Skip to main content
Creating a new NHS England: NHS England and NHS Digital will merge on 1 February 2023. Learn more.

General Data Protection Regulation (GDPR) - information

How we've ensured compliance with data protection law, to make sure health and care data is always collected, stored, analysed and shared securely and legally.

The GDPR came into effect in the UK on 25 May 2018. We are the guardians of health and care data in England, and have made sure we comply with GDPR. This means that your health and care data will carry on being handled securely and in line with the regulations.

Contact the Information Commissioner's Office (ICO) if you have an enquiry about complying with the GDPR in your own organisation.

Official guidance for health and care

The Information Commissioner's Office (ICO) has published guidance on the GDPR. A national GDPR working group and the Information Governance Alliance have created official guidance for the NHS, social care and partner organisations on how health and care organisations should prepare for these changes to data protection law. You should go to these organisations for guidance on what your organisation should do to prepare for GDPR.

Implementing GDPR within NHS Digital

We have built on our track record of data security and our compliance with the Data Protection Act 1998 (DPA) to remain compliant with changing data protection law. We established an internal working group to implement the GDPR before it came into effect. This group was supported by guidance issued by the ICO and the GDPR health working group.  We outlined our strategic approach in our GDPR Strategy document and in our GDPR Prioritisation plan.

Impact on customers and stakeholders

Our systems and services have not changed and there has been no impact on our service delivery.

Impact on the public whose data we hold

Our duty to safeguard patient data has not changed and is our priority. The GDPR creates some new rights for individuals and also it strengthens some of the rights that currently exist under the DPA. We have worked to make sure that these rights are properly implemented, and any changes in the ways we collect, store or share your data are communicated through the website.

Finding out more about GDPR and the information we collect

We have developed a register of our collections that has been designed to tell you which of the the rights under GDPR apply to each collection, and what, in terms of the law, allows us to collect the information.

View the new GDPR register page

Contact us

We are keen to be as transparent as possible. If you would like any further information on how we are responding to the changes introduced by the GDPR, please email

Last edited: 14 November 2022 5:35 pm