Terminology server privacy policy

Privacy Notice Applicable to use of the Terminology Server

Your privacy is important to us. This privacy notice covers what personal information we collect and how we use, disclose, transfer and store your information if you choose to use the Terminology Server.

1. Who we are

NHS Digital (now NHS England) was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. We exist to help patients, clinicians, commissioners, analysts and researchers. Our goal is to improve health and social care in England by making better use of technology, data and information.

Find out more about NHS England.

NHS England is the controller for the personal information we process, unless otherwise stated.

2. What personal information we collect about you

We collect your basic personal details needed to process your developer account used to access the API Service , including:

first name
last name
email address
IP address

We also collect technical information needed for security and to set up and manage your account. This includes:

log and audit data
identifiers relating to you and your device

3. Why we collect your personal information

We collect personal information from you to:

create an account so you can access and use the Terminology Server
diagnose problems, understand usage by individuals and manage and improve our service

4. Our legal basis for using your information

The legal basis for processing is

GDPR Article 6 (1e) – Public task - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
DPA 2018: Schedule 1, Part 1, paragraph 2 - Health or social care purpose

5. How we process your personal information

We use OntoCloak as part of the Terminology Server solution, acting only under our instructions and the terms of a legally binding agreement.

6. Who we share your personal information with

We will not share your personal data with other organisations unless required to do so by law.

7. How we protect your personal information

We take the security of your personal information very seriously. We have set up security measures, policies and procedures to make sure your personal information is protected.

We protect your personal information by:

training staff to understand data and security protection
restricting access to personal information to only those staff who need access to perform their role
ensuring security and confidentiality policies are in place for our staff who have access to personal information
monitoring our service to keep your personal information secure
following good practice guidance
using legally binding agreements with all organisations we use to process your personal information on our behalf

8. How long we store your personal information

We store your personal information for as long as is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice for Health and Social Care (2016). The retention periods are explained here.

Category of Information	Retention period
User accounts	Personal information relating to the Terminology Server will be stored for duration of the contracted period of operation for the Terminology Server, after which the data will deleted as part of the decommissioning of the Terminology Server. The personal information within your API Service account is: first name last name email address password Personal information relating to the Terminology Server, for the individual user, will be deleted the user no longer needs to use the Terminology Server. This may occur when NHS England is notified that the user no longer requires access (such as part of the leaver process) or when NHS England carries out housekeeping activities (such as identify dormant accounts).
Log and audit data	Log and audit data are stored for the duration of the contracted period of operation for the Terminology Server, after which the data will deleted as part of the decommissioning of the Terminology Server. This information lets us record: when your account was set up when you use your account details of activities performed when you use your account Log and audit data will be retained on individual user activities, even after the individual user no longer requires access to the Terminology Server, for business and security purposes.

Category of Information

Retention period

User accounts

Personal information relating to the Terminology Server will be stored for duration of the contracted period of operation for the Terminology Server, after which the data will deleted as part of the decommissioning of the Terminology Server. The personal information within your API Service account is:

first name
last name
email address
password

Personal information relating to the Terminology Server, for the individual user, will be deleted the user no longer needs to use the Terminology Server. This may occur when NHS England is notified that the user no longer requires access (such as part of the leaver process) or when NHS England carries out housekeeping activities (such as identify dormant accounts).

Log and audit data

Log and audit data are stored for the duration of the contracted period of operation for the Terminology Server, after which the data will deleted as part of the decommissioning of the Terminology Server. This information lets us record:

when your account was set up
when you use your account
details of activities performed when you use your account

Log and audit data will be retained on individual user activities, even after the individual user no longer requires access to the Terminology Server, for business and security purposes.

9. Where your personal information is stored and processed

We store and process your information in the UK. We will make sure your information is given the level of protection required by law and NHS policies.

10. Your rights

Data protection laws provide you with a number of rights which you can exercise by contacting the controller.

These general rights allow you to:

be informed if your personal data is being used - an organisation must inform you if it is using your personal data
get copies of your data
get your data corrected
get your data deleted
limit how organisations use your data
have data portability
object to the use of your data
object to decisions being made about you without human involvement

You can read more about your rights and when they apply on the Information Commissioner's Office's (ICO) website

11. International transfers of data

We do not transfer your personal data out of the United Kingdom.

12. Contact us

You can contact us by post, telephone or email. More details are available on our contact page.

Our postal address is:

Information Governance Compliance Team
NHS England
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

Telephone: 0300 303 5678

Email: [email protected]

Our Data Protection Officer, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, can be contacted via [email protected].

13. Complaints

You have the right to complain about how we process your personal information. You can do this by emailing [email protected] or you can go through the Information Complaints Office (ICO). The ICO is the regulator for data protection.

14. Changes to our privacy notice

Our privacy notice may change. The latest version of our privacy notice will be accessible through the API Service. We will inform you through your API Service account if we make any material changes to our privacy notice, cookies policy or terms and conditions. This will allow you to refresh your consent if you wish to continue using the API Service.

Cookie policy

What are cookies?

Cookies are files saved on your phone, tablet or computer when you visit a website. They store information about how you use the website, such as the pages you visit. Cookies are not viruses or computer programs. They are very small so do not take up much space.

How we use cookies

We use cookies to make the Terminology Server work generally for all users and specifically how it is configured for the individual user , for example by keeping it secure or to manage performance

Cookies used by the Terminology Service

The following strictly necessary cookies are used:

Snapper

Cookie name	Purpose	Expires
map_terms	Record date of Snapper:Map terms of use acceptance	1 month (although this is moving to 12 months in next release)
author_terms	Record date of Snapper:Map terms of use acceptance	1 month (although this is moving to 12 months in next release)
snomed_terms	Record date of SNOMED terms of use acceptance	1 month (although this is moving to 12 months in next release)

OntoCloak

Cookie name	Purpose	Expires
AUTH_SESSION_ID	Session ID of current authentication session	Session
AUTH_SESSION_ID_LEGACY	Session ID of current authentication session.	Session
KEYCLOAK_IDENTITY	ID of the current user	Session
KEYCLOAK_IDENTITY_LEGACY	ID of the current user	Session
KEYCLOAK_SESSION	ID of the current browser session	1 month
KEYCLOAK_SESSION_LEGACY	ID of the current browser session	1 month

Change your cookie settings

You can use the settings within your browser to determine how cookies are used. You can also update the settings to block certain types of cookers and delete cookies that have been stored on your phone, tablet or computer.

Please note that the disabling of strictly necessary cookies for the Terminology Service may result in a reduced functionality.

How you do this depends on which internet browser you use. To find out, you can consult the help function of your internet browser or visit AboutCookies.org, which describes how to delete or control cookies for different browsers.

You can find more information about cookies at:

AllAboutCookies.org

Your Online Choices