Privacy policy: authorised users of the ICB Access to General Practice Dashboard

This privacy policy (policy) relates to your use of the Integrated Care Board (ICB) Appointments Data Private Dashboard. The dashboard is provided by NHS Digital to authorised users of approved organisations. This policy is intended for authorised users of the dashboard and explains how we will use your personal data in relation to your access to and on-going use of the dashboard.

In this policy, ‘we’ or ‘us’ means NHS Digital. ‘You’ or ‘your’ means you, an authorised user of the dashboard.

This policy tells you what information NHS Digital collects about you and how it is used to provide you with access to and enable your on-going use of the dashboard. It includes information about your rights and how to contact us.

The ICB Appointments Data Dashboard provides information about scheduled activity and usage of GP appointments at ICB, regional and national levels. The aim of the dashboard is to inform users about activity in GP practices in their area and the impact of seasonal pressures for management information.

The Health and Social Care Information Centre, known as NHS Digital, was set up under the Health and Social Care Act 2012 (2012 Act) and is part of the NHS. We securely collect, analyse and share information to improve health and social care services.

Find out more about NHS Digital.

Our Data Protection Officer is Jon Moore, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, and can be contacted via [email protected].

NHS Digital is registered with the Information Commissioner's Office as required by data protection legislation.

NHS Digital is the controller of the personal data that we collect from you for the purposes of enabling and maintaining your access to the dashboard.

Our legal bases for processing your personal information under the UK GDPR are:

• UK GDPR Article 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the Controller is subject, and;
• UK GDPR Article 6 (1) (e) – processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller

Our lawful bases under Article 6 (1) (c) and Article 6 (1) (e) are based on the fact that NHS Digital is required to share the disclosed data within the dashboard to approved organisations in order to meet its legal obligations under Sections 254(1), (3) and (6) of the Health and Social Care Act 2012. Directions given by NHS England requiring NHS Digital to establish and operate a system for the collection of information to be known as the GP appointments data collection.

In order to share the disclosed data lawfully, it is necessary for us to implement certain controls and security measures which necessitate the processing of your personal data, as an authorised user of the dashboard, as described below.

Under the authorised user data access conditions that govern your access to the dashboard, it is necessary for you to provide your personal data for the purposes listed below.

We will not be able to grant you access to the dashboard if you do not provide us with your personal data.

We will process your personal data to: 

• verify your identity and status as an authorised user and employee/agent engaged by an approved organisation
• create and maintain your user profile
• notify you of changes to the dashboard
• notify you of changes to any of the terms and conditions associated with the dashboard
• notify you of any technical issues/changes to the dashboard
• notify you of any other changes or issues that may be relevant to your access to and/or use of the dashboard
• monitor and/or audit your use of the dashboard
• monitor and/or audit the approved organisation's use of the dashboard
• notify the approved organisation and any other relevant third parties should we have any concerns regarding your access to or use of the dashboard
• monitor security and online threats

We will collect the following information about you for the purposes above:

• your name
• your email address/NHSmail address and account details
• the ICB ODS code(s) which you have been granted access to the data for
• Information relating to the frequency and duration of your access to the dashboard, what information you view and when
• data relating to your access credentials such as username and password
• information necessary to operate multifactor authentication

It will also be necessary for us to share your personal information with certain third parties for the purposes of monitoring security and preventing online threats.

In addition, it may also be necessary for us to share your personal information with certain other third parties where we are required to do so by law. We will only share your personal information where we have a legal basis to do so under data protection law.

All information which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of information necessary will be shared.

We will retain your information for audit purposes for six years from the date on which access to the dashboard is terminated (end date). It will then be securely destroyed.

We store and process your personal information in the United Kingdom.

In relation to your personal information, you have the right to:

• be informed about how your personal information is being used
• access the personal information we hold about you
• request the correction of inaccurate personal information we hold about you (in certain circumstances)
• request the erasure of your personal information in certain limited circumstances
• restrict processing of your personal information where certain requirements are met
• object to the processing of your personal information in certain circumstances
• request that we transfer elements of your data either to you or another service provider in certain specific circumstances
• object to certain automated decision-making processes using your personal information (where processing involves automated decision making in relation to your personal data)
• raise a concern with the Information Commissioner's Office at any time
• withdraw your consent to processing (where consent is used as the legal basis for processing)

Please note that some of these rights may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information stored and processed by us.

We want you to feel confident that we look after everyone’s personal data in line with the law. If you have any questions about your rights, you can get in touch with us at: [email protected].

More information about your legal rights can be found on the Information Commissioner’s website.

If you wish to raise a complaint concerning NHS Digital’s processing activity, visit our Contact us page.

You also have the right to raise a concern with the Information commissioner’s Office at any time.

If you have any queries in relation to the use of your personal information, or if you want to exercise any of your rights above, please contact [email protected].

The terms of this policy may change from time to time. Any updates to the policy will be published on the dashboard website.

Version 1 – First Release (current version)