What type of information we have:
The Booking and Referral Standard is an interoperability standard for patient record systems that enables booking and referral information to be sent between NHS service providers quickly, safely and in a format that is useful to clinicians. The data that traverses the NHS England infrastructure in the form of messages is a combination of personal data and special category data. NHS England will only collect audit and monitoring data for the Booking and Referral Standard. Alongside the Standard, information models are developed with the NHS England policy teams that define the booking and service request and confirm the data items that will travel with the request. These information models are typically endorsed by an appropriate body, e.g. PRSB for 111 – ED and the Clinical Reference Group (CRG) for GP-Pharmacy.
The statutory functions of NHS Digital transferred to NHS England under the Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 (Transfer Regulations) with effect from 1st February 2023 (Transfer Date). Under the Transfer Regulations, all directions by either the Secretary of State or NHS England to NHS Digital are now treated as directions made by the Secretary of State to NHS England, except for system delivery directions issued by NHS England to NHS Digital, which come to an end. In such cases NHS England may provide the BARS technical system under Section 2 and Section 1H of the National Health Service Act 2006 (arranging services for the purposes of the health service in England) together with Section 13E (Duty as to improvement in quality of services) and Section 13N (Duty as to promoting integration) and perhaps Section 13YA (Power of NHS England to provide assistance and support).
Service providers on the sending system will collect the following mandatory data items, which will be carried in the payload and used by the receiving system to verify the patients’ details. NHS England will not store these data items.
- Name
- Address
- Postcode
- DOB
There are a number of recommended data items for system suppliers that they can choose to use dependent upon their system configuration. The BaRS system will not store this data:
- Sex
- Gender
- Home phone number
- Mobile phone number
The following data items will be stored in Splunk by NHS England for audit purposes when they are included in a BaRS API request:
Special Category Data
How we get the information and why we have it:
Data items are collected by sending and receiving systems when a sending organisation makes the booking and referral request; they use the API to send the payload to the receiving organisation. System suppliers will have the option to include a number of optional data items based on the relevant information model.
To the extent that any personal data is processed by NHS England in the provision of the BaRS Service, NHS England's lawful basis will be:
- UK GDPR Article 6(1)(c) - legal obligation (the Direction issued under section 254 of the 2012 Act is a legal obligation on NHS England to process personal data from providers to the extent necessary to provide the Booking and Referral Standard Service).
- UK GDPR Article 6(1)(e) - public task in relation to the delivery of the technical system for BARS.
To the extent that any special categories of personal data are processed by NHS England in the provision of the BaRS Service, the Article 9 condition for doing so will be one or both of:
- UK GDPR Article 9(2)(g) - processing is necessary for reasons of substantial public interest, supplemented by:
  - DPA 2018 - Schedule 1, Part 2, (6)(1) - statutory etc and government purposes
- UK GDPR Article 9(2)(h) - processing is necessary for the management of health or social care systems and services, supplemented by:
  - DPA 2018 - Schedule 1, Part 1, (2)(2)(f) - Health or social care purposes.
What we do with the information we have:
NHS England does not collect the personal data directly from patients, except in the case of 111 online, for which NHS England is the controller. The personal data is collected by the sending and receiving systems to enable a booking and referral to be made using the BaRS API. The data that traverses the NHS England infrastructure in the form of messages (payload) is a combination of personal data and special category data. NHS England will only collect BARS API transactional data for the Booking and Referral Standard.
How we store your information:
NHS England is the trusted national provider of high-quality information, data and IT systems for health and social care. Information is the core business of NHS England and it is NHS England's duty to keep information safe.
An information asset has been created for the Booking and Referral Standard and an Information Asset Owner (IAO) assigned. An IAO is a senior member of NHS England staff who is responsible for the management of the information asset created and utilised by their team. The IAO role is mandatory across all government departments.
NHS England does not collect patients' personal data. The only data that will be stored by NHS England is BaRS API transactional data in Splunk, which will be stored for 90 days only.
Your data protection rights:
Under data protection law, you have rights including:
Your right to be informed - You have the right to be informed about when your personal data is being used.
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
If you would like to make a request, please contact us at [email protected].
Further Information:
Further information on how NHS England is keeping patient data safe is available here.
We may make changes to this Privacy Notice. If we do, the 'last edited' date on this page will also change. Any changes to this notice will apply immediately from the date of any change.
Last edited: 22 February 2024 12:20