NHS Health Check: GDPR information

Summary

Why and how we process your data in the NHS Health Check system, and your rights.

Controller

NHS England (in relation to processing the personal data) and the Department of Health and Social Care (DHSC) (in relation to determining the purpose for processing the data through the issuing of a Direction to NHS England).
How we use the information (processing activities)

NHS Health Checks data allows the Office for Health Improvement and Disparities (OHID) to monitor and evaluate the NHS Health Check programme and inform better decisions on its delivery.

The NHS Health Check is a risk assessment, awareness and management programme for adults in England aged 40-74. It is designed to reduce a person’s chance of developing preventable, non-communicable diseases such as kidney disease, heart disease, type 2 diabetes, lung disease and some forms of dementia. It does this by assessing the top seven risk factors driving the burden of non-communicable disease in England and supporting people to reduce their risk through behaviour changes and/or clinical management.

The purpose of the extract is to monitor access to and uptake of the programme by different populations, the quality of implementation and the impact on population outcomes. This has helped to focus and optimise the programme locally and nationally. OHID uses the data to:

  • understand the variation of uptake across areas; for example: by local authority, ICB and across different demographic groups
  • understand the variation in implementation of the programme across different areas; and
  • assess the impact of NHS Health Checks and outcomes of patients following their interaction with the programme

The analysis is used to assess the performance and benefits of the programme, so that its future direction can be informed. 

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

Office for Health Improvement and Disparities (OHID)

Is data transferred outside the UK? No
How long the data is kept

NHS England will retain the data for a minimum of 6 years following the date at which the information is no longer considered to be required in accordance with the NHS England Records Management Policy and Records Retention and Disposal Schedule.

Our lawful basis for holding this data

Legal obligation
Your rights
  • ✓ Be informed
  • ✓ Get access to it
  • ✓ Rectify or change it
  • ✗ Erase or remove it
  • ✓ Restrict or stop processing it
  • ✗ Move, copy or transfer it
  • ✗ Object to it being processed or used
  • ✗ Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is not the basis for processing. Type 1 objections are applied.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? General practices in England
The legal basis for collecting this data

NHS England’s lawful basis for processing personal data is:

NHS England's lawful basis for processing special categories of personal data is:

  • UK GDPR Article 9(2)(h) - the management of health or social care systems and services, supplemented by:
  • Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2(2)(f) – the management of health care systems or services or social care systems or services

Where we use this data

internal

NHS Health Checks

NHS Digital, acting on behalf of Public Health England (PHE), will be collecting information about the numbers of people who are invited to an NHS Health Check and either attend or do not attend.