Privacy statement for EDDI professional users

Version 0.2.

This privacy statement relates to the Emergency Department Digital Integration (EDDI) web-based platform provided by NHS Digital. This is used by NHS 111 services to book patients a slot at an appropriate emergency department/urgent treatment centre/same-day emergency care service (ED/UTC/SDEC) and provides ED/UTC/SDEC information about the patients that are due to attend their department for further healthcare. 

The NHS EDDI team understands your needs as an individual to ensure your data is being used and held in a responsible way and we aim to reassure you that every reasonable step is being taken to secure your personal information. 

Please ensure that you read this statement carefully. If you have any questions, contact the NHS EDDI team via the National Service Desk, either by calling 0300 303 035, emailing [email protected] or by logging a ticket on their self-service portal.

This privacy statement explains the following:

• who the controller is for the personal data processed when you access EDDI
• what information is collected about you
• what information is held about you and from where that information is obtained
• how your personal data is used and why
• where your data is stored
• your rights
• points of contact for queries, objections, and complaints

In this privacy statement the following terms have the following meanings:

• Controller: "The person or entity which alone or with others determines the purposes or means or processing of personal data"
• Processor: "Any person or legal entity who processes personal data on behalf of the controller"
• Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"
• "Authentication Token" means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Authentication Token
• "Physical Smartcards" means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards. 
• "Registration Authority (RA)" means NHS Digital as the single national Registration Authority and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital.
• Professional Users: "Any person who has a legitimate reason to access EDDI as part of their professional role." 
• “Same Day Emergency Care (SDEC)” means the service of same-day emergency care for patients being considered for emergency admission.
• “Urgent Treatment Centre (UTC)” means a GP-led service which is open at least 12 hours a day, every day, offer appointments that can be booked through 111 or through a GP referral, and are equipped to diagnose and deal with many of the most common ailments people attend A&E for.

The Emergency Department Digital Integration (EDDI) platform is provided by NHS Digital. This is used by NHS 111 services to book patients a slot at emergency departments/urgent treatment centres/same-day emergency care services (ED/UTC/SDEC) and provides a quick and secure way for emergency departments/urgent treatment centres to be able to see which patients have been referred to them for further treatment. Professional users access this web-based platform via the use of a physical smartcard. 

NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. We exist to help patients, clinicians, commissioners, analysts and researchers. Our goal is to improve health and social care in England by making better use of technology, data and information. 

Find out more about NHS Digital.

We utilise data provided by NHS Identity and the Care and Information Service (CIS), some of which you provided to your local RA in your application for an authentication token, some of which is collected by cookies when you access the EDDI product, and some of which we generate as explained further below. 

View the NHS Identity and CIS Privacy notice for more information on how NHS Identity and CIS collect and process your data. 

The personal data used by the EDDI web-platform is:

• name
• your smartcard unique identifier (UID)
• your access profile(s) (which includes NHS Business Function and NHS job role) - this is assigned to you by your local RA, based uplon your role and responsibilities and is approved by your employing organisation's policy

We collect this personal data from NHS Identity and CIS service to check your identity and provide appropriate role-based access to the EDDI platform. 

We also collect online identifiers, for example, IP address and events logs, and device information for example device type and browser used. 

Collecting this information also allows us to manage our service so that we can:

• manage and improve the service
• provide data in support of the service

NHS Digital has been directed by NHS England to provide the EDDI platform under the COVID-19 Public Health NHS England Directions 2020. 

As NHS Digital processes personal data under the legal direction from NHS England, both organisations are therefore joint controllers for data protection purposes. The legal basis under the Data Protection Act 2018 and General Data Protection Regulation (GDPR) for the processing is explained further below. 

We only collect, use, and share your information when we have an appropriate legal basis to do so. Under data protection law, the use of personal data must be justified under one of a number of legal grounds. The principal legal grounds that justify our use of your personal data are:

• legal obligation: where we need to use your personal information to comply with our legal obligations

GDPR Article 6(1)(c) - the 'processing is necessary for compliance with a legal obligation to which the controller is subject'

This data will be processed:

• by NHS Digital for the purposes of validating your identity and ensuring that you are given appropriate access to EDDI
• by NHS Digital to record your use of the EDDI platform
• by NHS Digital for disclosure and auditing of access to systems as part of our commitment to patients within the Care Record Guarantee, and in accordance with any complaint, investigation or as required by appropriate legislation
• by NHS Digital to complete analysis to ensure that the system meets the needs of the service

EDDI platform will not routinely share your information but may disclose information regarding your activity on EDDI if requested to do so to support an investigation or complaint. 

We may need to share your personal data if we are required to do so by law. 

NHS Digital will also share anonymous aggregated data on how the service is used with the receiving healthcare provider (ED/UTC/SDEC), NHS X and NHS England/Improvement to enable them to monitor service utilisation. 

We take the security of your personal information very seriously. We have set up security measures, policies and procedures to make sure your personal information is protected. 

We protect your personal information by:

• training staff to understand data and security protection
• ensuring security and confidentiality policies are in place for our staff who have access to personal information
• monitoring our service
• following good practice guidance provided by the National Cyber Security Centre and National Technical Authority
• using legally binding agreements with all organisations that we appoint to process your personal information
• restricting access to personal information to only those staff who need access to perform their role

However, no software or application can be completely secure. If you have any concerns that your information could have been compromised, please contact [email protected] 

We store your personal information for as long as it is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice 2021. Find out more about retention periods. 

Your data will:

• be held by EDDI as part of the activity records of user interactions for a period of eight years from the date of interaction at which point it will be subject to review
• not be transferred out of the UK
• not be used for any automated decision making

We respect your rights to access and control the personal data that we hold about you, as required by Data Protection Legislation. 

You have the right to access the data that EDDI holds about you. This should be exercised making a subject access request to NHS Digital. 

You have the right to rectify inaccuracies in your data by contacting the NHS EDDI team via the National Service Desk, either by calling 0300 303 035, emailing [email protected] or by logging a ticket on their self-service portal.

If you wish to review the smartcard data held about you or rectify inaccuracies in this data, information on how to do this can be found in the NHS Identity and CIS Privacy Notice. 

You have the right to complain. If you wish to make a complaint about how we have managed your data, contact details for the Regulator are provided below:

https://ico.org.uk 

You do not have the right to erase your data, object to it being recorded, transport it elsewhere, withdraw consent to its capture or use, or restrict its processing. This is because the capture and processing of this data is necessary for a statutory requirement and the provision of the service. NHS Digital is also legally bound to record this data. 

If you have any questions or concerns about this privacy statement or the way in which we process your data, please contact the NHS EDDI team via the National Service Desk, either by calling 0300 303 035, emailing [email protected] or by logging a ticket on their self-service portal.

To know how your data will be collected, processed and stored, and for what purposes, you can contact our Data Protection Office to make a complaint by emailing [email protected] or by writing to:

Information Governance Compliance Team

NHS Digital
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information. 

The ICO is the UK regulator for data protection and upholds information rights. 

Contact the ICO.