Skip to main content

Respond to an NHS cyber alert (formerly CareCERT collect): GDPR information


Why and how we process your data within CareCERT collect, and your rights.

Controller NHS Digital
How we use the information (processing activities)

Provision of cyber and data security services to the health and care system. Data collection of internet protocol (IP) data to carry out non-intrusive vulnerability scanning, user details to contact them about the output of IP scanning or other cyber matters, senior information risk owner (SIRO) details to provide a escalation point when required, and intelligence on alerts to focus our limited resources on sites needing our support during a cyber incident. Data collected also helps us determine the scope of a cyber incident when it occurs.

Does this contain sensitive (special category) data such as health information? No
Who are recipients of this data?


Is data transferred outside the UK? No
How long the data is kept 20 years after no longer required
Our lawful basis for holding this data Public task
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Cross Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Tick Object to it being processed or used
  • Tick Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent not the basis for processing

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? Networking device
The legal basis for collecting this data

Public task and Health and Social Care Act (2012) – Schedule 18, part 10 (1)

Where NHS Digital uses this data