
Use of personal data in our corporate email communications: GDPR information


Why and how we process your data, how our communications team uses personal data in bulk email communications with the NHS and care system, and your rights.

Controller: NHS England
How we use the information (processing activities)

Our corporate communications team use the govDelivery platform (managed by our processor Granicus) to send bulk emails to people across the health and care system to help them get the best out of our products and services and stay abreast of new standards and requirements for the use of data and digital technology. We maintain email distribution lists for key groups in the health and care system (for example, GP practice staff, Chief Information Officers, and pharmacy professionals) and use these lists to distribute regular bulletins and one-off announcements.

We ask people on these distribution lists to provide information about themselves to help us make these communications more useful. For example, by understanding the job roles recipients in GP practices are performing, we can tailor our emails to their needs.

We also collect information about how recipients use our emails. This helps us make our emails more effective. For example, information about the number of recipients who open and click links in a bulletin shows us how useful people found it and helps us make the next bulletin more useful. We use web beacons in our emails to do this. More information is available in Granicus’ GovDelivery platform privacy policy and cookie policy.

Does this contain sensitive (special category) data such as health information? No
Is data transferred outside the UK? We use the Granicus govDelivery platform to hold mailing list data and send regular email bulletins to our stakeholders. Granicus are our data processor and their data centres are based in the United States (US). Granicus also use sub-processors based in the US and India. We have an International Data Transfer Agreement (IDTA) in place with Granicus.
How long the data is kept: We will hold your information for as long as you are using our bulletins.
Your rights
  • Be informed: Yes
  • Get access to it: Yes
  • Rectify or change it: Yes
  • Erase or remove it: Yes
  • Restrict or stop processing it: Yes
  • Move, copy or transfer it: No
  • Object to it being processed or used: Yes
  • Know if a decision was made by a computer rather than a person: No
How can you withdraw your consent?

Bulletins issued include a link to enable subscribers to unsubscribe or manage their preferences.

Alternatively, subscribers may email [email protected] with their full name and email address and we will respond within 48 hours.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? (1) From individuals who have signed up to receive the bulletins of their choice via a sign-up page hosted on our website. (2) From research done by NHS Digital (now merged with NHS England) which indicates you are in one of the key audience groups with whom we need to share information, where not receiving this information may harm your ability to work effectively with us and use our products and services. Personal data collected includes the subscriber's name, email address, job role, organisation name and the use of our emails (for example, whether recipients have opened a bulletin and what links they clicked on).
The legal basis for collecting this data

UK GDPR Article 6(1)(e) – public task
UK GDPR Article 6(1)(a) - consent