
Access Request System (ARS): GDPR information


Why and how we process your data in the Access Request System, and your rights.

Controller: NHS Digital
How we use the information (processing activities)

The Access Request System processes the authorisation of access to Systems and Services (provided under the Exeter Service Catalogue, previously known as SSD). The system enables SSD staff to comply with the Access Control Policy, ensuring the systems they require access to are formally recorded and an audit trail exists. The system produces an extract of users with access to systems containing Personal Confidential Data (PCD) to support the annual Information Governance Toolkit return.

Does this contain sensitive (special category) data such as health information? No
Who are recipients of this data?


Is data transferred outside the UK? No
How long the data is kept: 8 years minimum after no longer required
Our lawful basis for holding this data: Public task
Your rights
  • ✓ Be informed
  • ✓ Get access to it
  • ✓ Rectify or change it
  • ✗ Erase or remove it
  • ✓ Restrict or stop processing it
  • ✗ Move, copy or transfer it
  • ✓ Object to it being processed or used
  • ✓ Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Data subject
The legal basis for collecting this data

Public task and Health and Social Care Act (2012) – General Powers