NHS Digital is directed by the Secretary of State for Health and Social Care, under powers conferred by the Health and Social Care Act 2012 and regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013.
The relevant directions are the Health and Social Care Information Centre (Spine Services) (No.2) Directions 2014, and the Novation of Information and Technology Contracts from DH to NHS Digital: Electronic Prescription Service, Health and Social Care Network, N3, NHS Choices, NHS e-Referral Service, Secondary Uses Service (SUS), Spine (Named Programmes) Directions 2016.
Because NHS Digital processes personal data under the legal direction of the Secretary of State, the organisations are joint controllers for data protection purposes. Acting under NHS Digital’s delegated authority, local RAs are also joint controllers with NHS Digital. The legal bases under the Data Protection Act 2018/General Data Protection Regulation (GDPR) for the processing are explained here.
RA processing of personal data:
GDPR Article 6(1)(c) – the ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
RA processing of special category data (sensitive personal data):
GDPR Article 9(2)(h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.
Data Protection Act 2018, schedule 1, part 1, paragraph 2, sub paragraph (2), sub paragraph (f) – ‘the management of health care systems or services or social care systems or services’.
Secretary of State processing of personal data:
GDPR Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
We only collect, use and share your information when we have an appropriate legal basis to do so.