Authorised users of the private COVID-19 dashboards: privacy policy
This privacy policy relates to your use of the dashboard within the private COVID-19 dashboards. The dashboard is provided by NHS Digital to authorised users of approved organisations. This policy is intended for authorised users of the dashboard and explains how we will use your personal data in relation to your access to and ongoing use of the dashboard.
In this policy, ‘we’ or ‘us’ means NHS Digital. ‘You’ or ‘your’ means you, an authorised user of the dashboard.
This policy tells you what information NHS Digital collects about you and how it is used to provide you with access to and enable your on-going use of the dashboard. It includes information about your rights and how to contact us.
The dashboard
The information contained in the dashboard is intended to aid the approved organisations in understanding the impact of COVID-19, for example trends in COVID-19 progressing by local area, to facilitate local decision-making on handling rising infection levels in the population.
NHS Digital has been requested to provide granular data, for example post code or patient level, to support the COVID-19 response.
The data within the dashboard is only permitted to be used by the approved organisations and their authorised users who have been approved to access the dashboard. Dependent on the dashboard, this may be by the Department of Health and Social Care (DHSC) or appropriate NHS Smartcard access.
Who we are
The Health and Social Care Information Centre, known as NHS Digital, was set up under the Health and Social Care Act 2012 (2012 Act) and is part of the NHS. We securely collect, analyse and share information to improve health and social care services. Find out more about NHS Digital.
Our Data Protection Officer is Jon Moore, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, and who can be contacted via [email protected].
NHS Digital is registered with the Information Commissioner's Office as required by Data Protection legislation.
Our legal basis for processing your personal information
NHS Digital is the controller of the personal data that we collect from you for the purposes of enabling and maintaining your access, as an approved user, to the dashboard.
GDPR legal basis
Our legal bases for processing your personal information under the UK GDPR are:
- GDPR Article 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the Controller is subject, and
- GDPR Article 6 (1) (e) – processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
NHS Digital is required to share the disclosed data within the dashboard to approved organisations in order to meet its legal obligations under the COVID-19 Public Health Directions 2020, Regulation 3(1) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) and to comply with the notice served upon NHS Digital by the Secretary of State under Regulation 3(4) of COPI dated 17 March 2020. In addition, the requirement for NHS Digital to disseminate the disclosed data for the agreed purposes is a task that is being carried out in the public interest in response to the threat posed by COVID-19.
In addition, in order to share the disclosed data lawfully, it is necessary for us to implement certain controls and security measures which necessitate the processing of your personal data, as an authorised user of the dashboard, as described below. This enables us to meet our obligations under Article 5 (1) (f) and Article 32 of the UK GDPR in respect of patient personal data / confidential patient information.
How we use your personal information and why
Under the authorised user data access conditions that govern your access to the dashboard, it is necessary for you to provide your personal data for the purposes listed below. We will not be able to grant you access to the dashboard if you do not provide us with your personal data.
Purposes for processing your personal data
We will process your personal data for the following purposes, to:
- verify your identity and status as an authorised user and employee/agent engaged by an approved organisation
- create and maintain your user profile
- create your NHSmail email account and provide you with the required access credentials, if required
- notify you of changes to the dashboard
- notify you of changes to any of the terms and conditions associated with the dashboard
- notify you of any technical issues/changes to the dashboard
- notify you of any other changes or issues that may be relevant to your access to and/or use of the dashboard
- monitor and/or audit your use of the dashboard
- monitor and/or audit the approved organisation's use of the dashboard
- notify the approved organisation and any other relevant third parties should we have any concerns regarding your access to or use of the dashboard
- monitor security and online threats
The information we collect
We will collect the following information about you for the above purposes:
- your name
- your role/job title/position
- your organisation
- your email address/NHSmail address and account details
- other contact information such as telephone number and place of work
- information relating to the frequency and duration of your access to the dashboard, what information you view and when
- data relating to your access credentials such as username and password
- information necessary to operate multi-factor authentication
How long we keep your personal information for
We will retain your information for audit purposes for 6 years from the date on which access to the Dashboard is terminated (end date). It will then be securely destroyed.
Where we store your personal information
We store and process your personal information in the United Kingdom.
Your rights over your personal information
You have the following rights in relation to your personal information:
- the right to be informed about how your personal information is being used
- the right to access the personal information we hold about you
- the right to request the correction of inaccurate personal information we hold about you
- the right to request the erasure of your personal information in certain limited circumstances
- the right to restrict processing of your personal information where certain requirements are met
- the right to object to the processing of your personal information in certain circumstances
- the right to request that we transfer elements of your data either to you or another service provider in certain circumstances
- the right to object to certain automated decision-making processes using your personal information
- the right to withdraw consent at any time (where consent is being relied upon as a lawful basis for processing)
- the right to raise a concern with the Information Commissioner's Office at any time.
Some of these rights may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information stored and processed by us.
We want you to feel confident that we look after everyone’s personal data in line with the law. If you have any questions about your rights, you can get in touch with us at [email protected].
More information about your legal rights can be found on the Information Commissioner's website.
Complaints
If you wish to raise a complaint concerning NHS Digital’s processing activity, visit our Contact us page.
You also have the right to raise a concern with the Information Commissioner's Office at any time.
Contact us
If you have any queries in relation to the use of your personal information or if you want to exercise any of your rights above, please contact [email protected].
Changes to this notice
The terms of this policy may change from time to time. Any updates to the policy will be published on the dashboard website.
Previous versions
Version 1 – August 2020
Version 2 – October 2020
Version 3 – July 2021 (current version)
Last edited: 11 June 2024 12:53 pm