Skip to main content Skip to footer

Data protection

The personal data we use is notified to the Information Commissioner and appears on his Register of Data Controllers (enter Z9395747 in the registration number box).

Subject Access Requests

You can apply for the personal data we hold about you by making a Subject Access Request (SAR):

Make a SAR (apply for your personal data) (270KB)SAR procedure (286KB)

There is a fee of £10 to make a SAR.

Subject Access Request procedure

You’ll need to pay the £10 fee after you have completed the application form.

How to pay

Pay by:

  1. Cheque - make cheques payable to ‘NHSBSA’.
  2. Bank transfer  - for the reference, please put ‘SAR’ followed by your full name
  • Account name: NHSBSA
  • Sort code: 60-70-80
  • Account number: 10021205

After you make an application

We’ll either provide you with a readable copy or allow you to view the personal data which we keep about you.

This will be done within a maximum of the 40 calendar days allowed under the Data Protection Act for the handling of a Subject Access Request.

We will require proof of your identity.

We allow you to challenge the data that we hold about you and, where we agree, you may have the data:

  • erased
  • rectified or amended
  • completed

We reserve the right to refuse to provide you with a copy of your personal data, but will give reasons for our refusal.

If you aren’t happy with our decision

If you aren’t happy with the outcome of your SAR, you can ask for a review. This must be done in writing (including email).

Review procedure (107KB)

Contact us

You can discuss your application by contacting us at:

Information Governance
NHS Business Services Authority
Stella House
Goldcrest Way
Newburn Riverside
Newcastle upon Tyne
NE15 8NY

Telephone: 0191 203 5484
Fax: 0191 264 5281

How we collect and use your personal data

There are several ways that we collect and use your personal data:

  • We collect the personal data that you may volunteer while using our services.
  • We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations.
  • We do not knowingly collect personal data from children.
  • We do not disclose your personal data to other organisations.

If we wish to use your personal data for a new purpose, we’ll contact you to ask for your consent.

Information collected by customer administration

The following information is volunteered by each visitor and is used for customer administration.

Primary personal data Business information Other personal details and profiling data Identifiers
  • Name
  • Gender
  • Address
  • Email address
  • Phone/fax number
  • Employer/organisation
  • Job title
  • Address
  • Email address
  • Phone/fax number
  • Personal details
  • Online identifiers
  • Financial identifiers
  • Identifiers assigned by public bodies

Prescription data (from April 2015)

From April 2015, we are collecting additional information to help us analyse general trends and correlations to support more effective planning of NHS services.

  • Age – to look at prescribing trends by patient age
  • NHS number – to analyse dispensed prescription information by the number of patients

Strongly pseudonymised patient information is securely shared with Public Health England to allow them to fulfil the Secretary of State for Health's statutory duties to protect and improve the health of the population of England.

Patients can only be identified where Public Health England have the legal power to do so. This includes maintaining cancer patient registers, monitoring rare or infectious diseases and congenital abnormalities.

Freedom of Information

The Freedom of Information (FOI) Act gives everybody the right of access to all information held by public authorities.

Find out more about FOI

View our publication scheme