ICO News

Long-term follow up of military service from 2001 onwards – GOV.UK

This privacy notice applies to your personal data processed by in relation to the long-term follow up of military service longitudinal study. This study includes all those who served in the UK Armed Forces since 2001, covering combat operations in Iraq and Afghanistan.

The Ministry of Defence is the data controller and can be contacted at:

MOD Main Building




The Data Protection Officer is Mr. Ian Henderson and he can be contacted at:

MOD Data Protection Officer

Ground floor, zone D

Main Building




Email address: cio-dpa@mod.gov.uk

Personal data collection and processing

The following is to explain your rights and to give you information you are entitled to under the Data Protection Act 2018.

Please note this refers to your personal data (your name; address and anything that could be used to identify you personally).

Your personal data is being collected as part of:

  1. A mortality study monitoring the causes of death, including suicide, amongst all personnel who have served in the UK Armed Forces since 2001.

  2. The monitoring of cancer registrations amongst this cohort, to understand the long-term impact of service.

In line with the Data Protection Act 2018, Part 3, Chapter 2, Section 37, the third data protection principle, we have limited the data we receive and process to only what is necessary for the purpose of this study.

The personal data MOD will be processing for living members of this study are: NHS number, name, sex, and date of birth. MOD already holds name, sex, and date of birth as part of service records, and process these as part of the flagging process and to calculate age and standardised rates. MOD receives NHS number from NHS Digital and NRS to enable continued monitoring when individuals move between England and Wales, and Scotland.

For deceased members of the study MOD receives cause of death, place of birth, place of death, and address of deceased. This is to enable further investigations and monitoring of deaths amongst the cohort of service personnel who have been in service since 2001.

The MOD is seeking Section 251 approval under the NHS Act 2006: Part 13, from the Health Research Authority Confidential Advisory Group. Section 251 provides the statutory power to ensure that NHS patient identifiable information needed to support essential NHS activity can be used without the consent of patients. The power can be used only to support medical purposes that are in the interests of patients or the wider public, where consent is not a practicable alternative and where anonymised information will not suffice.

The MOD is also currently seeking approval from the Public Benefit and Privacy Panel for Health and Social Care (PBPP). The PBPP is a governance structure of NHS Scotland, established with delegated authority from NHS Scotland Chief Executive Officers and the Registrar General. Its remit is to carry out information governance (IG) scrutiny of requests for access to health data for purposes of health and social care administration, research and other well-defined and bona fide purposes, on behalf of individual data controllers.

The Data Protection Act 2018 Part 2, Chapter 2, Section 8 states that, as a government department, the MOD may process personal data as necessary for the effective performance of a task carried out in the exercise of its function (under Article 6(1)e of the GDPR).

The Data Protection Act 2018 also says that for the purpose of research and statistics the MOD may process special categories of personal data (DPA 2018 Part 2, Chapter 2, Section 10(e), under Article 9(1) of the GDPR).

With whom we will be sharing your personal data

Your personal data will be shared with:

  • NHS Digital (formerly Health and Social Care Information Centre (HSCIC))
  • National Records of Scotland (NRS, formerly General Register Office for Scotland)

The purpose of sharing your personal data with NHS Digital and NRS is to enable them to identify and attach a cohort marker to patients registered with GPs in England, Wales and Scotland.

Following receipt of this data, Defence Statistics undertake a pseudonymisation process. This process replaces identifiable information (e.g. name and date of birth) with artificial identifiers, or pseudonyms so patient information can be processed without being identified.

Individuals in this cohort registered with GPs outside of these countries will not be flagged and will be reported as ‘emigrated’ or ‘lost to follow up’.

For how long we will keep the personal data, or criteria used to determine the retention period

Your data will be retained for the duration of the study. It will then be archived for 15 years as a record in line with the government archiving guidance.

After the retention period has elapsed, all data will be destroyed securely in line with MOD data destruction policy.

Your rights

Under Data Protection legislation you have the following individual rights with regards to your personal data:

  • The right to be informed about the collection and use of your personal data
  • The right of access to your personal data and supplementary information
  • The right to have inaccurate personal data rectified, or completed if it is incomplete
  • The right to restrict processing in certain circumstances
  • The right to object to processing in certain circumstances
  • The right to withdraw consent
  • Right to complain to the information Commissioner

Further information can be found on the ICO’s ‘Individual rights’ webpage

Transfer of personal data to other countries

This data will not be sent overseas.

Automated decision making

This data will not be used for any automated decision making.

How we store personal data

This data will be stored in a secure government Information Technology system. Appropriate security measures are in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access is limited to specific MOD personnel on a business need to know basis.

Procedures are also in place to deal with any suspected security breach and will notify you and the Information Commissioner’s Office (ICO) of a suspected breach where we are legally required to do so.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure, in a contractual arrangement. As mentioned above your data will be shared with NHS Digital and NRS for flagging.

NHS Digital store data within their Data Management Service (DMS). Access to the DMS is limited and anyone who has access must agree to only using data for their intended purposes. More information can be found in the NHS Digital privacy notice.

NRS match data against the National Health Service Central Register (NHSCR). The Register is a confidential database, accessible only to a list of bodies approved by the Scottish Parliament. Any information provided to third parties is the minimum necessary for them to do their work. More information can be found on the NHSCR website.

How to complain if you are not happy

If you are unhappy with how any aspect of this privacy notice, or how your personal information is being processed, please contact:

MOD Information Rights Team

Ground floor, zone D

Main Building


London SW1A 2HB

Email: cio-dpa@mod.gov.uk

We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Wycliffe House

Water Lane




Tel: 0303 123 1113

Email: casework@ico.org.uk

ICO website


Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.