NHS Health Check online privacy policy

1. How we use your personal information

This privacy policy explains how we use your personal data when you use the NHS Health Check online. The NHS Health Check online pilot is provided as an alternative to the face-to-face health check. Find out more about the NHS Health Check.

1.1 Terms we use in this policy

You may find it helps to understand these terms when reading this policy.

  • Personal data: information that relates to an identified or identifiable individual.
  • Special category data: sensitive personal data given special protection in data protection law including personal data about your health.
  • Data is “processed” when any action is taken with it. For example, when it is collected or reviewed.
  • Controller: the person or organisation (alone or with others) who decides what personal data to process and how it will be used.
  • Processor: an organisation which processes personal data on behalf of, and under the instruction of, the controller.
  • Joint data controller: if two or more controllers jointly determine the purposes and means of processing the same personal data.

You can find out more about these terms on the Information Commissioner’s Office website.

In this privacy policy, 'we' or 'us' means NHS England and Department of Health. 'You' or 'your' means you, a member of the public who is using the NHS Health Check online.

2. The NHS Health Check online

The NHS Health Check invites adults aged 40 to 74 years who do not have an existing diagnosis of cardiovascular disease (CVD) for a free check every 5 years.

The check, mainly done in a general practice, measures a person’s risk of having a heart attack or stroke in the next 10 years and of developing type 2 diabetes.

The NHS Health Check online is provided by NHS England and Department of Health and Social Care as a pilot. It allows you to complete an NHS Health Check online instead of a face-to-face check.

The NHS Health Check online involves:

  • filling in an online questionnaire about your health and lifestyle
  • taking your blood pressure and entering the results
  • ordering and getting a blood test to do at home
  • reviewing results and healthcare advice

3. Data controllers for NHS Health Check online

The NHS Health Check online has been designed in line with the NHS Health Check programme standards. You can read more about these in the Local Authorities regulations.

Under data protection law, NHS England and Department of Health and Social Care (“DHSC”) are joint controllers for the personal data put into the NHS Health Check online. The DHSC have commissioned NHS England to deliver the NHS Health Check.

NHS England is controller of NHS login and NHS App. You can choose to access the NHS Health Check online this way or via a web browser.

4. What information we collect about you

When you use the NHS Health Check online, we will collect the following categories of information, each described below.

NHS login account information

The personal data provided by NHS login should you choose to use NHS login to access the NHS Health Check online, such as name and NHS number.

Audit data

Information recorded by the NHS Health Check online about your use of the system, such as time of use, actions you took and related technical log events. Your NHS number is also stored against these records.

The logs enable analysis for:

  • incident investigation
  • fault analysis
  • non-repudiation (proof that a user has taken action such as agreeing to terms or sending data)

Performance data

How long the system takes to complete tasks, number of errors, success or failure at task completion.

NHS Health Check online demographic data

The personal information you provide to use the NHS Health Check online such as your:

  • name
  • address
  • age
  • NHS number
  • email address
  • contact telephone numbers
  • sex
  • ethnicity

NHS Health Check online health and lifestyle questionnaire data

The personal data you provide to calculate the results of the health check such as:

  • medical history of you, your parents and siblings
  • if you smoke
  • physical activity including how active you are at work
  • your alcohol consumption
  • your height and weight
  • your blood pressure

We generate your BMI for the QRisk and Leicester diabetes risk scores.

Application metadata

The personal data created from the NHS Health Check online based on the demographic information you provide. Metadata includes date and time of submission, patient ID, NHS login identity proofing level, the organisation code for your current GP practice.

5. How we use your data

5.1 To pre-populate your personal data

You can access NHS Health Check online via the NHS App. You can do this either through the native app (iOS or Android) or browser channel. Authentication is via NHS login for both.

When you use your NHS login account to register with the NHS Health Check online, the information we hold for your NHS login account will be used to set up your NHS Health Check online. This will save you having to provide the same information again. We will ask your permission to do this.

This allows us to fill in some personal details for you, such as your name, date of birth and contact details.

We will not use your NHS login information for any other purposes. You can only share your NHS login information if you have proved your identity to NHS login.

For more information, see the NHS login privacy notice and terms and conditions.

5.2 To order a blood test

We use a third party company, Thriva, to supply and process the blood test kit that you will complete as part of your NHS Health Check online. Thriva are a data processor. Your address is shared with Thriva so they can send you a home blood test kit to test your cholesterol level. You also have the option to provide an email address and/or mobile number to track delivery and receipt of the test. You can find out more at Thriva's privacy policy.

5.3 To assess your risk

The NHS Health Check online uses the information you have provided, plus the results of your blood test, to assess the risk of cardiovascular disease and diabetes.

We use a tool from Endeavour Predict to do this. Endeavour Predict is a community interest company whose objectives are to provide decision support for citizens and health care professionals in order to improve health. Anonymous data about you is shared with the QRisk tool, which provides a risk score of developing cardiovascular disease in the next ten years.

Anonymous data about you is shared with the QDiabetes tool, which provides a risk score of developing Type 2 diabetes. You can find more information at Endeavour Predict.

5.4 To tell you and your GP your results

The NHS Health Check online will contact you using the details you provided us to tell you that your NHS Health Check is complete or to remind you that you have an uncompleted NHS Health Check online.

Your GP will also receive the information you give us when completing the questionnaire, plus the results of your blood test, and the risk scores. These will then become part of your medical record.

You may also get advice and guidance on how you can make changes to improve your lifestyle and risk score. Sometimes, we ask your GP to get in touch to discuss your results.

5.5 For NHS Health Check online improvement, audit and troubleshooting

We look at how the service is being used to help us make it better. To do this we put small files called “analytic cookies” on to your device using software from Adobe. These cookies are optional. The information collected includes: the type of device you used, your browser type, your operating system, the date/time you used the NHS Health Check online and how you interacted with the NHS Health Check online. For more information, please see our cookie policy.

We also store technical log data for audit and troubleshooting (bug fix) purposes and to make improvements to the NHS Health Check online.

We ask for anonymous user feedback at relevant parts of your journey to help improve the NHS Health Check online. This data is stored within Qualtrics and may have some basic contact information as well as relevant survey answers. It will not be directly linked to you and your health check data.

We analyse data to check the uptake of the NHS Health Check online, for example how many checks are completed and also analyse demographic data to understand the reach of the NHS Health Check online. We take out all personal details, such as your name and address when we do this.

5.6 For NHS Health Check online evaluation

The DECIDE (Digitally Enabled Care in Diverse Environments) Centre is a partnership between the University of Oxford and RAND Europe (a not-for-profit research institute), and is a data processor. They have been asked to evaluate and measure NHS Health Check online outcomes. We take out all personal details, such as your name and address before we share data with them.

You may be asked if you would like to participate in some surveys or interviews run by DECIDE to aid them with their evaluation. This is entirely optional. If you agree, we will provide your email address to DECIDE so they can contact you directly.

5.7 For your contact with our service desk team

Information is captured when you contact the NHS Health Check online for support. If you raise a technical issue with the service desk team, we may link this to an Organisation Data Service (ODS) code. ODS codes are unique codes that are associated with particular health and care services, such as GP surgeries. When we capture an ODS code, it is stored in an issue management system alongside other details about the issue.

6. Our legal basis

Statutory basis for NHS England to deliver the NHS Health Check online pilot

NHSE relies on its powers under the National Health Service Act 2006 to undertake its role which is primarily:

  • system delivery
  • collection of audit data
  • service management
  • storage of static data to present to users (such as their results)

UK General Data Protection Regulation and the Data Protection Act 2018

UK GDPR Article 6(1)(e): ‘…processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller’.

Underpinned by statutory powers set out above.

Processing of special categories of personal data:

UK GDPR Article 9(2)(h)

‘processing is necessary …for the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.’

Underpinned by DPA2018 Sch1:

Health or social care purposes

2(1) This condition is met if the processing is necessary for health or social care purposes.

(2) In this paragraph “health or social care purposes” means the purposes of—

….

(f) the management of health care systems or services or social care systems or services.

NHS login and NHS App services:

Directions issued pursuant to the Health and Social Care Act 2012, Section 254(1):

  • NHS Login Directions 2021, which enabled NHS Digital (now NHS England) to provide the NHS Digital Citizen Identity Platform and related services, collectively the NHS login Services.
  • NHS App Directions 2023, which requires NHS England to develop and operate the NHS App and related services (collectively the NHS App Services).

Setting aside the duty of confidence:

Implied consent is given by participants choosing to use the NHS Health Check online, which is to support direct care. NHS England’s processing of personal data is not in itself directly for direct care but for the operation and maintenance of the system to support direct care.

Service management and user research:

Any personal data collected and processed for these activities will be done pursuant to UK GDPR Article 6(1)(a) ‘…the data subject has given consent to the processing of his or her personal data for one or more specific purposes’ and UK GDPR Article 9(2)(a) ‘…the data subject has given explicit consent to the processing of those personal data for one or more specified purposes’.

Statutory basis for the Department of Health and Social Care to deliver the NHS Health Check online pilot

Article 6(1)(e) of the UK GDPR, which permits processing that is necessary for the performance of a task in the public interest or in the exercise of the Controller’s official authority.

The processing is in line with the Secretary of State for Health and Social Care’s duties in relation to the promotion and provision of the health service (including public health functions), as outlined in Part 1 of the NHS Act 2006 (as amended by the Health and Social Care Act 2012).

The Department of Health and Social Care rely on the same conditions under Article 9 of the UK GDPR as NHS England, outlined above.

7. How long we keep your data for

We keep each category of information for the following period:

  • Audit data: audit events are kept for 8 years
  • Performance data: service-related logs are kept for up to 3 months; backups are kept for up to 90 days
  • NHS Health Check online demographic data: 8 years
  • NHS Health Check online health and lifestyle questionnaire data: 8 years (28 days if the questionnaire is incomplete, three months if blood tests are not completed)

8. Where your data is stored

We process and store your data in the United Kingdom within Amazon Web Services. Thriva have numerous sub-processors which store data outside of the UK. For each sub-processor, the data shared and the purpose are listed below:

  • Twilio SendGrid (US). Data: name, address, email. Purpose: to provide emails relating to blood tests.
  • Sentry (US), Datadog (EU) and Atlassian Opsgenie (EU). Data: user ID, order ID, fulfilment order ID, lab test request ID, test ID. Purpose: monitoring and alerting.
  • Stitch (EU), Snowflake (US) and Looker (EU). Data: user ID, order ID, fulfilment order ID, last test request ID, test kit ID, partial address, date of birth, sex at birth, test results. Purpose: business intelligence and analytics; troubleshooting and support.

9. Your rights

Data protection law gives you a number of rights. You can exercise your rights by contacting NHS England's Data Protection Officer at england.dpo@nhs.net.

The right to be informed – this privacy policy explains how we use your personal data to provide the NHS Health Check online.

The right of access – to get a copy of your data submitted to the NHS Health Check online, you can request this by completing a Subject Access Request (SAR). If you would like a copy of your GP record, please contact your GP surgery.

The right of rectification – Individuals can ask for corrections to be made to their records.

The right to erasure – This right does not apply to data collected under Article 6(1)(e) (public task). Where information is provided for service management and user research under GDPR consent, requests for erasure can be made through the email address above.

The right to the restriction of processing – You have the right to ask us to limit the way we use your data.

The right to data portability – This right does not apply.

The right to object – Individuals can object to the use of their data.

The right not to be subject to automated decision making – You have the right to not be subject to automated decision-making. At any point during the health check, you can end your check and ask a health care provider for a face-to-face check.

Asking a question or finding out more

If you have a general question about using the NHS Health Check online, you can check our help pages or contact us.

Your GP health record and healthcare

You can contact your GP surgery for more information about your GP health record data, and data about your care.

Contact the Information Commissioner

If we are unable to resolve any queries or concerns about the use of your personal information in connection with the NHS Health Check online, you can raise your concern with the Information Commissioner.

You can contact the Information Commissioner’s Office:

  • using the ICO's online contact service
  • by calling 0303 123 1113
  • by writing to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We ask that you try to resolve any issues with us first. However, you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information. The ICO is the UK regulator for data protection and upholds information rights.

Changes to this policy

The terms of our privacy policy may change from time to time. Any updates to the privacy policy will be published on the NHS website.

Page last reviewed: 25 March 2025
Next review due: 25 March 2028