Skip to main content

Privacy policy - NHS e-Referral Service

This privacy policy covers the NHS e-Referral Service professional application and the Manage Your Referral patient application.


Version 0.6 - 23 February 2021

This update reflects amendments to:

  • your rights in relation to personal data
  • the originator of the NHS e-Referral Service legal direction
  • where we store and process personal data
  • typo corrections
  • update of contact email addresses


This privacy policy relates to two of the services provided by NHS England. This is a privacy policy for the NHS e-Referral Service professional application for use by healthcare staff in the referral of patients. This is also the privacy policy for patients using the Manage Your Referral website for managing appointments and reviewing referral statuses. 

This page is primarily aimed at a patient audience. Professional users should read this privacy policy in conjunction with the 'Approved authentication tokens privacy notice and terms and conditions for NHS Identity and Care Information Service (CIS) users'. This is the Registration Authority Smartcard Privacy notice, which all users who have smartcards should be aware of. 

Read the NHS Identity and CIS users Privacy notice. 

The NHS e-Referral Service programme team understands your needs as an individual to ensure that your data is being used and held in a responsible way and we aim to reassure you that every reasonable step is being taken to secure your personal information. 

Please ensure that you read this policy carefully and contact the NHS e-Referral Service programme team at [email protected] if you have any questions or concerns relating to this privacy policy. 

This privacy policy explains the following:

  • the services available via the NHS e-Referral Service and who is involved
  • who the controller is for the personal data processed when you use the NHS e-Referral Service or Manage Your Referral 
  • what information is collected about you
  • what information is held about you and where this information is obtained
  • how your personal data is used and why
  • where your data is stored
  • your rights
  • points of contact for queries, objections and complaints

In this privacy policy, these terms have the following meanings:

  • Controller: "The person or entity which alone or with others determines the purposes or means or processing of any personal data"
  • Processor: "Any person or legal entity who processes personal data on behalf of the controller"
  • Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"

The NHS e-Referral Service

The NHS e-Referral Service provides a quick and secure way for patients to be referred for specialist care. Patients are empowered to choose their own first hospital or clinic appointment with a specialist. Bookings can be made online using Manage Your Referral, using the telephone, or directly in the GP surgery at the time of referral. 

Services provided by the NHS e-Referral Service include:

  • electronic referrals for specialist assessment and treatment (as of October 2018, 100% of GP to first-outpatient referrals in England are made this way)
  • Manage Your Referral - the patient-facing website that allows users to book, rearrange or cancel their appointments online as well as providing an overview of the status of a referral
  • advice and guidance - allowing one clinician to seek advice from another, providing digital communication between two clinicians 
  • referral assessment services - allowing specialist clinicians to review referral information before an appointment is booked

Who we are

The NHS e-Referral Service is a programme of NHS England. The controller for this information is NHS England (in relation to the processing of personal data) and the Department of Health and Social Care (DHSC) (in relation to determining the purpose for processing the data through the issuing of a direction to NHS England).

The Data Protection Officer is the named individual within an organisation who is responsible for GDPR regulations. For NHS England the named Data Protection Officer is Jon Moore. The team can be contacted at [email protected] ‚Äč

About NHS England

NHS England has been directed by the Secretary of State for Health to provide the NHS e-Referral Service and to include the services that can be accessed via the Manage Your Referral website.

NHS England is also responsible for managing (as well as many other services):

  • the national data opt-out, which allows patients to state their data sharing preferences
  • the website, which provides health information
  • NHS 111 online, which allows patients to get triage advice based on their symptoms online
  • NHS England also provides a public-facing service desk for user queries relating to the functionality of the NHS e-Referral Service 
  • information from e-RS which will be available in the NHS App (and other patient facing apps of your choice in the future)

Find out more about NHS England

GP practices and referring organisations

GP practices provide primary care services to the public. 

As part of the NHS e-Referral Service, GP practices and other referring organisations (this could also be dental practices, opticians etc.) can refer patients for specialist treatment, where this is clinically required.

They can also seek advice and guidance on a patient's condition, where they consult a specialist clinician on the best course of action for a patient's care. As part of the referral or advice process, clinical information, such as referral letters, diagnostic test results or images may be added to assist clinicians in treating patients. These are all added using the NHS e-Referral Service. 

Once a referral has been made, the referring organisation is responsible for providing patients with the relevant information to log in to their Manage Your Referral account so that they can manage their appointments.

This may involve the patient being given a physical document that details their unique booking reference number (the number that is unique to each referral created in the NHS e-Referral Service) and an access code (this two word code is unique to each patient).

The combination of these two assets plus the patient's date of birth gives access to Manage Your Referral. Patients that have previously signed up to an NHS login account can also be granted access to Manage Your Referral by their referring organisation using their email address as a mechanism to access Manage Your Referral. 

The referring organisation that made the referral remains in charge of your personal information and decides what information is relevant to share as part of your referral. Your referring organisation carries the responsibility of ensuring your personal information is kept secure through their own use of the NHS e-Referral Service. For more information, contact your referring organisation. 

Service providers

In this guidance, the term "service providers" is used to describe any organisation that provides specialist care to patients. This can include hospital consultants, allied health professionals (such as physiotherapists and podiatrists), GPs with a special interest, and the support staff that assist these healthcare providers. These may be NHS organisations or independent providers. 

Service providers will receive information as well as any attachments that have been included and will provide relevant advice or treatment to patients. They may forward on your information to other providers, should they feel this is clinically necessary. 

Service providers remain in charge of your personal information through the responsible use of the NHS e-Referral Service. For more information, contact your service provider or patient advice and liaison service (PALS). 

The appointment line (TAL)

NHS England contract a telephone appointment line for use by patients. Agents at the appointment line can book, rearrange or cancel appointments.

They have access to demographic data and the clinical context of referrals but do not have access to any other clinical information such as referral letters or test results. TAL agents can also see and change a patient's access code.  

The information we collect

Demographic information

We collect:

  • full name
  • date of birth
  • NHS number
  • address
  • telephone number
  • email address (in the case of patients wishing to use an NHS login account to access Manage Your Referral)

Referral specific information

We collect:

  • unique booking reference number
  • access code
  • service preference (which service(s) a patient is willing to have their referral sent to)

Special category data

We collect:

  • clinical context of a referral (this includes the specialty of a referral e.g. dermatology, cardiology etc.)
  • referral letter detailing the specific clinical reasons for referral
  • blood tests
  • diagnostic test results (e.g. x-ray, MRI, ECG results etc.)
  • images
  • information from previous referrals, should this be relevant

Other information

Patients that use the Manage Your Referral website are asked to complete an optional survey of their experience after their appointment has been confirmed. We do not collect any personal data with this feedback unless the patient elects to provide it as part of their survey completion.

User research

Personal data will only be captured if you elect to provide it as part of participating in user research relating to the NHS e-Referral Service or Manage Your Referral. We may ask general questions about your health and background in order to ensure we are inclusive in our research. Specific information about consent forms will be provided to any individuals participating in user research. 

How we use personal information

We use personal information to transfer clinical referral data to the relevant healthcare professionals so that patients can be treated as quickly and effectively as possible. 

Professional users need to be aware that, in support of routine testing processes for the NHS e-Referral Service prior to any release, a test data set is used which contains no patient identifiable data, but can include the names of clinicians, as would be shown in the live system. This data set is held in a secure location and is only accessible to limited security-cleared staff involved in the release testing process. 

When we share personal data

Data is shared with the relevant service providers that are responsible for the patient's care. To increase efficiency and security this can be achieved automatically without a user being present.

In the event that a patient is given the option of several services to choose from, we will only share patient information with the service that the patient has booked an appointment with, or a service that needs to contact the patient in order to book an appointment for them. 

We may need to share your personal information, if we are required to do so by law.

Other uses of your data

NHS England will also share:

  • anonymous information on how the service is used with the Department of Health and Social Care, NHS England and integrated care boards (ICBs)
  • anonymous information to improve the service with the Department of Health and Social Care, NHS England and integrated care boards (ICBs)

Where we store and process personal data

We only store and process your personal data within the UK. Currently there are no plans for this to change. 

How we secure personal data

Whenever you provide personal information to a care organisation, that organisation is legally obliged to use your information in line with data protection law. 

We take the security of your personal information very seriously. We have set up security measures, policies, and procedures such as:

  • protecting the professional application so that only users with an authorised smartcard can access a patient's referral record
  • training all staff annually in data and security protection
  • monitoring our platform to keep your personal information secure
  • following good practice guidance provided by the National Technical Authority
  • always using legally binding agreements with all organisations we use
  • having security and confidentiality policies in place across the organisation, to which staff must agree before they're given access to personal information
  • restricting access to personal information to only those staff who need access to perform their role

However, no software or application can be completely secure. If you have any concerns that your information could have been compromised, please contact [email protected].

How long we keep your personal data for

Referrals created within the NHS e-Referral Service remain available for viewing by relevant parties (such as GP practice and the service provider staff) until the referral has been inactive for 18 months, at which point the referral is archived. 

Archived referrals are held in the NHS e-Referral Service database. They can be accessed by a user with a "legitimate relationship" with the patient (an example of a legitimate relationship would be the patient's GP practice/referring clinician). 

Archived referrals are retained for the life of the patient plus 10 years after the death of the patient.

Your rights in relation to personal data

We respect your rights to access and control the personal data that we hold about you, as required by data protection legislation. This includes:

  • right to be informed
  • right to get access to it
  • right to rectify or change it
  • right to restrict or stop processing it

If you wish to know what personal data NHS England holds about you, you should complete a Subject Access Request.

Find out how to complete a Subject Access Request.

Where the data you request is not relating to your own personal data then a Freedom of Information request can be submitted.

Find out how to submit a Freedom of Information request.

Requests to rectify or change your data, or to restrict or stop processing your data should be made to National Service Desk - [email protected]

Following receipt of your request the relevant team will respond in line with NHS England corporate policies and procedures.

If you wish to make a complaint about how we have managed your data, contacts for the Regulator are provided below:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, WSK9 5AF.

How to contact us

If you have any questions or concerns about this privacy statement or the way in which we process your data, please contact us at [email protected]

To know how your data will be collected, processed, and stored, and for what purposes, you can contact our Data Protection Office:

By email

[email protected]

By post

Information Governance Compliance Team

NHS England 
7 and 8 Wellington Place
West Yorkshire

We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.

The ICO is the UK regulator for data protection and upholds information rights. 

Contact the ICO

Last edited: 6 March 2024 9:53 am