We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Privacy Statement - NHS e-Referral Service
This privacy statement covers the NHS e-Referral Service professional application and the Manage Your Referral patient application.
Version 0.6 - 23 February 2021
This update reflects amendments to:
- your rights in relation to personal data
- the originator of the NHS e-Referral Service legal direction
- where we store and process personal data
- typo corrections
- update of contact email addresses
This privacy statement relates to two of the services provided by NHS Digital. This is a privacy statement for the NHS e-Referral Service professional application for use by healthcare staff in the referral of patients. This is also the privacy statement for patients using the Manage Your Referral website for managing appointments and reviewing referral statuses.
This page is primarily aimed at a patient audience. Professional users should read this privacy statement in conjunction with the 'Approved authentication tokens privacy notice and terms and conditions for NHS Identity and Care Information Service (CIS) users'. This is the Registration Authority Smartcard Privacy notice, which all users who have smartcards should be aware of.
The NHS e-Referral Service programme team understands your needs as an individual to ensure that your data is being used and held in a responsible way and we aim to reassure you that every reasonable step is being taken to secure your personal information.
Please ensure that you read this statement carefully and contact the NHS e-Referral Service programme team at email@example.com if you have any questions or concerns relating to this privacy statement.
This privacy statement explains the following:
- the services available via the NHS e-Referral Service and who is involved
- who the controller is for the personal data processed when you use the NHS e-Referral Service or Manage Your Referral
- what information is collected about you
- what information is held about you and where this information is obtained
- how your personal data is used and why
- where your data is stored
- your rights
- points of contact for queries, objections and complaints
In this privacy statement, these terms have the following meanings:
- Controller: "The person or entity which alone or with others determines the purposes or means or processing of any personal data"
- Processor: "Any person or legal entity who processes personal data on behalf of the controller"
- Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"
The NHS e-Referral Service
The NHS e-Referral Service provides a quick and secure way for patients to be referred for specialist care. Patients are empowered to choose their own first hospital or clinic appointment with a specialist. Bookings can be made online using Manage Your Referral, using the telephone, or directly in the GP surgery at the time of referral.
Services provided by the NHS e-Referral Service include:
- electronic referrals for specialist assessment and treatment (as of October 2018, 100% of GP to first-outpatient referrals in England are made this way)
- Manage Your Referral - the patient-facing website that allows users to book, rearrange or cancel their appointments online as well as providing an overview of the status of a referral
- advice and guidance - allowing one clinician to seek advice from another, providing digital communication between two clinicians
- referral assessment services - allowing specialist clinicians to review referral information before an appointment is booked
Who we are
The NHS e-Referral Service is a programme of NHS Digital. The controller for this information is NHS Digital (in relation to the processing of personal data) and the Department of Health and Social Care (DHSC) (in relation to determining the purpose for processing the data through the issuing of a direction to NHS Digital).
The Data Protection Officer is the named individual within an organisation who is responsible for GDPR regulations. For NHS Digital, the named Data Protection Officer is Kevin Willis. The team can be contacted at firstname.lastname@example.org.
About NHS Digital
NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services.
We exist to help patients, clinicians, commissioners, analysts and researchers.
Our goal is to improve health and social care in England by making better use of technology, data and information.
Find out more about NHS Digital.
NHS Digital has been directed by the Secretary of State for Health to provide the NHS e-Referral Service and to include the services that can be accessed via the Manage Your Referral website.
NHS Digital is also responsible for managing (as well as many other services):
- the national data opt-out, which allows patients to state their data sharing preferences
- the NHS.uk website, which provides health information
- NHS 111 online, which allows patients to get triage advice based on their symptoms online
- NHS Digital also provides a public-facing service desk for user queries relating to the functionality of the NHS e-Referral Service
GP practices and referring organisations
GP practices provide primary care services to the public.
As part of the NHS e-Referral Service, GP practices and other referring organisations (this could also be dental practices, opticians etc.) can refer patients for specialist treatment, where this is clinically required.
They can also seek advice and guidance on a patient's condition, where they consult a specialist clinician on the best course of action for a patient's care. As part of the referral or advice process, clinical information, such as referral letters, diagnostic test results or images may be added to assist clinicians in treating patients. These are all added using the NHS e-Referral Service.
Once a referral has been made, the referring organisation is responsible for providing patients with the relevant information to log in to their Manage Your Referral account so that they can manage their appointments.
This may involve the patient being given a physical document that details their unique booking reference number (the number that is unique to each referral created in the NHS e-Referral Service) and an access code (this two word code is unique to each patient).
The combination of these two assets plus the patient's date of birth gives access to Manage Your Referral. Patients that have previously signed up to an NHS login account can also be granted access to Manage Your Referral by their referring organisation using their email address as a mechanism to access Manage Your Referral.
The referring organisation that made the referral remains in charge of your personal information and decides what information is relevant to share as part of your referral. Your referring organisation carries the responsibility of ensuring your personal information is kept secure through their own use of the NHS e-Referral Service. For more information, contact your referring organisation.
In this guidance, the term "service providers" is used to describe any organisation that provides specialist care to patients. This can include hospital consultants, allied health professionals (such as physiotherapists and podiatrists), GPs with a special interest, and the support staff that assist these healthcare providers. These may be NHS organisations or independent providers.
Service providers will receive information as well as any attachments that have been included and will provide relevant advice or treatment to patients. They may forward on your information to other providers, should they feel this is clinically necessary.
Service providers remain in charge of your personal information through the responsible use of the NHS e-Referral Service. For more information, contact your service provider or patient advice and liaison service (PALS).
The appointment line (TAL)
NHS Digital contract a telephone appointment line for use by patients. Agents at the appointment line can book, rearrange or cancel appointments.
They have access to demographic data and the clinical context of referrals but do not have access to any other clinical information such as referral letters or test results. TAL agents can also see and change a patient's access code.
The information we collect
- full name
- date of birth
- NHS number
- telephone number
- email address (in the case of patients wishing to use an NHS login account to access Manage Your Referral)
Referral specific information
- unique booking reference number
- access code
- service preference (which service(s) a patient is willing to have their referral sent to)
Special category data
- clinical context of a referral (this includes the specialty of a referral e.g. dermatology, cardiology etc.)
- referral letter detailing the specific clinical reasons for referral
- blood tests
- diagnostic test results (e.g. x-ray, MRI, ECG results etc.)
- information from previous referrals, should this be relevant
Patients that use the Manage Your Referral website are asked to complete an optional survey of their experience after their appointment has been confirmed. We do not collect any personal data with this feedback unless the patient elects to provide it as part of their survey completion.
Personal data will only be captured if you elect to provide it as part of participating in user research relating to the NHS e-Referral Service or Manage Your Referral. We may ask general questions about your health and background in order to ensure we are inclusive in our research. Specific information about consent forms will be provided to any individuals participating in user research.
How we use personal information
We use personal information to transfer clinical referral data to the relevant healthcare professionals so that patients can be treated as quickly and effectively as possible.
Professional users need to be aware that, in support of routine testing processes for the NHS e-Referral Service prior to any release, a test data set is used which contains no patient identifiable data, but can include the names of clinicians, as would be shown in the live system. This data set is held in a secure location and is only accessible to limited security-cleared staff involved in the release testing process.
The legal basis for processing your personal data
Directions given by the Secretary of State for Health requiring NHS Digital to establish and operate informatics systems for the collection of analysis of information, and to exercise systems delivery functions in respect of the NHS e-Referral Service.
The Secretary of State for Health has directed NHS Digital to collect certain data with regards to referrals and referral management. The legal direction is titled "Electronic Prescription Service, Health and Social Care Network, N3, NHS Choices, NHS e-Referral Service, Secondary Uses Service (SUS), Spine (Named Programmes) Directions 2016". More information about the legal directions can be found on the NHS Digital website.
When we share personal data
Data is shared with the relevant service providers that are responsible for the patient's care.
In the event that a patient is given the option of several services to choose from, we will only share patient information with the service that the patient has booked an appointment with, or a service that needs to contact the patient in order to book an appointment for them.
We may need to share your personal information, if we are required to do so by law.
Other uses of your data
NHS Digital will also share:
- anonymous information on how the service is used with the Department of Health and Social Care, NHS England and Clinical Commissioning Groups (CCGs)
- anonymous information to improve the service with the Department of Health and Social Care, NHS England and Clinical Commissioning Groups (CCGs)
Where we store and process personal data
We only store and process your personal data within the UK. Currently there are no plans for this to change.
How we secure personal data
Whenever you provide personal information to a care organisation, that organisation is legally obliged to use your information in line with data protection law.
We take the security of your personal information very seriously. We have set up security measures, policies, and procedures such as:
- protecting the professional application so that only users with an authorised smartcard can access a patient's referral record
- training all staff annually in data and security protection
- monitoring our platform to keep your personal information secure
- following good practice guidance provided by the National Technical Authority
- always using legally binding agreements with all organisations we use
- having security and confidentiality policies in place across the organisation, to which staff must agree before they're given access to personal information
- restricting access to personal information to only those staff who need access to perform their role
However, no software or application can be completely secure. If you have any concerns that your information could have been compromised, please contact email@example.com.
How long we keep your personal data for
Referrals created within the NHS e-Referral Service remain available for viewing by relevant parties (such as GP practice and the service provider staff) until the referral has been inactive for 18 months, at which point the referral is archived.
Archived referrals are held in the NHS e-Referral Service database. They can be accessed by a user with a "legitimate relationship" with the patient (an example of a legitimate relationship would be the patient's GP practice/referring clinician).
Archived referrals are retained for the life of the patient plus 10 years after the death of the patient.
Your rights in relation to personal data
We respect your rights to access and control the personal data that we hold about you, as required by data protection legislation. This includes:
- right to be informed
- right to get access to it
- right to rectify or change it
- right to restrict or stop processing it
If you wish to know what personal data NHS Digital holds about you, you should complete a Subject Access Request.
Where the data you request is not relating to your own personal data then a Freedom of Information request can be submitted.
Requests to rectify or change your data, or to restrict or stop processing your data should be made to National Service Desk - firstname.lastname@example.org
Following receipt of your request the relevant team will respond in line with NHS Digital corporate policies and procedures.
If you wish to make a complaint about how we have managed your data, contacts for the Regulator are provided below:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, WSK9 5AF.
How to contact us
If you have any questions or concerns about this privacy statement or the way in which we process your data, please contact us at email@example.com.
To know how your data will be collected, processed, and stored, and for what purposes, you can contact our Data Protection Office:
Information Governance Compliance Team
7 and 8 Wellington Place
We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.
The ICO is the UK regulator for data protection and upholds information rights.