How do I validate an NHS number?

NHS numbers use a Modulus 11 checksum. Multiply each of the first 9 digits by weights 10 down to 2, sum the products, subtract the remainder from 11 — the result must equal the 10th digit.

Do I Need to Redact NHS Numbers in Documents?

Q: Do I need to redact NHS numbers?

Yes, in the vast majority of cases. An NHS number is personal data — and typically special category data — under UK GDPR and must be redacted before sharing documents with third parties who have no lawful basis to see it.

April 2026 5 min read NHS · UK GDPR · Healthcare

If you work in healthcare, HR, social care, legal, or any role that involves handling patient or client documents, you have almost certainly encountered NHS numbers in correspondence, referral letters, and case files. The question of whether those numbers need to be redacted before sharing documents is surprisingly nuanced — and getting it wrong can result in a serious data breach.

The short answer

Yes — in the vast majority of cases, NHS numbers must be redacted before sharing documents with third parties who do not have a lawful need to see them.

An NHS number is personal data under Article 4(1) of the UK GDPR. Because it is also linked to health records, it is typically treated as special category data — the most sensitive tier of personal data, requiring the highest level of protection.

What is an NHS number?

An NHS number is a 10-digit identifier assigned to every person registered with the NHS in England, Wales, and the Isle of Man (Scotland uses a CHI number; Northern Ireland uses an H&C number — both require equivalent protection). It appears in the format XXX XXX XXXX or XXX-XXX-XXXX.

The number is unique to one individual and is used across all NHS systems to link health records. This is precisely what makes it sensitive: knowledge of someone's NHS number, combined with access to NHS systems, could allow lookup of their health records.

Why it almost always needs to be redacted

Even if you are not sharing the document with someone who has access to NHS systems, the NHS number itself:

Is directly linked to health records — processing it constitutes processing health data (special category)
Can be used to identify an individual uniquely across NHS systems
Is considered more sensitive than a name in most healthcare governance frameworks
Is specifically flagged by NHS Digital and the ICO as requiring strict access controls

NHS Digital guidance states that the NHS number should only be shared with organisations that have a lawful basis and legitimate need. For most document disclosures — including DSAR responses and court bundles — redaction is the appropriate approach.

When you do NOT need to redact

There are legitimate scenarios where sharing the NHS number is appropriate:

Direct care — sharing between NHS organisations involved in a patient's treatment
Referrals — when referring a patient to another care provider who needs it to link records
The individual themselves — disclosing their own records to the data subject
Legitimate research — under an approved data sharing agreement with appropriate safeguards

In each case, there must be a documented lawful basis under both Article 6 (general) and Article 9 (special category) of the UK GDPR.

Validating NHS numbers before redacting

A common problem during document review is false positives — 10-digit numbers that look like NHS numbers but aren't. Account numbers, reference numbers, and other identifiers can match the format. Using checksum validation helps confirm whether a number is genuinely an NHS number before redacting.

Free Tool

NHS Number Validator

Paste any 10-digit number to instantly verify whether it is a valid NHS number using the official Modulus 11 checksum algorithm. Entirely client-side — nothing is sent to any server.

Open NHS Number Validator

How to redact NHS numbers correctly

Redaction must be permanent and irreversible. Common mistakes that are not proper redaction:

Highlighting in black using a word processor — underlying text remains in the file
Placing a white or black rectangle over text in a PDF viewer — text layer still present
Printing and scanning — may work for scanned images, but creates accessibility issues and the original file still exists

Proper redaction requires software that removes the text content from the file entirely and strips associated metadata. The exported document should have no recoverable version of the redacted content.

Data breach risk: In 2023–2025, the ICO investigated several cases where organisations sent documents with NHS numbers "redacted" using PDF annotation tools. Recipients were able to copy the text from beneath the black boxes. This constitutes a personal data breach and must be reported under Article 33 of the UK GDPR within 72 hours.

NHS number formats to watch for

NHS numbers appear in several formats in documents. Ensure your redaction process catches all of them:

485 777 3322 — spaced format (most common in clinical correspondence)
485-777-3322 — hyphenated format
4857773322 — unspaced, appearing in some database exports
Sometimes prefixed with "NHS No:" or "NHS Number:" in letters

DesktopRedact detects NHS numbers in all formats — with checksum validation — and permanently redacts them from PDFs and DOCX files. Locally on your machine.

Join Waitlist

Scotland and Northern Ireland

In Scotland, the equivalent is the CHI number (Community Health Index number) — a 10-digit identifier in the format DDMMYYNNNC where the first 6 digits are the date of birth. In Northern Ireland, it is the Health and Care Number (H&C). Both carry equivalent legal protections to NHS numbers and should be treated the same way for redaction purposes.

Summary: when to redact

DSAR responses — always redact NHS numbers of third parties
Court bundles and disclosure — redact unless the court order specifies otherwise
Third-party sharing (insurers, legal firms) — redact unless explicit lawful basis exists
Research publications — redact unless under an approved data sharing agreement
Direct care referrals — retain where the recipient is another care provider involved in treatment