Information is provided under the requirements of the General Data Protection Regulation and the Data Protection Act 2018.
NHS England is the data controller for all information collected and processed as part of disease registration. The data protection officer can be contacted on [email protected].
The NDRS has legal permission to collect patient data to use it to protect the health of the population. Previously this permission was granted to Public Health England under section 251 of the National Health Services Act 2006.
From 1 October 2021, permission was granted to NHS Digital. under legal instructions known as Directions, from the Secretary of State for Health and Social Care, under section 254 of the Health and Social Care Act 2012 (2012 Act). The Directions are called the National Disease Registries Directions 2021. They instructed NHS Digital to collect and use confidential patient information to operate the NDRS.
Building on the huge progress made on digital transformation during the pandemic, on the 1 February 2023, NHSD and NHSX merged into NHS England. NHS England is now therefore the controller of the personal data held by the NDRS under data protection law.
Under UK GDPR we can only collect and use personal data if we have a legal basis under Articles 6 and 9 of the UK GDPR.
Our legal basis to collect and use your personal data is:
- Article 6(1)(c) – legal obligation – as we are required to do this to operate the National Disease Registration Services under the National Disease Registries Directions 2021.
- Article 9(2)(g) – substantial public interest – because the processing of the data is substantially in the public interest and in accordance with the law, for the purposes of NHS England exercising its statutory functions under the National Disease Registries Directions 2021. It is substantially in the public interest to improve NHS cancer treatment and care, improve patient outcomes and to understand the prevalence of congenital anomalies and rare diseases in England and how these are affected by gender, ethnicity, disease type and geographic region. This is also permitted under paragraph 6 of Schedule 1 of the Data Protection Act 2018 (DPA)