Privacy policy

This privacy policy explains:

  • Why we collect information about you (we call this “personal data”)
  • What we do with it, including who we share it with
  • How long we keep it for and where we store it
  • Our legal basis for using it
  • What your data protection rights are

To read more about how NHS England uses personal data to improve health and care, read the NHS privacy notice.

About the Change your home address feature

NHS England are responsible for the Personal Demographics Service (PDS) which is the national electronic database of NHS patient details, containing information such as your name, address, date of birth, NHS number, contact information and the name of your GP practice. NHS health and care providers, such as your GP practice or hospital, use the data held in the PDS to:

  • confirm your NHS number
  • match you to your health records
  • check your contact details to send you communications related to your care

When you visit your GP practice or hospital and provide new contact information, such as a new telephone number, email or home address, their IT system is connected to the NHS Spine and they can choose to ‘push’ this information to PDS which updates your PDS record.

The Change your home address feature is a new feature which allows you to update your PDS record with your new home address without having to visit your GP practice or other healthcare provider.

How to access the feature

You can access the Change your home address feature using your NHS login details.

If you sign in using NHS login, we will ask your permission to share your NHS login information with our feature.

This allows us to fill in some personal details for you, such as your contact details.

We will not use your NHS login information for any other purposes. You can only share your NHS login information if you have proved your identity to NHS login.

For more information, view the NHS login privacy notice and terms and conditions.

Our role

Under data protection law, NHS England is a ‘joint controller’ with the Secretary of State for Health and Social Care for this feature. This means that we have jointly decided what personal data to collect and how it will be used to run this feature in accordance with Spine Services (no 2) 2014 Direction, which instructs NHS England to operate the Personal Demographics Service (PDS).

What data we collect or use

To provide this feature, we process your:

  • NHS login account information – such as your NHS number, verification proofing level and vector of trust.
  • Demographic data from your PDS record – such as your NHS number, current GP practice organisation code, and date of birth.
  • Demographic data you provide when you use the feature – your new address.
  • Log audit data – such as your session ID, time of use and actions taken when using the feature associated with technical log events.
  • Performance data – such as your Google Analytic cookie ID, time of use, your actions taken when using the feature, browser and device information and approximate geolocation. For more information, view the Change your home address cookie policy.

Where we get your data from

NHS login, which provides patients with a simple, secure and re-usable way to access multiple digital health and care services.

The Personal Demographics Service (PDS) which is the national electronic database of NHS patient details in England, Wales and the Isle of Man – holding information such as your name, address, date of birth and NHS number (known as demographic information).

How we use your data

Using NHS login to verify and authenticate your session

The Change your home address feature uses your NHS login account to authenticate and verify your identity which is tied to your NHS record. See the NHS login privacy notice for more information.

Using Personal Demographic Service (PDS) to retrieve and update your PDS record

We use the demographic data from your NHS login account to match you to your PDS record. This helps us to find your NHS number so that we can update your address. It is important for the PDS to hold up to date contact information, so that the NHS can contact you to provide you with care e.g. send you appointment reminders and invites to health screening services.

Service improvement, audit and troubleshooting

We look at how the feature is being used to help us make it better. To do this we put small files called “analytics cookies” on to your device using a software called Google Analytics. These cookies are optional. The information collected includes: the type of device you used, your browser type, your operating system, the date/time you used the feature and how you interacted with the feature. For more information, please see our cookie policy.

We also store technical log data for audit and troubleshooting (bug/fix) purposes and to make improvements to the feature.

We analyse data to monitor the uptake of the feature e.g. how many addresses are being changed and also to analyse demographic data to understand the reach of the feature and ensure it is inclusive and accessible. Information on how many people use the feature and its performance will also be used to publish anonymous statistical dashboards.

Our legal basis

Data protection law requires NHS England to have a legal basis before we can use your personal data.

Our legal basis is:

  • Legal obligation - Article 6(1)(c) of UK GDPR. This is because the Secretary of State for Health and Social Care has issued us with a Direction to provide this feature. This Direction is called the Spine Services (no 2) 2014 Direction.
  • Consent – Article 6(1)(a) of UK GDPR, if you choose to accept optional analytics cookies. View our cookie policy for more information.

Who we share your data with

Your GP practice – if you use this feature to update your address this will update your PDS record. If your new address is outside of your current GP practice’s catchment area, your GP practice’s IT system will be notified of your new address. This feature gives you information on how to register with a new GP practice for your local area. If you take no action to register with a GP practice within your catchment area, you may be de-registered from your current GP practice.

Processors

The Change your home address feature uses the following data processors under a contract known as a ‘Data Processing Agreement’. They can only use, store and keep the data in accordance with our instructions and cannot use the data for any other purposes:

  • Amazon Web Services (AWS) to protect the feature from automated attacks (security purposes)
  • Ordnance Survey Limited who provide the OS Places API so that we can check if the new address you provide is within or outside of your GP practice’s catchment area
  • Google (Google Analytics) to analyse the performance on the feature by using cookies

How long we keep data for

Data item or category How long we keep it for Why
Audit7 YearsSecurity and legal purposes
Operational9 MonthsIncident/investigation purposes
Analytics2 Years Key Performance Indicators (KPIs/analytics)

We keep your data in accordance with the Records Management Code of Practice 2021.

Where we store your data

We securely store your data using Amazon Web Services (AWS) in the United Kingdom (UK).

Your data protection rights

Under data protection law, you have the following rights over your data for this feature:

  • Your right to be informed – You have the right to be told how and why we are using your personal data. We have published this privacy policy to provide you with this information.
  • Your right to get copies of your data – You have the right to ask us for copies of your personal data (right of access). For more information, view how to make a subject access request.
  • Your right to get your data corrected – You have the right to ask us to correct (rectify) your personal data if you think it is inaccurate or incomplete.
  • Your right to get your data deleted – You have a right to ask us to delete (erase) your personal data in certain circumstances.
  • Your right to limit how we use your data – You have the right to ask us to limit the way we use your personal data (restrict processing) in certain circumstances.
  • Your right to withdraw consent – You have the right to withdraw consent for analytical cookies to be placed on your device by selecting ‘Reject analytics cookies’.

To make a rights request, email us at england.contactus@nhs.net

Your right to complain

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at: england.dpo@nhs.net

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through the ICO website.

Changes to this policy

We may make changes to this policy. If we do, the 'last edited' date on this page will also change. Any changes to this policy will apply immediately from the date of any change.