Skip to main content Skip to footer

Medical exemption certificate privacy notice

The NHS Business Services Authority is responsible for this service.

We will use the information your GP practice gave us to process your application.

Why we process your information

By law, we must process this information to be able to provide this service.

We will ask you for:

  • information to identify you
  • details of your medical condition(s) to process your application

We may use your information to:

  • check claims you make for help with NHS charges
  • analyse with other patients' information to understand patterns and trends that will be used to plan and make improvements to NHS services, and direct patient care

If we cannot confirm that you are entitled to help, you may be sent a Penalty Charge Notice.

Your information will be used to help plan and make improvements to NHS services and direct patient care.

Your information will not be transferred outside the UK or European Economic area.

Sharing your personal information

To support more effective planning and improvements to NHS services and patient care, we may share our understanding of patterns and trends gained from patient information with:

  • NHS Commissioners and service providers
  • Public Health England
  • NHS Digital
  • Department of Health and Social Care
  • NHS Counter Fraud Authority

To prevent, detect and investigate fraud and errors, we may share your information with:

  • NHS commissioners and service providers
  • NHS Digital
  • NHS Counter Fraud Authority
  • The Department for Work and Pensions

To help the NHS plan for the future, information about the first medical condition given on your application may be shared with:

  • Department for Health and Social Care
  • NHS England

This information is given anonymously so you won’t be identified.

Keeping your personal information

Your personal data will be deleted from our systems and files no later than 24 months after your certificate expires.

Your rights

The information you provided will be managed as required by Data Protection law.

You have the right to:

  • receive a copy of the information the NHSBSA hold about you
  • request your information be changed if you believe it was not correct at the time you provided it
  • request that your information be deleted if you believe we are keeping it for longer than necessary
  • request a review of the automated decision to issue you with a Penalty Charge Notice

Find out more about your rights and how we process information.