6), 260 (1) and 2(d) of the Health and Social Care Act 2012 and 304 (9) (10) and (12) of the Health and Social Care Act 2012.

Legal basis for disclosure:

In accordance with section 260(2)(d) of the Act, NHS Digital is directed not to publish the data obtained by complying with the section 254 Direction except for a summary level of each organisation’s completed data security and protection toolkit which will be made available online to the public.

https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/secretary-of-state-directions/data-security-and-protection-incident-reporting-tool-direction-2018

Keeping information secure

We invest significant resources to protect your personal information from loss, misuse, unauthorised access, modification or disclosure. However, no internet-based site can be 100% secure and so we cannot be held responsible for unauthorised or unintended access that is beyond our control. You can read more about our Data Impact assessment.

The Data Controller

The Health and Social Care Information Centre (known as NHS Digital) is the Data Controller for the Data Security and Protection Toolkit website. The Data Protection Officer is Catherine Nicholson.

If there are any queries regarding this privacy policy, you may contact us using the information below:

Information Governance Compliance Team
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds LS1 6AE

Or email enquiries@nhsdigital.nhs.uk

• We will process your data in accordance with the Data Protection regulations in force in the UK at the time.
• You also have the right to lodge a complaint with the Information Commissioner's Office.