Skip to main content Skip to footer


The NHS Business Services Authority (NHSBSA) provides services on behalf of the NHS.

As Data Controller, we are responsible for how your information is used and explaining that to you.

Why we process your information

By law, we must process your information on behalf of the NHS to be able to provide our services.

Depending on the service, this could be to:

  • process applications for help with health costs
  • discuss your application with you
  • check your claim for help with NHS charges
  • process payments to you
  • administer an NHS payment scheme
  • prevent and detect fraud and errors
  • help plan and make improvements to NHS services and direct patient care

We may contact you about taking part in surveys and research to learn what you need from our services. 

Sharing your personal information

We may share your information with other organisations:

  • as required by law
  • to prevent and detect fraud and mistake
  • to make payments to NHS Service providers
  • to secure the effective and efficient delivery of NHS and related services
  • for benefits and tax administration
  • as part of an appeal
  • acting on our behalf

Details of the organisations we share with can be found in the specific privacy notice of each of our services.

Your information will not be transferred outside the UK or European Economic Area, unless this is stated in the privacy notice of the service you use.

Keeping your personal information

Your personal data will be deleted or anonymised when we no longer need to be able to identify you from that information.

Your rights

The information you provide will be managed as required by Data Protection law.

You have the right to:

  • receive a copy of the information we hold about you
  • request your information be changed if you believe it was not correct at the time you provided it
  • request that your information be deleted if you believe we are keeping it for longer than necessary

You have other rights depending on which service you use. Find these in the specific privacy notice for each service.

We comply with the national patient data opt-out. This applies when you can be identified in patient information shared for NHS Health Research Authority authorised research.  

All other uses of your information are exempt from the national data opt-out. This is because:

  • the law requires that NHS prescription and dental information is provided to the NHSBSA to be processed
  • you have consented to the NHSBSA sharing your information as part of a research project

You can view or change your national data opt-out choice online or by calling 0300 303 5678.

Find out about call charges

Request a copy of your personal information

The easiest way to make a request is by using our subject rights request portal:

Alternatively, you can contact us using the details shown in the Contact us section on this page.

We follow the Subject Rights Request Procedure (Word: 252KB) when we receive your request and will respond within 1 month. If you are not happy with our response, you can request a review (PDF: 187KB).

Contact us

If you have any queries, or want to request that we change or delete your information, contact us:

Data Protection Officer
Information Governance
NHS Business Services Authority
Stella House
Newcastle upon Tyne
NE15 8NY


Data Protection Officers are responsible for upholding your rights and making sure we process your information correctly. 

Concerns about how we are using your information

If you have any concerns about the processing of your information, contact the Data Protection Regulator:

Information Commissioner’s Office
Wycliffe House

Tel 0303 123 1113


How each of our services use your information

You can view the privacy notices for each of our services: