Skip to main content

Privacy Statement - NHS e-Referral Service

Privacy statement relating to the NHS e-Referral Service professional application and the Manage Your Referral patient application.

Version 0.3 - 7 September 2020

This minor update reflects amendments to grammatical errors. 

This privacy statement relates to two of the services provided by NHS Digital. This is a privacy statement for the NHS e-Referral Service professional application for use by healthcare staff in the referral of patients. This is also the privacy statement for patients using the Manage Your Referral website for managing appointments and reviewing referral statuses. 

The NHS e-Referral Service programme team understands your needs as an individual to ensure that your data is being used and held in a responsible way and we aim to reassure you that every reasonable step is being taken to secure your personal information. 

Please ensure that you read this statement carefully and contact the NHS e-Referral Service programme team at if you have any questions or concerns relating to this privacy statement. 

This privacy statement explains the following:

  • the services available via the NHS e-Referral Service and who is involved
  • who the controller is for the personal data processed when you use the NHS e-Referral Service or Manage Your Referral 
  • what information is collected about you
  • what information is held about you and where this information is obtained
  • how your personal data is used and why
  • where your data is stored
  • your rights
  • points of contact for queries, objections and complaints

In this privacy statement the following terms have the following meanings:

  • Controller: "The person or entity which alone or with others determines the purposes or means or processing of any personal data"
  • Processor: "Any person or legal entity who processes personal data on behalf of the controller"
  • Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"

The NHS e-Referral Service provides a quick and secure way for patients to be referred for specialist care. Patients are empowered to choose their own first hospital or clinic appointment with a specialist. Bookings can be made online using Manage Your Referral, using the telephone, or directly in the GP surgery at the time of referral. 

Services provided by the NHS e-Referral Service include:

  • electronic referrals for specialist assessment and treatment (as of October 2018, 100% of GP to first-outpatient referrals in England are made this way)
  • Manage Your Referral - the patient facing website that allows users to book, rearrange or cancel their appointments online as well as providing an overview of the status of a referral
  • advice and guidance - allowing one clinician to seek advice from another, providing digital communication between two clinicians 
  • referral assessment services - allowing specialist clinicians to review referral information before an appointment is booked


The NHS e-Referral Service is a programme of NHS Digital. The controller for this information is NHS Digital (in relation to the processing of personal data) and the Department of Health and Social Care (DHSC) (in relation to determining the purpose for processing the data through the issuing of a direction to NHS DIgital).

The Data Protection Officer is the named individual within an organisation that is responsible for GDPR regulations. For NHS Digital, the named Data Protection Officer is Kevin Willis. His team can be contacted at

NHS England leads the National Health Service (NHS) in England. It sets the priorities and direction of the NHS. 

A lot of the work NHS England does involves the commissioning of healthcare services in England.

It commissions the contracts for GPs, pharmacists and dentists, and supports local health services led by groups of GPs called clinical commissioning groups (CCGs).

NHS England wants everyone to have greater control of their health and wellbeing and to be supported to live longer, healthier lives.

Find out more on the NHS England website

NHS England has directed NHS Digital to collect certain data with regards to referrals and referral management. The legal directions are titled "Electronic Prescription Service, Health and Social Care Network, N3, NHS Choices, NHS e-Referral Service, Secondary Uses Service (SUS), Spine (Named Programmes) Directions 2016". More information about the legal directions can be found on the NHS Digital website

NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. 

We exist to help patients, clinicians, commissioners, analysts and researchers.

Our goal is to improve health and social care in England by making better use of technology, data and information. 

Find out more about NHS Digital

NHS Digital has been directed by NHS England to provide the NHS e-Referral Service and to include the services that can be accessed via the Manage Your Referral website.

NHS Digital is also responsible for managing (as well as many other services):

  • the national data opt-out, which allows patients to state their data sharing preferences
  • the website, which provides health information
  • NHS 111 online, which allows patients to get triage advice based on their symptoms online
  • NHS Digital also provides a public-facing service desk for user queries relating to the functionality of the NHS e-Referral Service 

GP practices provide primary care services to the public. 

As part of the NHS e-Referral Service, GP practices and other referring organisations (this could also be dental practices, opticians etc.) can refer patients for specialist treatment, where this is clinically required. They can also seek advice and guidance on a patient's condition, where they consult a specialist clinician on the best course of action for a patient's care. As part of the referral or advice process, clinical information such as a referral letter, diagnostic test results or images may be added to assist clinicians in appropriately treating patients. These are all added using the NHS e-Referral Service. 

Once a referral has been made, the referring organisation is responsible for providing patients with the relevant information to log in to their Manage Your Referral account so that they can manage their appointments. This may involve the patient being given a physical document that details their unique booking reference number (the number that is unique to each referral created in the NHS e-Referral Service) and an access code (this two word code is unique to each patient). The combination of these two assets plus the patient's date of birth gives access to Manage Your Referral. Patients that have previously signed up to an NHS login account can also be granted access to Manage Your Referral by their referring organisation using their email address as a mechanism to access Manage Your Referral. 

The referring organisation that made the referral remains in charge of your personal information and decides what information is relevant to share as part of your referral. Your referring organisation carries the responsibility of ensuring your personal information is kept secure through their own use of the NHS e-Referral Service. For more information, contact your referring organisation. 

In this guidance, the term "service providers" is used to describe any organisation that provides specialist care to patients. This can include hospital consultants, allied health professionals (e.g. physiotherapists and podiatrists), GPs with a special interest, and the support staff that assist these healthcare providers. These may be NHS organisations or independent providers. 

Service providers will receive information as well as any attachments that have been included and will provide relevant advice or treatment to patients. They may forward on your information to other providers, should they feel this is clinically necessary. 

Service providers remain in charge of your personal information through the responsible use of the NHS e-Referral Service. For more information, contact your service provider or patient advice and liaison service (PALS). 

NHS Digital contract a telephone appointment line for use by patients. Agents at the appointment line can book, rearrange or cancel appointments. They have access to demographic data and the clinical context of referrals but do not have access to any other clinical information such as referral letters or test results. TAL agents can also see and change a patient's access code.  

As part of the standard referral process, we collect:

Demographic information:

  • full name
  • date of birth
  • NHS number
  • address
  • telephone number
  • email address (in the case of patients wishing to use an NHS login account to access Manage Your Referral)

Referral specific information:

  • unique booking reference number
  • access code
  • service preference (which service(s) a patient is willing to have their referral sent to)

Special category data:

  • clinical context of a referral (this includes the specialty of a referral e.g. dermatology, cardiology etc.)
  • referral letter detailing the specific clinical reasons for referral
  • blood tests
  • diagnostic test results (e.g. x-ray, MRI, ECG results etc.)
  • images
  • information from previous referrals, should this be relevant

Other information:

Patients that use the Manage Your Referral website are asked to complete an optional survey of their experience after their appointment has been confirmed. We do not collect any personal data with this feedback unless the patient elects to provide it as part of their survey completion.

User research:

Personal data will only be captured if you elect to provide it as part of participating in user research relating to the NHS e-Referral Service or Manage Your Referral. We may ask general questions about your health and background in order to ensure we are inclusive in our research. Specific information about consent forms will be provided to any individuals participating in user research. 


We use personal information to transfer clinical referral data to the relevant healthcare professionals so that patients can be treated as quickly and effectively as possible. 

Directions given by the Secretary of State for Health requiring NHS Digital to establish and operate informatics systems for the collection of analysis of information, and to exercise systems delivery functions in respect of the NHS e-Referral Service. 

Data is shared with the relevant service providers that are responsible for the patient's care. 

In the event that a patient is given the option of several services to choose from, we will only share patient information with the service that the patient has booked an appointment with, or a service that needs to contact the patient in order to book an appointment for them. 

We may need to share your personal information, if we are required to do so by law.

We only store and process your personal data within the UK and European Economic Area (EEA). Currently there are no plans for this to change. 

Whenever you provide personal information to a care organisation, that organisation is legally obliged to use your information in line with data protection law. 

We take the security of your personal information very seriously. We have set up security measures, policies, and procedures such as:

  • protecting the professional application so that only users with an authorised smartcard can access a patient's referral record
  • training all staff annually in data and security protection
  • monitoring our platform to keep your personal information secure
  • following good practice guidance provided by the National Technical Authority
  • always using legally binding agreements with all organisations we use
  • have security and confidentiality policies in place across the organisation, to which staff must agree before they're given access to personal information
  • restricting access to personal information to only those staff who need access to perform their role

However, no software or application can be completely secure. If you have any concerns that your information could have been compromised, please contact


Referrals created within the NHS e-Referral Service remain available for viewing by relevant parties (e.g. GP practice and the service provider staff) until the referral has been inactive for 18 months, at which point the referral is archived. 

Archived referrals are held in the NHS e-Referral Service database. They can be accessed by a user with a "legitimate relationship" with the patient (an example of a legitimate relationship would be the patient's GP practice or the organisation providing their specialist treatment). 

Archived referrals are held for 25 years.

We respect your rights to access and control the personal data that we hold about you, as required by data protection legislation. This includes:

  • right to be informed
  • right to get access to it
  • right to rectify or change it
  • right to restrict or stop processing it

You can exercise these rights at any time by emailing the NHS e-Referral Service programme team on Any requests for information will be acknowledged within one working day. 

If you wish to make a complaint about how we have managed your data, contacts for the Regulator are provided below:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, WSK9 5AF

If you have any questions or concerns about this privacy statement or the way in which we process your data, please contact us at

To know how your data will be collected, processed, and stored, and for what purposes, you can contact our Data Protection Office to make a complaint:

By email:

By post:

Information Governance Compliance Team

NHS Digital

1 Trevelyan Square

Boar Lane



We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.

The ICO is the UK regulator for data protection and upholds information rights. 

Contact the ICO

Last edited: 9 September 2020 1:25 pm