NHS Notify transparency notice

This transparency notice explains for the NHS Notify service: 

• why we collect information about you (we call this “personal data”) 

• what we do with it, including who we share it with 

• how long we keep it for and where we store it 

• our legal basis for using it 

• what your data protection rights are

To read more about how NHS England uses personal data to improve health and care, see Transparency Notice: how we use your personal data.

NHS England are responsible for the NHS Notify service, which centralises and standardises the way that NHS England services send communications to patients and the public about their health and care. 

The NHS Notify service will be capable of being used by (referenced as consuming organisations): 

• NHS England

• any public body which exercises functions in connection with the provision of health services or of adult social care in England

• any person (other than a public body) who provides health services, or adult social care in England, pursuant to arrangements made with a public body exercising functions in connection with the provision of such services or care

• any person who undertakes health or adult social care research

The purpose of the NHS Notify service is to: 

• deliver a communication service that facilitates communication with patients, recipients of adult social care and the public on behalf of the consuming organisations  

• collect and analyse data required to support consuming organisations in the use of the service

• enable the use of anonymised statistical data, including through analysis and linkage of data, to support service delivery management, monitoring and improvement, and to provide status reports to consuming organisations and inform improved consuming organisation communications

The NHS Notify service will provide communications (including for the purposes of supporting accessibility) securely, simply and easily through a variety of digital channels including but not limited to NHS App, SMS and email and physical channels and including but not limited to letters, packages, leaflets and test kits either individually or as part of a defined cohort. 

If you are an NHS App user, NHS Notify may send you messages relating to your health and care through the NHS App Messaging Service. The NHS App Messaging Service is provided by NHS England. For further information see the NHS App and Account privacy policy.

The NHS Notify service is responsible for: 

• receiving contact lists for intended recipients from consuming organisations and validating the intended recipient of communications to ensure the right person receives communications (including consideration of patients with restricted access) and to obtain their contact information 

• the sending of the communication through either the NHS App Messaging service, or by other delivery methods such as SMS text message, email, or letter using third-party communication suppliers (data processors) 

• keeping an audit log of communications sent, delivery status and associated metadata 

• supporting data accuracy of contact information within the Personal Demographics Service (PDS)

Any consuming organisation, including NHS England services that use the NHS Notify service, is responsible for:  

• deciding who needs to be sent a communication 

• the content of the communication and when it needs to be sent 

• the delivery method (for example by NHS App, SMS text message, email, or by letter)

• having a legal basis to send communications to patients and the public about their health and care 

This transparency notice should be read in conjunction with the transparency notices of the NHS England services that use the NHS Notify service: 

For consuming organisations outside of NHS England, refer to their transparency or privacy notice. 

Under data protection law, NHS England is the controller for the NHS Notify service. This means that we make decisions about what personal data we need to collect and how we will use your data to provide this service.

To run the NHS Notify service, we process the following data to support sending of communications: 

The NHS Notify service receives data from: 

• the NHS Personal Demographics Service (PDS) - we check the information held on the PDS to make sure we are contacting the correct person and retrieve your contact information to be able to send you communications
• consuming organisations who use the NHS Notify service provide us with information on who needs to be contacted, the content of the communication, when it needs to be sent and the delivery method (for example by NHS App, SMS text message, email, or by letter)
• data processors - our service uses third-party communication suppliers (data processors) to send you the communication. They provide us with data on the number and type of messages delivered which is used for analysis, audit and reporting purposes

We use your data to: 

• support sending you a message or push notification on your NHS App, or by email, SMS text notification or letter
• answer enquiries and investigate issues with the service - if any consuming organisation contacts NHS Notify about any issues they are having with the service, we may need to process your data to investigate and resolve any issues
• make improvements to the service - we monitor how the NHS Notify service is operating to understand how well it is working and what service improvements may be needed. This also includes sharing the analysis of the activity of sending communications via NHS Notify back with the NHS England service that use NHS Notify
• support data accuracy of contact information held in PDS - if data is found to be inaccurate following NHS Notify activities, PDS are informed so remedial activities can be progressed by the PDS team to obtain the correct data and update PDS

Data protection law requires NHS England to have a legal basis before we can use your personal data. 

Under Section 254 of the Health and Social Care Act 2012, the Secretary of State has directed us to deliver the NHS Notify service. Therefore, our legal basis to provide the NHS Notify service is:  

• UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject (the Directions)

We also need an additional legal basis in the UK GDPR and the Data Protection Act 2018 (DPA 2018) to process data which is extra sensitive. This is known as ‘special categories of personal data’. As the contents of the communications we send may include (or infer) information relating to your health or interaction with healthcare services, our legal basis to process this data is:  

• health or social care – Article 9(2)(h) of UK GDPR, plus Schedule 1, Part 1, Paragraph 2 “Health or social care purposes” of DPA 2018 

All consuming organisations (including NHS England services) that use the NHS Notify service have a legal basis to send communications relating to your health and care. This will be explained in each consuming organisation's respective transparency or privacy notice.

Data processors 

The NHS Notify service uses third-party communication suppliers (our data processors) to send the communications. We have contracts in place with each data processor so that they can only use, store and keep the data in accordance with our instructions and cannot use the data for any other purposes. 

The NHS Notify service keeps your data in accordance with the Records Management Code of Practice 2021 and our Records Management Policy.

See our retention periods for this service. 

There are different retention periods for the data held in PDS and the NHS App. To learn more, read the: 

• PDS privacy policy 
• NHS App privacy policy 

We (including our data processors) securely store your data on UK servers or countries on the UK’s data adequacy list. 

Under data protection law, you have the following rights over your data for this service: 

To make a rights request, email us at [email protected].

Opt-outs 

Depending on the purpose of communications you receive from a consuming organisation, you may have the right to opt-out of being contacted. You should contact the consuming organisation directly to discuss your preferences. 

Consuming organisations are responsible for the application of right to object under Article 21 of UK GDPR where their legal bases for processing is Article 6(1)(e) – Public Interest or Article 6(1)(f) legitimate interest in relation to their processing of personal data to send communications using the NHS Notify Service. 

National data opt-out 

Where you are sent communications by consuming organisations using the NHS Notify service, they are responsible for the application of the national data opt-out and they should apply the national data opt-out in line with the national data opt-out operational policy guidance. 

For consuming organisations with research purposes under a s251, where the consuming organisation does not have access to the national data opt-out for application, NHS England will apply the national data opt-out on their behalf. 

If you have any questions or concerns about the communications you receive from consuming organisations that use the NHS Notify service, you are advised to contact these organisations directly.  

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at [email protected]. 

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or making a complaint online. 

We may make changes to this policy. If we do, the 'last edited' date on this page will also change. Any changes to this policy will apply immediately from the date of any change.