Diabetic Retinopathy Eye Screening - GP2DRS: GDPR information

Summary

Why and how we process your data in the Diabetic Retinopathy Eye Screening system, and your rights.

Controller: NHS England (in relation to processing the personal data) and the Department of Health and Social Care (DHSC) (in relation to determining the purpose for processing the data through the issuing of a Direction to NHS England).
How we use the information (processing activities)

Diabetic retinopathy is one of the most common causes of blindness in the UK. Screening is the process which identifies people who appear healthy but may be at an increased risk of developing a disease or condition. Evidence shows that early identification and treatment of diabetic eye disease could reduce sight loss. This requirement is being implemented by the UK National Screening Committee on behalf of NHS England (NHS Diabetic Eye Screening).

The collection was established to improve the process by which patients are invited to attend a screening appointment. GP2DRS is a system which automates the sharing of patient information between general practices and local diabetic eye screening programmes to make the process easier by extracting the information directly from general practice systems and removing the need for manual processing. 

The General Practice Extraction Service (GPES) collection identifies all patients that are currently registered with a general practice, are 12 years of age or older, have a current diagnosis of diabetes and have given express or implied consent for the extraction of demographic information. The data will be used for patient identification and communication in order to keep NHS diabetic retinopathy screening programme registers updated and to invite patients for diabetic retinopathy screening. NHS England does not routinely access the data itself for inviting patients for screening and the data is not published or shared outside of the GP2DRS programme.

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

NHS Diabetic Eye Screening at NHS England

Is data transferred outside the UK? No
How long the data is kept: 3 months. Data that is stored in the NHS England Data Management Environment (DME) is replaced on a monthly basis to create a new patient cohort list. NHS England retains the previous 2 months’ worth of data but deletes any data previous to this. NHS England therefore only holds 3 months’ GP2DRS data within DME at any one time.
Our lawful basis for holding this data: Legal obligation
Your rights
  • Tick Be informed
  • Tick Get access to it
  • Tick Rectify or change it
  • Cross Erase or remove it
  • Tick Restrict or stop processing it
  • Cross Move, copy or transfer it
  • Tick Object to it being processed or used
  • Cross Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? General Practice (GP) medical records
The legal basis for collecting this data

NHS England’s lawful basis for processing (collecting and analysing) personal data is:

UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.

UK GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, supplemented by:

Data Protection Act 2018 Section 8(c) – the exercise of a function conferred on a person by an enactment or rule of law

NHS England has the legal permission to collect these data under Section 254 of the Health and Social Care Act 2012.

NHS England's lawful basis for processing (collecting and analysing) special categories of personal data is:

UK GDPR Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2(2)(f) – the management of health care systems or services or social care systems or services.

Where we use this data