Secondary Care Electronic Prescribing and Medicines Administration (ePMA)
Summary
Why and how we process your data in the Secondary Care ePMA (Electronic Prescribing and Medicines Administration) Data Collection, and your rights.
Controller | Under the UK General Data Protection Regulation (UK GDPR), NHS England is the controller of your personal data where we have been told to collect and use your data by law (we have a legal obligation). The Secretary of State for Health and Social Care has issued NHS England with a legal document, called Directions, which instructs NHS England to collect and analyse Secondary Care ePMA data. This means we are a joint controller with the Department of Health and Social Care, which is a government department the Secretary of State for Health and Social Care holds responsibility for. Where we share data, NHS England is usually the sole controller, unless we have been directed to share the data by the Secretary of State, in which case we will be joint controllers with the Department of Health and Social Care. |
How we use the information (processing activities) | NHS England collects patient-level (identifiable) data for medicines prescribed and administered to patients by secondary care providers (such as hospitals) in England when this is recorded on electronic Prescribing and Medicines Administration (ePMA) systems. We aim to improve the usefulness of this data by assessing the data coding and providing data quality reports back to the secondary care provider who submitted the data to NHS England. We will also make the data available to approved NHS organisations, or other organisations that have been directly commissioned by the NHS, for analysis to inform health care planning and commissioning. |
Does this contain sensitive (special category) data such as health information? | Yes |
Who are recipients of this data? | Data from this collection will be available through NHS England’s Data Access Request Service (DARS) to applicants that have a lawful basis to process this data and where the use of the data is in line with the purposes of or otherwise permitted by the Directions. Where a DARS application is approved, data will only be shared for analysis through a Secure Data Environment, in line with NHS policy on Secure Data Environments. Analysis and linkage by NHS England will be carried out to support medicine optimisation, and build intelligence on the effectiveness and safety of medicines. |
Is data transferred outside the UK? | No. This data is not transferred out of the UK. |
How long the data is kept | We will keep your personal data for as long as is necessary for the purposes outlined above in accordance with the NHS Records Management Code of Practice 2021. An initial retention period of 8 years has been decided for this data collection. At the end of this retention period a review will take place to decide whether the data collection is still required. The review will consider serious incidents which require records to be retained for up to 20 years as set out in the Code; use of the record during the retention period which could extend its retention; potential for long-term archival preservation in a Place of Deposit - this may particularly be the case where the records relate to rare conditions or innovative treatments, for example, new cancer treatments. The review might also determine the data is no longer needed and should be securely deleted. Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites. NHS England’s Data Access Request Service will determine retention periods for each application. |
Our lawful basis for holding this data | Legal obligation |
Your rights |
|
How can you withdraw your consent? | Not applicable – we do not rely on consent as our legal basis for processing. |
Is the data subject to decisions made solely by computers? (automated decision making) | No |
Where does this data come from? | We collect this data from secondary care provider organisations (e.g., hospitals) in England, where information about medicines prescribed and administered in this setting is recorded electronically in the hospital’s main ePMA system. For example, where a patient has been given medicine whilst an inpatient or outpatient, or on discharge from hospital, the data about what medicines they have been given is part of this collection, if the hospital records that electronically in their main system. Some hospitals have more than one ePMA system, for example a secondary system for cancer care, paediatrics, or maternity. We are not collecting data from those secondary ePMA systems. |
The legal basis for collecting this data | NHS England has been issued a legal document, called Directions, by the Secretary of State for Health and Social Care which places a legal obligation on NHS England to collect and analyse secondary care ePMA data. These Directions are issued to NHS England under section 254 of the Health and Social Care Act 2012 and are called the Secondary Care ePMA Directions 2024. Our legal basis under the UK GDPR and Data Protection Act 2018 (DPA 2018) is:
|