Privacy Policy – My Planned Care NHS

Our privacy policy

Your privacy is important to us. This privacy policy covers what we collect and how we use, disclose, transfer, and store your information.

What information do we collect when you use this website?

When you use this NHS website, we use various technologies to collect information automatically – such as your IP address. This is commonplace across all internet services to enable the investigation of issues such as service availability and the identification of malicious use. This information is then kept in our internet access logs.

How do we use the information we collect about you?

We analyse information to see what is most effective about our website and associated services to help us identify ways to improve it and to make it more effective. We may also use information for other purposes, which we would describe to you at the point when we collect the information.

Third-party services

If you turn on cookies that measure website use (on our cookies page) we may use the following services on this NHS website:

New Relic provides information on how well our site is working.
Google Analytics collect information about how you use our website, to help us make it better. For more information about how these services process your data, see Google Analytics privacy policy.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

Cookies

Our website uses cookies. These are small files saved on your phone, tablet, or computer when you visit a website. They store information about how you use the website, such as the pages you visit.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission before we can use them on your device.

For further information or to manage your settings see Cookie Policy.

How long do we hold this information?

Unless otherwise stated, business information that falls under NHS Digital is held for a minimum of 3 years and will be subject to review. We will hold the information for as long as we are providing you services.

Do we share information?

We strive to capture the minimal amount of personal data, and only share with other organisations where the law permits us to do so or where we require and have gained your consent
We only share information with our authorised Data Processors for the sole purpose of processing the data in connection with the service we have procured from them. These processors must always act on our instructions as the Data Controller under the Data Protection legislation
We do not sell individuals’ information
We host health information campaigns on behalf of Public Health England, where we are Data Processors. These campaigns may have separate privacy terms and consent requirements
Before you submit any information, you will be informed why we are asking for specific information and it is up to you whether you provide it

How can you access, amend, or withdraw the personal data you have given us?

To get in touch about these rights, please contact us via the Data Controller details. We will seek to deal with your request without undue delay, and in any event within 1 month (subject to any extensions to which we are lawfully entitled).

*Please note that we may keep a record of your communications to help us resolve any issues that you raise.

Right to object

If we are using your data because we have a legal basis to do so under the Health and Social Care Act, and you do not agree, you have the right to object. We will respond to your request within the required time frame (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply
this right enables you to object to us processing your personal data where we do so for one of the following reasons: (i) to enable us to perform a public task or exercise official authority; (ii) to send you direct marketing communications; and (iii) for research or analytical purposes

Right to withdraw consent

Where we have obtained your consent to process your personal data, or consent to send you information, you may withdraw your consent at any time and we will cease to carry out the particular activity that you previously consented to, unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.

Data access requests

You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request.

If we provide you with access to the information we hold about you, we will not charge you for this. If we refuse your request for any legitimate reason, we will always tell you the reasons for doing so.

Right to remove

In certain situations, you have the right to request us to “remove” your personal data. We will respond to your request within the agreed timeframe (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply.

If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on a register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Normally, the information must meet one of the following criteria:

The data is no longer necessary for the purpose for which we originally collected and/or processed it
Where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing
The data has been processed unlawfully (i.e. in a manner that does not comply with existing Data Protection regulations)
It is necessary for the data to be deleted for us to comply with our legal obligations as a data controller

We would only be entitled to refuse to comply with your request for one of the following reasons:

To exercise the right of freedom of expression and information
To comply with legal obligations or for the performance of a public interest task or exercise of official authority
For public health reasons in the public interest
For archival, research or statistical purposes
To exercise or defend a legal claim. When complying with a valid request for the removal of data, we will take all reasonably practicable steps to delete the relevant data.

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances.

This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important public interest.

The circumstances in which you are entitled to request that we restrict the processing of your personal data are:

Where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified
Where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data
Where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it
Where we have no further need to process your personal data, but you require the data to establish, exercise or defend legal claims

If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

Right to rectification

You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort.

Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Purpose and legal basis for processing

NHS Digital operates the NHS website as directed by the Electronic Prescription Service, Health and Social Care Network, N3, NHS e-Referral Service, Secondary Use Service (SUS), Spine 2 (Named Programmes) Directions 2016 under the powers of sections 254(1) and (6), 274(2), 304(9) and (10) of the Health and Social Care Act 2012.

This direction supplements the Health and Social Care Information Centre (Systems Delivery Functions for the NHS website and Additional Systems Delivery Functions for the NHS website) Directions 2013.

Keeping information secure

We invest significant resources to protect your personal information, from loss, misuse, unauthorised access, modification, or disclosure. However, no internet-based site can be 100% secure and so we cannot be held responsible for unauthorised or unintended access that is beyond our control.

The NHS website Data Controller

The Health and Social Care Information Centre (known as NHS Digital) is the Data Controller for the NHS website.

If there are any queries regarding this privacy policy, you may contact us using the information below:

Information Governance Compliance Team
NHS Digital
1 Trevelyan Square
Boar Lane
Leeds LS1 6AE

or email [email protected].

In some cases, the NHS website is acting as a Data Processor on behalf of another Data Controller e.g. Health Campaigns by Public Health England

We will process your data in accordance with the Data Protection regulations in force in the UK at the time

You are entitled to know whether we hold information about you and, if we do, to have access to that information and require it to be corrected if it is inaccurate

You also have the right to lodge a complaint with the Information Commissioner’s Office. Contact the ICO.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.

Cookie	Duration	Description
hustle-hide-module	5 mins	Used for the Closing Behavior functionality of a pop-up.
inc_optin_never_see_again	1 year	Used for the "Never see this again" functionality of a pop-up
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_D8DM7PW0Z0	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
ANONCHK	10 minutes	Microsoft Clarity sets this cookie to indicate whether MUID is transferred to ANID, a cookie used for advertising. Clarity doesn't use ANID and so this is always set to 0.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
MR	7 days	Microsoft Clarity sets this cookie, to indicate whether to refresh MUID.
MUID	1 year 24 days	Microsoft Clarity sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.

Cookie	Duration	Description
MUID	1 year 24 days	Microsoft Clarity sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.