Skip to main content

Electronic Prescription Service (EPS): GDPR information


Why and how we process your data in the Electronic Prescription Service (EPS), and your rights.

Controller NHS Digital (in relation to processing the personal data) and the Department of Health and Social Care (in relation to determining the purpose for processing the data through the issuing of a direction to NHS Digital)
How we use the information (processing activities)

The Electronic Prescription Service is a delivery mechanism that enables the transmission of a prescription electronically from a prescribing system through to a dispensing system. The EPS service is used across Primary care (mainly General Practices' and Pharmacists) and Urgent Care settings. All systems are connected to the NHS Spine through a secure connection with access further secured by the use of authentication certificates.

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

Information is provided to Prescribers and Dispensers, and the NHS Business Services Authority (BSA) as well as NHS Digital NHS Business Services Authority Medicines dataset

Is data transferred outside the UK? This data is not transferred out of the UK
How long the data is kept 12 months maximum after prescriptions dispensed or after prescription prescribed but not dispensed
Our lawful basis for holding this data Legal obligation
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Cross Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Cross Object to it being processed or used
  • Cross Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Prescribing systems
The legal basis for collecting this data

Article 6(1)(c) - Legal Obligation (Direction)
Article 9(2)(h) - Management of health or social care systems and services

DPA 2018:
Schedule 1, Part 1, paragraph 2 - Health or social care purpose

Where NHS Digital uses this data