NHS service standard - 9. Respect and protect users’ confidentiality and privacy

Evaluate what data and information your service will be collecting, storing and providing.

Identify and address security threats, legal responsibilities, confidentiality and privacy issues and risks associated with the service. Consult experts where you need to.

Why it's important

The NHS handles some of the most sensitive personal data. It has a legal duty to protect this information. Failing to do so would undermine public trust in the health service.

What you should do

Your team should be able to show that you:

  • collect and process users' personal information in a way that's secure and respects their privacy
  • have appropriate processes in place to protect the public and NHS staff, for example, if you manage user generated content
  • comply with the General Data Protection Regulation (GDPR)
  • have an appropriate privacy policy in place when you launch your service
  • if appropriate, undertake and publish a data protection impact assessment (DPIA)
  • are aware of and, if appropriate, comply with NHS specific guidance on data security and information governance
  • actively identify security and privacy threats to the service and have a robust, proportionate approach to securing information and managing fraud risks
  • have a plan and budget that lets you manage security during the life of the service (for example, by responding to new threats, putting controls in place and applying security patches to software)
  • use the NHS login and NHS identity programme, if your service needs identity assurance and authentication
  • work with business and information risk teams (for example, senior information risk owners and information asset owners) to make sure the service meets security requirements and regulations without putting delivery at risk
  • carry out appropriate vulnerability and penetration testing


GOV.UK resources

Read more about this

Help us improve this guidance

Share insights or feedback and take part in the discussion. We use GitHub as a collaboration space. All the information on it is open to the public.

If you've gone through a service assessment or peer review, we're especially interested to hear from you.

Read more about how to feedback or share insights.

If you have any questions, get in touch with the service manual team.

Updated: July 2021