GDPR Compliance
Last Updated: November 2025
1. Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations operating in the European Union (EU) and the United Kingdom (UK). NHS Forms is fully compliant with GDPR requirements and is committed to protecting the privacy and rights of all data subjects.
2. Data Controller and Data Processor Responsibilities
2.1 Data Controller
Your organization (the NHS board or healthcare entity) is the Data Controller when using NHS Forms. As the Data Controller, you are responsible for:
- Determining the purposes and means of data processing
- Ensuring lawful basis for processing
- Obtaining and maintaining records of consent (where required)
- Responding to data subject requests
- Conducting Data Protection Impact Assessments (DPIA) where necessary
- Notifying the Information Commissioner's Office (ICO) of any data breaches
2.2 Data Processor
NHS Forms acts as a Data Processor on your behalf. We are responsible for:
- Processing data only as instructed by you (the Data Controller)
- Implementing appropriate technical and organizational measures to ensure security
- Ensuring all staff sign confidentiality agreements
- Notifying you without undue delay in the event of a personal data breach
- Providing evidence of compliance upon request
- Assisting you in meeting your responsibilities as the Data Controller
3. Legal Basis for Processing
NHS Forms supports multiple legal bases for data processing:
3.1 Consent
- Users provide explicit, informed consent to data processing
- Consent forms are pre-populated with transparent information
- Users can withdraw consent at any time
3.2 Contract
- Processing necessary to perform a contract with the data subject
- Data processing is essential to provide the requested service
3.3 Legal Obligation
- Processing required by UK healthcare law (NHS Act 2006, Health and Social Care Act 2008)
- Compliance with Care Quality Commission (CQC) requirements
- NHS financial and operational regulations
3.4 Vital Interests
- Processing necessary to protect the vital interests of data subjects in healthcare contexts
- Limited to situations where the data subject is incapable of giving consent
3.5 Public Task
- Processing necessary for the performance of a task carried out in the public interest
- NHS organizations perform tasks in the public interest by providing healthcare
4. Data Subject Rights
We respect all GDPR rights of data subjects. If you receive a request for any of the following, please contact us at privacy@nhs-forms.com:
4.1 Right of Access
Data subjects can request a copy of the personal data we hold about them. We will provide this within 30 days of the request.
4.2 Right to Rectification
Data subjects can request corrections to inaccurate personal data. We will make corrections within 30 days.
4.3 Right to Erasure (Right to be Forgotten)
Data subjects can request deletion of their personal data under certain conditions, except where we have a legal obligation to retain it.
4.4 Right to Restrict Processing
Data subjects can request that we limit how we use their personal data while a dispute is resolved.
4.5 Right to Data Portability
Data subjects can request their data in a structured, commonly used, machine-readable format for transfer to another organization.
4.6 Right to Object
Data subjects can object to processing for marketing, profiling, or other purposes.
4.7 Rights Related to Automated Decision Making
Data subjects have rights regarding automated decision-making and profiling. NHS Forms does not use automated decision-making.
5. Data Processing Agreements
All organizations using NHS Forms should have a Data Processing Agreement (DPA) in place. Our standard DPA includes:
- Scope of processing activities
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Duration of processing
- Responsibilities of controller and processor
- Sub-processor information
- Security measures implemented
- Breach notification procedures
- Data subject rights support
- Audit and compliance verification procedures
6. Data Protection Impact Assessment (DPIA)
Organizations processing large amounts of personal data or sensitive health information should conduct a DPIA. NHS Forms provides:
- Documentation of data flows
- Description of security measures
- Risk assessment templates
- Mitigation strategies for identified risks
- Support for DPIA documentation
7. Data Security and Protection
7.1 Encryption
- End-to-end encryption using AES-256 for data at rest
- TLS 1.3 for data in transit
- Encryption keys managed separately from data
7.2 Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for admin access
- Principle of least privilege
- Regular access reviews and audits
7.3 Data Residency
- All personal data stored in UK data centers
- No data transfers outside UK/EU without explicit consent
- Compliance with UK GDPR post-Brexit requirements
7.4 Audit Logging
- Comprehensive logging of all data access
- Logs retained for a minimum of 7 years for NHS compliance
- Real-time alerts for suspicious activity
- Regular audit log reviews
8. Data Breach Notification
In the event of a personal data breach, NHS Forms will:
- Notify you without undue delay, and no later than 72 hours after becoming aware of the breach
- Provide details of affected data subjects and data types
- Describe the likely consequences of the breach
- Outline measures taken to mitigate harm
- Provide contact information for further details
- Support your notification to the ICO and affected individuals if required
9. Sub-Processors
NHS Forms uses the following sub-processors for data processing:
- Cloudflare: Content delivery and DDoS protection (UK data centers only)
- AWS UK: Backup and disaster recovery (UK region only)
- Monitoring Services: Security and performance monitoring
Organizations are notified of sub-processor changes and can object to new sub-processors.
10. International Data Transfers
NHS Forms does not transfer personal data outside the United Kingdom. All data remains within UK data centers compliant with UK GDPR requirements. We do not rely on Standard Contractual Clauses (SCCs) or other transfer mechanisms as data is not transferred internationally.
11. Consent Management
If your forms require explicit consent, NHS Forms provides:
- Pre-populated consent statements
- Clear, accessible language about data use
- Granular consent options for different purposes
- Records of when and how consent was obtained
- Easy consent withdrawal mechanisms
- Audit trail of consent changes
12. Children's Data Protection
If your forms collect data from children (under 18 in the UK), NHS Forms ensures:
- Parental consent is obtained for users under 13
- Age verification mechanisms are in place
- Privacy notices are provided in child-friendly language
- Data is protected with enhanced security measures
13. Compliance Support
NHS Forms provides organizations with support for GDPR compliance including:
- Data Processing Agreement templates
- Privacy impact assessment support
- Audit logs and compliance reporting
- Training materials for staff
- Regular compliance updates
- Direct support from our Privacy Team
14. Contact Information
For GDPR compliance questions, please contact:
- Email: gdpr@nhs-forms.com
- Privacy Team: privacy@nhs-forms.com
- Support: support@nhs-forms.com
15. Regulatory Authority
If you have concerns about how NHS Forms handles your data, you can lodge a complaint with the Information Commissioner's Office (ICO):
- Website: www.ico.org.uk
- Phone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF