Data protection impact assessment support for Information Asset Owners (IAOs)

Information Asset Owners (IAOs) can use the information in this section to help them complete the data protection impact assessments (DPIAs) for the assets they own.

Hospital Episode Statistics (HES) is not a new asset and stakeholder engagement has taken place at numerous points through the life of these statistics. 

HES is the statistical name for the Commissioning Data Sets (CDS) data processed through the Secondary Uses Service (SUS). Changes to CDS and SUS are also extensively consulted on.

Stakeholder groups we consulted

We followed best practice guidance on consultation in the HES privacy assessment.

The Information Commissioner’s Office (ICO) code of practice sets out the main steps to follow:

  1. Identify the need for a PIA.
  2. Describe the information flows.
  3. Identify the privacy and related risks.
  4. Identify and evaluate the privacy solutions.
  5. Sign off and record the PIA outcomes.
  6. Integrate the outcomes into the project plan.
  7. Consult with internal and external stakeholders throughout the process.

We carried out all these steps as part of this project, except the second to last step, which will be carried out once the project is finished. We may need significant resources and the involvement of a variety of Health and Social Care Information Centre (HSCIC) staff.

Consulting internal and external stakeholders

Consultation allows an organisation to:

  • understand the concerns of those affected by the project
  • improve transparency by making people aware of how we use information about them
  • benefit from wider views and expertise that may not exist in the organisation

Consultation in the HES PIA project is in 3 phases:

  • a narrow, targeted set of interviews and meetings with people in the Health and Social Care Information Centre with an interest in and/or responsibility for the governance of Hospital Episode Statistics
  • a wider, targeted stakeholder engagement to seek the involvement and feedback of people or bodies who can be expected to be interested and/or affected by the governance of Hospital Episode Statistics

Processing and collecting data

To show a clear legal basis for processing, collecting, analysing or disclosing your personal data, the Secretary of State for Health directed us to:

  • collect the Commissioning Data Sets (CDS)
  • process this data in the Secondary Uses Service (SUS)
  • publish it as the Hospital Episode Statistics (HES)

Find out more information from the spine services direction 2.

Find out how we use your personal data from the HES and information governance pages of our website.

These tables explain why we collect and process all data.

Personal data

| Data categories | Yes | N/A | Justifications |
|---|---|---|---|
| Name | | X | May be flowed by the provider to SUS if the NHS number is not known; never received in HES. |
| | X | | Postcode is required for various geographical analyses; these derivations are performed during processing and only the postcode area and derived geographies are available for analysis, not the full postcode. |
| | | | It is important to know the age of people accessing NHS services for planning and commissioning purposes. Various “age at” derivations are performed during processing and it is those derivations which are made available for analysis, not the date of birth. |
| Age | X | | Derived, not flowed (see note on DOB). |
| Sex | | X | |
| Marital status | | | |
| Gender | X | | It is important to know the gender of people accessing NHS Services for planning and commissioning purposes. |
| Living habits | | | |
| Professional training / awards | | | |
| Income / financial / tax situation | | | |
| Email address | | | |
| Physical description | | | |
| General identifier for example NHS number | | | The NHS number is collected by SUS but is converted into a consistent, anonymised identifier which is then used for analytical purposes. Data containing NHS number is available for analysis but access is for specific purposes e.g. linkage to other data, only. |
| Home phone number | | | |
| Online identifier, such as IP address and event logs | | | |
| Website cookies | | | |
| Mobile phone or device number | | | |
| Mobile phone or device IMEI number | | | |
| Location data (travel, GPS or GSM data) | | | |
| Device MAC address (Wireless Network Interface) | | | |

Sensitive personal data

| Data categories | Yes | N/A | Justifications |
|---|---|---|---|
| Physical or mental health or condition | | | The purpose of HES is to help the public, patients, staff, policy makers and other commentators to understand the demands placed on the NHS and use made of those services. This could not be done without some information on physical or mental health conditions. This information is provided in the form of a diagnostic or operative procedure code or code |
| Sexual Life / orientation | | | A limited amount of information may be gleaned from some of the data, such as birth data |
| Family / lifestyle / social circumstance | | | A limited amount of information may be gleaned from some of the data, such as diagnosis of cirrhosis of the liver |
| Offences committed or alleged to have committed | | | |
| Criminal proceedings, outcomes or sentences | | | |
| Education or professional training | | X | |
| Employment history | | X | |
| Financial affairs | | X | |
| Religion or other beliefs | | | |
| Trade union membership | | | |
| Racial or ethnic origin | | | It's important to understand the ethnicity of people using NHS services to guard against institutional racism. |
| Biometric data (fingerprints / facial recognition) | | | |
| Genetic data | | | |


Sharing and merging personal data

HES is routinely linked with other data sets to reduce the data burden on the NHS of submitting the same data several times. It's routinely linked with the ONS, mortality data, Diagnostic Imaging Data Set, Patient Reported Outcomes Monitoring data and Patient Level Information Costing System data. 

Linkage is either directed by NHS England or the Department of Health, or performed under the terms of the Health and Social Care Information Centre Commencement Order. It can be linked with other data for external customers. Details of these disseminations can be found in the data release register.

How long we retain personal data

Data retention is in line with NHS guidance (30 years) and reviewed annually.

Achieving and maintaining data quality standards

Overview of the HES cleansing process

Graphic showing overview of the HES cleansing process

Full information about HES data quality can be found at the processing cycle.

HES data quality note

When Hospital Episode Statistics (HES) is published, additional data quality information and explanatory notes are also made available. For HES system users and those requesting extracts, data quality notes are published highlighting any specific known issues with the data to be considered when analysing the data.

HES data quality note content

The HES data quality notes are updated for each extract published and are available from 2007-08 data year onwards.

A typical note will contain:

  • issues with specific fields
  • issues with fields for a specific provider
  • coverage issues
  • processing errors
  • mapping issues / duplicates missed / Auto clean error
  • errors at SUS Ops stage / XML
  • anything else that is considered useful for users to be made aware of

Where possible each entry will highlight the impact on analysis of the area it relates to and give a timescale of when this issue will be resolved.

Each note records the issues that are found at the time of publication. If additional issues are found post-publication, the note will be updated to reflect this.

Making people aware of their rights

NHS opt out – how it has been considered

Patients can opt out either with their health care provider (up to 10), which is recognised using the withheld identity reason code, or by using the opt out available through their GP practice. All identifiable disseminations of data have objections recorded at a GP Practice applied. Find more information about opting out of sharing your health records.

How individual rights are upheld

Patients can opt out with their health care provider (up to 10), which is recognised using the withheld identity reason code. All identifiable disseminations of data have objections recorded at a GP Practice applied. Information about that process is found on the opting out of sharing your confidential patient information webpage.

Technical and organisational controls for “information security”

HES is housed in a corporate data centre with an approved System Level Security policy.  All internal access to HES is controlled via the internal Electronic Clear Data Access (eCDA) system. External access is controlled via the Data Access Request Service (DARS) process and Information Group Advising on the release of data (IGARD).

Personal data will not be transferred outside the EEA.

Further actions

Completed DPIAs must be revisited during the lifecycle of the project/programme to ensure:

  • outcomes and measures identified are still relevant
  • actions recommended to mitigate risks are implemented
  • mitigating actions are successful
  • the approved DPIA is uploaded to the Unified Register

Last edited: 22 March 2023 1:02 pm