We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
NHS Business Services Authority (NHSBSA) Medicines Data: GDPR information
Summary
| Controller | NHS Digital (in relation to processing the personal data) and the Department of Health and Social Care (DHSC) (in relation to determining the purpose for processing the data through the issuing of a direction to NHS Digital) |
| How we use the information (processing activities) | NHS Digital collects, publishes and distributes medicines data received from the NHS Business Services Authority (NHSBSA) each month to improve patient safety, help plan and improve NHS services and for research via NHS Digital's Data Access Request Service (DARS). NHS Digital will be collecting this data from July 2020. Medicines data was previously collected by NHSBSA since April 2015 and this historical data will also be transferred to NHS Digital. |
| Does this contain sensitive (special category) data such as health information? | Yes |
| Who are recipients of this data? |
Data recipients are recorded in the Register of approved Data Releases. Information is also shared with NHS Business Services Authority to support medicines safety. |
| Is data transferred outside the UK? | Not for the purpose of processing it by NHS Digital. It may be transferred outside of the UK if this was approved by NHS Digital through the DARS process for any particular dissemination. |
| How long the data is kept | Data retention will be reviewed after 8 years (on 1 April for any data received in the previous 12 months) |
| Our lawful basis for holding this data | Legal obligation |
| Your rights |
|
| How can you withdraw your consent? |
Consent not the basis for processing. |
| Is the data subject to decisions made solely by computers? (automated decision making) | No |
| Where does this data come from? | NHS Business Services Authority (NHSBSA) |
| The legal basis for collecting this data | GDPR:Article 6 (1) (c) - Legal Obligation (Direction), DPA 2018:Schedule 1, Part 1 - Health or social care purpose |
