Privacy and cookies

NHS Resolution is the operational name of NHS Litigation Authority (NHS LA) – we were established as a Special Health Authority by the National Health Service Litigation Authority (Establishment and Constitution) Order 1995. It is a not-for-profit part of the NHS, providing indemnity cover and sharing lessons from claims and other legal and professional services.

Primary Care Appeals (formerly Family Health Services Appeal Unit, FHSAU) and Practitioner Performance Advice (formerly National Clinical Assessment Service, NCAS) are operating divisions of NHS Resolution. The statutory functions of the NHS Resolution are set out in various pieces of legislation.

In carrying out these functions, we collect, use and share information about people. We do so in the following principal areas of our work:

  • managing claims against the NHS on behalf of the members of our risk-pooling schemes;
  • dealing with disputes arising from dentists, GPs, pharmacists and opticians about decisions made by commissioners of healthcare which affect their contracts with the NHS;
  • helping to resolve concerns about the professional practice of doctors, dentists and pharmacists in the UK; and
  • sharing lessons from claims with NHS care providers to help improve safety.

We may share personal information across NHS Resolution where this is necessary for the performance of the statutory functions or where it is in the overriding public interest.

In processing personal information, we will:

  • collect only the appropriate amount of personal information required for us to fulfil the statutory functions effectively;
  • consider the privacy risks when we are planning to use or hold personal information in new ways, such as when introducing new systems;
  • not keep personal information for longer than is necessary;
  • protect personal information and restrict access to it within the NHS Resolution on a ‘need to know’ basis;
  • provide training to staff who handle personal information, and respond appropriately if personal information is not used or protected properly; and
  • share personal information with third parties only where this is appropriate and it is lawful to do so.

We contract with third parties to provide services and/or to carry out certain activities for us. Where we provide them with personal information to enable them to carry out work for us, we ensure that they are supplied with only the appropriate amount of personal information, that it is used only in accordance with our instructions, and that there are suitable security arrangements in place.

The purpose of this privacy notice is to explain how we collect, use and, where applicable, share your personal information depending on your relationship to NHS Resolution.

Find out how the different areas of our organisation processes uses data here.

Data sharing with the Getting It Right First Time Programme (GIRFT) at NHS Improvement

NHS Resolution has been asked to share data from claims reported to us with the Getting it Right First Time Programme which is hosted by NHS Improvement. The Getting It Right First Time (GIRFT) programme is helping to improve the quality of care within the NHS by reducing unwarranted variations.

The information that will be shared is as follows:

Patient age at incident
NHS Resolution Claim Reference and Claim ID
Description of medical negligence claim including dates of incident, date of case creation (notification), case status and outcome, damages paid, case costs, causes and injury sustained.
The Secretary of State for Health through the Confidential Advisory Group (CAG) has approved the application by NHS Improvement on behalf of GIRFT to access this information and NHS Resolution has carried out its own analysis to determine whether it is lawful to share the information.

If you do not wish to have your claims information included in the programme or have any concerns about the data sharing proposal please contact the Data Protection Officer at NHS Resolution at or by phone on 0207 811 2806.  You may also contact NHS Improvement at

Processing data outside of the European Economic Area

In some cases we process your personal data outside the European Economic Area (EEA) where countries may not have laws which protect your personal data to the same extent as in EEA.
We are obliged to ensure that your personal data is processed securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this privacy notice.
If we transfer your personal data outside the EEA we review and risk assess the data transfer and third party organisation that will be processing your personal data to ensure adequate measures are in place to keep your personal data secure, this includes having appropriate contractual clauses and ensuring that we only work with organisations that are registered on the Privacy Shield.
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our Data Protection Officer if you would like more information about the safeguards we have in place.

Your rights

By law you have a number of rights when it comes to your personal data, however, some rights are only triggered where we are relying on a particular lawful basis when processing your data.

This is shown in the table below. Please be aware that, as stated above, we only rely on the public task condition when processing personal data.

The table below outlines what right you have, what these rights mean and whether the right applies to this processing. More information about your rights is available on the Information Commissioner’s website.

How we protect your data

We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information as appropriate to the nature of the information concerned.
We have in place a framework of policies and procedures that includes all legal, physical and technical controls involved in our information risk management processes – to demonstrate this we are ISO 27001 certified. In addition, we do have a Cyber Essentials Plus certificate, verifying that our IT is suitably secure.
Furthermore, we are required to annually complete and publish the Data Security and Protection Toolkit (previously known as the Information Governance (IG) Toolkit).
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

What data breach procedures we have in place?

We follow the Department of Health and Social Care guidance for reporting, managing and investigating IG and Cyber incidents, and we report incident and near misses on the Data Security and Protection Toolkit.
It is important that the relevant authorities and individuals are made aware at the earliest opportunity should a serious incident occur – the NHS has an established culture of informing the Information Commissioner’s Office of all data breaches that meet specific requirements.

The right to lodge a complaint with your local supervisory authority

You have the right to lodge a complaint about the way we handle or process your personal data with a supervisory authority.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
The supervisory authority for the UK is the Information Commissioner.

Subject access requests

We are legally required to act on requests and provide information free of charge with the exception of requests that are manifestly unfounded, excessive or repetitive.

If we determine this to be the case we may charge a reasonable fee or refuse to act on the request.  We will respond to acknowledge your request within 3 working days and provide the information within one month of receiving your request.  Please send your request to: 

Please note that information subject to legal professional privilege is exempt from disclosure in response to a subject access request by virtue of paragraph 19 of Schedule 2 to the Data Protection Act 2018, and so given the nature of the work undertaken in relation to our claims management function we may be limited in the information we can provide.

Our data protection officer contact details

For any questions or queries about how we are handling your data, the Data Protection Officer for NHS Resolution is Tinku Mitra, contact details which are shown below:
Telephone: 0207 811 2806

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website. Please check back frequently to see any updates.

Page last updated on: