We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Access Request System (ARS): GDPR information
Summary
Why and how we process your data in the Access Request System, and your rights.
| Controller | NHS Digital |
| How we use the information (processing activities) | The Access Request System processes the authorisation of access to Systems and Services (provided under the Exeter Service Catalogue, previously known as SSD). The system enables SSD staff to comply with the Access Control Policy, ensuring the systems they require access to are formally recorded and an audit trail exists. The system produces an extract of users with access to systems containing Personal Confidential Data (PCD) to support the annual Information Governance Toolkit return. |
| Does this contain sensitive (special category) data such as health information? | No |
| Who are recipients of this data? |
None |
| Is data transferred outside the UK? | No |
| How long the data is kept | 8 years minimum after no longer required |
| Our lawful basis for holding this data | Public task |
| Your rights |
|
| How can you withdraw your consent? |
Consent not the basis for processing |
| Is the data subject to decisions made solely by computers? (automated decision making) | No |
| Where does this data come from? | Data subject |
| The legal basis for collecting this data | Public task and Health and Social Care Act (2012) – General Powers |
