This is the privacy statement for professional users of the Emergency Department Digital Integration (EDDI) platform.
This privacy statement relates to the Emergency Department Digital Integration (EDDI) web-based platform provided by NHS Digital. This is used by NHS 111 services to book patients a slot at an appropriate emergency department/urgent treatment centre/same-day emergency care service (ED/UTC/SDEC) and provides ED/UTC/SDEC information about the patients that are due to attend their department for further healthcare.
The NHS EDDI team understands your need, as an individual, to ensure your data is being used and held in a responsible way, and we aim to reassure you that every reasonable step is being taken to secure your personal information.
who the controller is for the personal data processed when you access EDDI
what information is collected about you
what information is held about you and from where that information is obtained
how your personal data is used and why
where your data is stored
points of contact for queries, objections, and complaints
In this privacy statement the following terms have the following meanings:
Controller: "The person or entity which alone or with others determines the purposes or means of processing of personal data"
Processor: "Any person or legal entity who processes personal data on behalf of the controller"
Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"
"Authentication Token" means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Authentication Token.
"Physical Smartcards" means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards.
"Registration Authority (RA)" means NHS Digital as the single national Registration Authority and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital.
Professional Users: "Any person who has a legitimate reason to access EDDI as part of their professional role."
“Same Day Emergency Care (SDEC)” means the service of same-day emergency care for patients being considered for emergency admission.
“Urgent Treatment Centre (UTC)” means a GP-led service which is open at least 12 hours a day, every day, offers appointments that can be booked through 111 or through a GP referral, and is equipped to diagnose and deal with many of the most common ailments people attend A&E for.
1. Who we are
The Emergency Department Digital Integration (EDDI) platform is provided by NHS Digital. This is used by NHS 111 services to book patients a slot at emergency departments/urgent treatment centres/same-day emergency care services (ED/UTC/SDEC) and provides a quick and secure way for emergency departments/urgent treatment centres to be able to see which patients have been referred to them for further treatment. Professional users access this web-based platform via the use of a physical smartcard.
NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. We exist to help patients, clinicians, commissioners, analysts and researchers. Our goal is to improve health and social care in England by making better use of technology, data and information.
We utilise data provided by NHS Identity and the Care and Information Service (CIS), some of which you provided to your local RA in your application for an authentication token, some of which is collected by cookies when you access the EDDI product, and some of which we generate as explained further below.
The personal data used by the EDDI web-platform is:
your smartcard unique identifier (UID)
your access profile(s) (which includes NHS Business Function and NHS job role) - this is assigned to you by your local RA, based upon your role and responsibilities and is approved by your employing organisation's policy
We collect this personal data from the NHS Identity and CIS services to check your identity and provide appropriate role-based access to the EDDI platform.
We also collect online identifiers, for example, IP address and event logs, and device information, for example, device type and browser used.
Collecting this information also allows us to manage our service so that we can:
As NHS Digital processes personal data under the legal direction from NHS England, both organisations are therefore joint controllers for data protection purposes. The legal basis under the Data Protection Act 2018 and General Data Protection Regulation (GDPR) for the processing is explained further below.
We only collect, use, and share your information when we have an appropriate legal basis to do so. Under data protection law, the use of personal data must be justified under one of a number of legal grounds. The principal legal grounds that justify our use of your personal data are:
legal obligation: where we need to use your personal information to comply with our legal obligations
Processing of personal data
GDPR Article 6(1)(c) - the 'processing is necessary for compliance with a legal obligation to which the controller is subject'
4. How we process your personal information
This data will be processed:
by NHS Digital for the purposes of validating your identity and ensuring that you are given appropriate access to EDDI
by NHS Digital to record your use of the EDDI platform
by NHS Digital for disclosure and auditing of access to systems as part of our commitment to patients within the Care Record Guarantee, and in accordance with any complaint, investigation or as required by appropriate legislation
by NHS Digital to complete analysis to ensure that the system meets the needs of the service
5. Sharing your information
The EDDI platform will not routinely share your information but may disclose information regarding your activity on EDDI if requested to do so to support an investigation or complaint.
We may need to share your personal data if we are required to do so by law.
NHS Digital will also share anonymous aggregated data on how the service is used with the receiving healthcare provider (ED/UTC/SDEC), NHS X and NHS England/Improvement to enable them to monitor service utilisation.
6. How we protect your personal information
We take the security of your personal information very seriously. We have set up security measures, policies and procedures to make sure your personal information is protected.
We protect your personal information by:
training staff to understand data and security protection
ensuring security and confidentiality policies are in place for our staff who have access to personal information
using legally binding agreements with all organisations that we appoint to process your personal information
restricting access to personal information to only those staff who need access to perform their role
However, no software or application can be completely secure. If you have any concerns that your information could have been compromised, please contact email@example.com
7. How long and where we store your personal information
We store your personal information for as long as it is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice for Health and Social Care (2016). Find out more about retention periods.
Your data will:
be held by EDDI as part of the activity records of user interactions for a period of eight years from the date of interaction at which point it will be subject to review
not be transferred out of the UK
not be used for any automated decision making
8. Your rights
We respect your rights to access and control the personal data that we hold about you, as required by Data Protection Legislation.
You have the right to access the data that EDDI holds about you. This should be exercised by making a subject access request to NHS Digital.
You do not have the right to erase your data, object to it being recorded, transport it elsewhere, withdraw consent to its capture or use, or restrict its processing. This is because the capture and processing of this data is necessary for a statutory requirement and the provision of the service. NHS Digital is also legally bound to record this data.
To know how your data will be collected, processed and stored, and for what purposes, you can contact our Data Protection Office to make a complaint by emailing firstname.lastname@example.org or by writing to:
Information Governance Compliance Team
NHS Digital, 7 and 8 Wellington Place, Leeds, West Yorkshire, LS1 4AP
We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.
The ICO is the UK regulator for data protection and upholds information rights.