This page contains information on how your data is kept safe by The Data Hub. We also have a dedicated page on how our ICB uses your information and our privacy notice.
We understand that your health information is personal and private. Protecting it is one of our highest priorities. Our cloud-based Data Hub helps health and care teams work together to provide better care, but we know this only works if you can trust us to keep your data safe.
We use multiple layers of protection to make sure your information stays private and secure. More details on what this means can be found below.
The NHS is moving towards modern, cloud-based systems because they are more reliable, faster, and allow different parts of the health and care system to share information safely when needed. This means your care can be better coordinated, reducing delays and improving services.
We follow national NHS security requirements, including:
- Zero Trust Architecture – a modern approach that assumes nothing is safe by default and checks every access request.
- NHS Data Security and Protection Toolkit (DSPT) – the NHS benchmark for data security.
- National Cyber Security Centre (NCSC) guidance – the UK’s gold standard for cyber protection.
Your data is scrambled using advanced encryption so it can’t be read by anyone who shouldn’t see it:
- In transit – when your data moves between systems, it’s protected using secure connections.
- At rest – when stored in the cloud, it’s encrypted using AES-256, the same level of security used by banks.
Only the right people can see your data. We use:
- hardware security keys and, for the most sensitive accounts, physical security tokens.
- role-based access, which means staff only see what they need for their job.
- Multi-Factor Authentication (MFA). Even if a password is compromised, extra checks keep accounts safe.
Your personal information (like your name and address) is stored separately from your health data. This means:
- If one part of the system was ever compromised, it wouldn’t reveal your full record.
- We also use pseudonymisation (replacing personal information with a random code) and anonymisation wherever possible to ensure that it’s not possible to identify you from the data.
We continue to monitor and test our security systems using:
- automatic updates – security patches are applied quickly to keep systems safe.
- 24/7 monitoring – our systems are constantly checked for unusual activity.
- regular automated and ad-hoc vulnerability scans and penetration tests, including by independent experts.
Our cloud environment is built with multiple layers of defence:
- No public endpoints – services are hidden from the outside world unless absolutely necessary.
- Firewalls and network segregation – to block unauthorised access.
- Private connections – most data flows through secure NHS networks (HSCN), not the public internet.
We know that in the past, NHS data-sharing projects have raised concerns about privacy and transparency. We’ve learned from those experiences. That’s why:
- we are open about how your data is used and give you clear ways to find out more.
- we only share data when it’s necessary for your care or when the law allows it.
- every use of data is reviewed and approved through strict governance processes.
If something does go wrong, we have a clear process to respond quickly, investigate, and learn from any incident.
Policies
The Data Hub holds a comprehensive set of policies designed to effectively govern access and usage. These policies specify who can perform particular actions on specific resources, ensuring precise control over data and platform privileges.
All policies are centrally available within the Data Hub and are reviewed regularly to ensure they remain relevant and effective. This review process is overseen by the Information Governance team, who ensure policies align with compliance requirements and organisational standards. Reviews take place at least annually or whenever significant changes occur, maintaining robust and responsive governance.
To promote transparency and accountability, each policy includes clear documentation of ownership, version control, and review dates. This structured approach supports consistent enforcement and continuous improvement of governance practices.
- Data Hub Acceptable Use Policy
- Data Hub Access Policy
- Data Hub Anonymisation and Pseudonymisation Policy
- Data Hub Disaster Recovery Policy
- Data Hub Records Management Policy
- Data Hub Security Policy
Privacy notice
The Data Hub’s privacy notice tells you about information we collect and hold about you, why we have it, how we look after it and who we might share it with.
A local Integrated Care System (ICS) is a collaboration of local health and care organisations working together to improve the health, wellbeing and care of people living in the area. NHS Norfolk and Waveney Integrated Care Board (ICB) commissioned many of these services. Norfolk and Waveney ICB closed on 31/03/2026 with the creation of NHS Norfolk and Suffolk ICB. The Data Hub and its processing are now run and managed by Norfolk and Suffolk ICB. It has expanded its geographical area to include Suffolk and will be onboarding Suffolk organisations which form part of the Norfolk and Suffolk Integrated Care System.
Our partnership includes local GP practices, hospitals, community care providers, social services, urgent and emergency care teams, and mental health care providers.
This includes:
- Hospitals
- Community Healthcare Organisations
- Emergency Services
- General Practitioners
- Mental Health Trusts
- County Councils
- Integrated Care Board
ICB web pages hold a full list of organisations who are signed up.
Secondary use data is any use of information that is not related to the direct care of an individual, such as making a referral for treatment.
One of our aims is to make better use of data and digital technology to help us manage the local health and social care system. As this use of data is not for your direct care, e.g., an appointment with a doctor, this is called the secondary use of data.
Examples of this include Population Health Management and Risk Stratification (identifying groups or individual patients and planning their care and services). This use allows us to provide the services that are needed, in the right areas, helping to promote good health and social care.
As part of providing the services that are needed, decisions are made by systems alone (automated decision making), human health and care professionals are involved in decisions made.
This Privacy Notice tells you about the data we collect and hold about you, what we do with it, how we look after it and our intentions on sharing your data to support your health and social care.
This notice is focused on how our local health and care system uses data collectively within Norfolk and Suffolk. Specific details of how each organisation uses data can be found in their Privacy Notices, which can be found on their websites.
UK data protection legislation grants individuals certain information rights, designed to enable citizens to be informed about how their data will be used, and provide an opportunity to object, restrict, remove, or rectify any personal data about them.
This Notice describes how the Norfolk and Suffolk Integrated Care System (NSICS) intend to use your information, and provide assurance that your information will be:
- Processed lawfully
- Restricted to only the health and social care data that our partner organisations hold about you
- Stored in a secure environment
- Restricted to authorised health and social care staff
- Used only to inform care and how we manage our local health and social care system
If you would like more information about how a specific organisation within this partnership processes your personal data, including how you can exercise your privacy rights, please refer to Privacy Notices on their website.
Across the NSICS, our aim is to manage the secure transfer of the data it collects, processes and stores in an effective and efficient way that will be used to support the care we provide.
NSICS has developed a centralised data store called the Norfolk and Suffolk Data Hub which will enable us to consolidate data in a single secure environment. We can then link data from an individual’s interactions with health and care professionals and create a single record that can be used for management of our health and social care system.
The Data Hub is a cloud-based information system, hosted by Norfolk and Suffolk ICB. It enables carefully authorised health and social care staff to securely access, process and store your data. The Data Hub does not create new information about you; it is a store to collate existing information created by individual health and social care providers.
The data will be used to support the Health and Care System, to:
- Understand the needs of the population
- Ensure evidence-based improvements
- Enhance service design
- Discover better treatment options/pathways
This is done by analysing how services are used, which gives insights such as where there is demand or delays and how systems can be improved, informing the development of services to meet the needs of the local population.
This is integral to enable the local health and care services to be developed and delivered to support the needs of the local population.
Data will also be used to look at information that can identify circumstances where you might be at risk and would benefit from health or care interventions. For further details about uses please see our Use Case library.
Participating organisations within the NSICS will securely transfer the following personal data into the Data Hub. The personal data will be the information which you have provided to these organisations along with any reports or reviews you have made following that information.
- Demographic information such as: name, address, phone number
- NHS number
- Medical conditions
- Treatment provided and contact the individual has had with the organisation
- Care plans
- Emergency department treatment
- Discharge summaries
- Medication reviews
- Physical and mental health reports
- Care and support plans, and reviews
- Social care records
- Results of investigations, such as x-rays, scans, and laboratory tests
Please note that this list is not exhaustive, and the data provided will vary between organisations depending upon the services they provide.
To better manage local health and social care services, the Data Hub helps us bring together data from all our member organisations into one place. Every request to use your data will require approval from an NSICS governance body. To ensure that we use this data responsibly, it will only be used with the following principles:
- Anonymisation First. Where possible, data will be anonymised before it is used. We do not always need to identify you when using data to plan services. We need to know about the prevalence of health and social care needs – not who specifically needs it.
- Pseudonymised Second. If we cannot use anonymised data, we will use data where a known reference number replaces your identifiable data. This reference number, and who it relates to, is only known by key members of staff. The advantage of pseudonymised data is that we can reidentify people when or if it is clinically necessary to do so. Where this happens, only staff involved in your care will be told of this.
- Identifiable Last. In specific circumstances, we may use your data for direct care purposes, subject to review and approval. This may be when you have been identified as at risk and would benefit from being offered some care or support to prevent or detect potential risks to your health.
Please note that Section 171 of the Data Protection Act 2018 states: It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
The NSICS will use the following GDPR (UK Data Protection) Articles as the lawful reasons for processing your personal data:
- 6(1)(d) – processing is necessary to protect the vital interests of the data subject or of another natural person
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- 9(2)(h) – …the provision of health or social care or treatment or the management of health or social care systems and services
- 9(2)(i) – processing is necessary for reasons of public interest in the area of public health
In addition to these lawful reasons, the NHS Act 2006 sets out the legal requirements of organisations delivering services under an NHS Standard Contract.
The Data Hub will be hosted on Microsoft Azure data centres located in London and Cardiff. Your personal data will not be transferred outside of the UK.
Your personal data is kept securely and in line with the Records Management Code of Practice for Health and Social Care 2021.
The National Data Opt-Out was introduced on 25 May 2018, enabling people to opt out from the use of their data for research or planning purposes, in line with recommendations of the National Data Guardian in their Review of Data Security, Consent and Opt-Outs.
You can view or change your National Data Opt-Out choice at any time by using the online service at https://www.nhs.uk/your-nhs-data-matters/ or by clicking on ‘Your Health’ in the NHS App and selecting “Choose if data from your health records is shared for research and planning”.
As your opt-out choice is recorded against your NHS Number, we can ensure that your choice is respected. The NSICS will not use your data where you have indicated that you do not want your data used for planning and research purposes.
If you prefer, you can opt out locally to the Norfolk and Suffolk ICB Data Hub. To do this, contact The Data Hub directly using the Norfolk and Suffolk ICB’s contact details. A member of staff can explain what this means for your care and record your choice.
If you change your mind later, you can also opt back in.
To find out more information about your information rights, please:
- Contact the Data Protection Officer for our member organisations. [email protected]
- Email the NWHCP Information Governance Service Team [email protected]
- To make a complaint about how we process your data, please contact us [email protected]. If you are unhappy with our response or how we have used your data, you can make a complaint to the ICO.
- Contact the Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 01625 545 740. http://www.ico.gov.uk/
Download Easy Read version of:
Norfolk and Suffolk ICB Data hub Privacy Notice (423kB pdf)