What type of information we have:
The Booking and Referral Standard is an interoperability standard for patient record systems that enables booking and referral information to be sent between NHS service providers quickly, safely and in a format that is useful to clinicians. The data that traverses the NHS Digital infrastructure in the form of messages is a combination of personal data and special category data. NHS Digital will only collect audit and monitoring data for the Booking and Referral Standard. Alongside the Standard, an information model has been developed and approved by the Professional Records Standards Body (PRSB) that defines the booking and service request and confirms the data items that will travel with the request.
The Health and Social Care Act sets out the powers of the Secretary of State and NHS England to direct NHS Digital to carry out additional functions concerning information functions, the information functions of any health or social care body and systems delivery functions. Section 254 of the Health and Social Care Act enables NHS England to direct the HSCIC (now known as NHS Digital) on matters concerning the provision of NHS services in England.
NHS England has directed NHS Digital under sections 254(1) and (6), and section 304(9), (10) and (12) of the Health and Social Care Act 2012 (the 2012 Act) and Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 (the Regulations) to develop an interoperability standard for patient record systems that enables booking and referral information to be sent between NHS service providers quickly, safely and in a format that is useful to clinicians.
Service providers on the sending system will collect the following mandatory data items, which will be carried in the payload and used by the receiving system to verify the patients’ details. NHS Digital will not store these data items.
There are a number of recommended data items for system suppliers that they can choose to use dependent upon their system configuration. The BaRS system will not store this data:
Home phone number
Mobile phone number
The following data items will be stored in Splunk by NHS Digital for audit purposes when they are included in a BaRS API request:
Special Category Data
How we get the information and why we have it:
Data items are collected by sending and receiving systems when a sending organisation makes the booking and referral request; they use the API to send the payload to the receiving organisation. System suppliers will have the option to include a number of optional data items based on the PRSB information model.
To the extent that any personal data is processed by NHS Digital in the provision of the BaRS Service, NHS Digital’s lawful basis will be:
To the extent that any special categories of personal data are processed by NHS Digital in the provision of the BaRS Service, the Article 9 condition for doing so will be one or both of:
What we do with the information we have:
NHS Digital does not collect the personal data directly from patients, except in the case of 111 online, for which NHS Digital is the controller. The personal data is collected by the sending and receiving systems to enable a booking and referral to be made using the BaRS API. The data that traverses the NHS Digital infrastructure in the form of messages (payload) is a combination of personal data and special category data. NHS Digital will only collect BaRS API transactional data for the Booking and Referral Standard.
How we store your information:
NHS Digital is the trusted national provider of high-quality information, data and IT systems for health and social care. Information is the core business of NHS Digital and it is NHS Digital's duty to keep information safe.
An information asset has been created for the Booking and Referral Standard and an Information Asset Owner (IAO) assigned. An IAO is a senior member of NHS Digital staff who is responsible for the management of the information asset created and utilised by their team. The IAO role is mandatory across all government departments.
NHS Digital does not collect patients' personal data. The only data that will be stored by NHS Digital is BaRS API transactional data in Splunk; this will be stored for 90 days only.
Your data protection rights:
Under data protection law, you have rights including:
Your right to be informed - You have the right to be informed about when your personal data is being used.
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
If you would like to make a request, please contact us at [email protected]
Further information on how NHS Digital is keeping patient data safe is available here.
We may make changes to this Privacy Notice. If we do, the 'last edited' date on this page will also change. Any changes to this notice will apply immediately from the date of any change.
Last edited: 22 August 2022 12:20