Menu

NHS Health Check Programme privacy notice

We keep this privacy notice under regular review and it was last updated on 10 March 2026.

We respect your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

Who we are

We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.

Under the Health and Social Care Act 2012 Section 12(c), we have a statutory responsibility for public health including NHS Health Checks (NHSHC).

Under Regulation 4.1 of The Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013, Local Authorities have a statutory obligation to offer an NHSHC to all eligible residents, every 5 years.

As part of its response to this duty, we commission:

  • NHS Health Check Programme: Kent GPs invite their eligible patients to an NHS Health Check every 5-years. The health check may be carried out by the GP Surgery or by the local community pharmacy depending on local arrangements
  • NHS Health Check Outreach Service: we commission Randox Health to provide opportunistic NHS Health Checks to eligible residents in community settings and workplaces
  • NHS Health Check System: we commission Health Diagnostics to provide an end-to-end digital system that can identify which patients are eligible for an NHS Health Check, send invitations, record results of the check and ensure that these results are transferred back to the patients GP.

Personal information we collect and use

Information collected by us

The NHS Health Check System has access to select information contained in your patient record at your GP Practice. It uses this information to identify eligible residents and invite them for an NHS Health Check. As part of this process, we may use:

  • personal information, for example, your:
    • name
    • address
    • age
    • date of birth
    • sex
    • NHS Number.
  • contact information, for example, your:
    • telephone number
    • postal address.

The following ‘special category data’ (personal data which is more sensitive and is treated with care and protection) can also be collected as part of this process. We can collect:

  • health and wellbeing information, for example, information on health conditions that may prevent you being eligible for an NHS Health Check
  • equality monitoring information, such as ethnic origin, gender identity or sexual orientation.

Our services also keep records of professionals involved with the services, for example, for mailing lists or training and administration purposes.

We do not receive or process any personally identifiable patient information, this is done by your provider to the extent described in this notice. Our contractual arrangements with our service providers ensure that the grounds on which they may collect, and process data are clear, and there are appropriate arrangements for data security (including a process for dealing with any data breaches) and for the deletion of data when it is no longer required.

Even if we do not receive personally identifiable details about you from our providers, we are a data controller as we determine the manner and processing of the data on behalf of the providers. In some cases, such as with the NHS Health Check Programme, the provider is also a data controller for the patient records, while we control only the records relating to management of the service.

Please refer to the privacy notice of your local GP practice or pharmacy, or contact them if you would like to know more.

The privacy notices for Health Diagnostics and Randox Health can be accessed via the links below:

Read the Health Diagnostics privacy notice.

Read the Randox Health privacy notice.

How we use your personal information

Our provider Health Diagnostics use data from your GP patient record, such as your age and diagnosed health conditions, to determine if you are eligible for an NHS Health Check. Health Diagnostics then send each GP Practice a list of their eligible patients, and GPs decide how many patients to invite for their health check. If you are selected for invite then either your name and address will be shared with a sub-contractor of Health Diagnostics (DocMail) to send you a letter invitation, or your name and mobile phone number will be shared with iPlato to send you an SMS invitation.

This data is processed for health and social care purposes and therefore does not need your consent (see ‘Reasons we can collect and use your personal data’ for more information). However, if you do not want your data to be shared outside of your GP Practice for any reason, including for the benefit of your health, please speak to your GP Practice to find out more.

When you attend an NHS Health Check at a GP Practice, pharmacy or other community venue, the Health Check Advisor will ask you for information regarding your lifestyle and health, and will carry out some medical tests such as a cholesterol test. This data will be recorded and stored securely in the digital system provided by Health Diagnostics.

Data sharing

If your NHS Health Check is undertaken by a provider other than your GP Practice, such as your local Pharmacy or the Outreach Service, then the results of your check will be shared with your GP Practice so that they can be included in your patient record and your GP can follow up where necessary. You will have an opportunity during your appointment to state if you do not wish this to happen.

Depending on the results of your health check, you may be offered referral to other specialist services such as smoking cessation, healthy lifestyle or drug and alcohol services. If you accept this referral, then some personal information, such as your name and contact details, will be shared with the specialist service in order to complete the referral. No information will be shared in this scenario without your consent.

Following your health check, some anonymised information will be shared with us. This allows us to monitor the effectiveness of the programme and to carry out our mandatory reporting requirements by reporting to the Office for Health Improvement and Disparities (OHID) on the number of NHSHC invitations we have sent and then the number of NHSHC’s that have been carried out. It also allows us to pay the Provider for completing you NHSHC. We do not need your consent for this as the information is completely anonymous and no personal data is shared.

This anonymised data is used within the local authority, and the Office for Health Improvement and Disparities (OHID) to:

  • monitor how effective NHS Health Checks are
  • monitor contractual performance of the commissioned services
  • plan and develop services that best meet local needs.

Any information that is submitted for national analysis and publication is anonymous and no personal information is shared.

NHS and Care Services

We have processes in place for considering requests for data disclosures for purposes beyond direct care which is consistent with the national data opt-out policy. Our organisation is compliant with the national data opt-out policy.

To find out more about the NHS’ wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website. If you do choose to opt out, you can still consent to your data being used for specific purposes.

Reasons we can collect and use your personal data

When we collect your personal data, we rely on the following legal bases:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When we collect your ‘special categories of personal data’ (such as health and wellbeing), we rely on the following legal bases:

  • Article 9(2)(h) - processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services
  • Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health.

We rely on the health or social care purposes and public health conditions from Schedule 1 of the Data Protection Act 2018 when relying on Article 9(2)(h) or (i) to process your special category data.

We take the following appropriate safeguards in respect of your special category data when relying on the conditions above:

  • We maintain a record of our processing in our ‘Record of Processing Activities’ and record in it any reasons for deviating from the periods in our retention schedule.

How long your personal data will be kept

Our data processor, Health Diagnostics, will hold your personal information for 3 months following the end date of their contract with us. Once this period has passed, they are required to provide a certificate of destruction to evidence that they are no longer retaining any personal data relating to the contract.

Data that is transferred back to and stored in your GP patient record is subject to the NHS standard data retention requirements which are currently 10 years following a patient’s death.

We do not hold any of your personal information relating to NHS Health Checks.

We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings.

We will share personal information with our legal and professional advisers in the event of a dispute, complaint or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Your rights

Under the UK GDPR you have rights which you can exercise free of charge which allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (subject access request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioners Office
  • withdraw consent at any time (if applicable).

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways.

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the United Kingdom General Data Protection Regulation.

If you would like to exercise a right, contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk .

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Who to contact

Contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk.

UK GDPR also gives you right to lodge a complaint with Information Commissioner, who may be contacted via the Information Commissioner's website or call 03031 231113.

Read our corporate privacy statement.