We currently share your personal health data for your own health and social care needs – ‘direct care purposes’. This is of course vital when we want to refer you, order an investigation, send a prescription to a pharmacy, liaise with others involved in providing care to you etc. In fact we cannot provide safe care without letting other authorised people involved in your care have this essential information (for instance about important medical conditions, previous operations, allergies, medication, contact details etc). We enter into legally binding Sharing Agreements with organisations involved in your care to ensure good governance.
We also share some of your personal data for Research and Planning purposes and for Public Health (eg in the present pandemic) and there are various legal requirements and safeguards for us to do this. Most of it is used anonymously but it can be made individually identifiable where there is a valid and necessary reason. This is data extraction and use permitted under the Health & Care Act 2012 and we also have to comply with the Data Protection Act 2018, GDPR and a number of other legal frameworks and much guidance.
We outline in this website (Medical Records & Confidentiality section) the data we already provide. It has made major contributions to medical research (by universities, research bodies, pharmaceutical companies etc) and has helped the NHS plan and commission services, map the spread of infectious diseases and so on. In other words, the data is essential for the advancement of medicine and building and administering a better NHS.
The different mechanisms for extracting this data from our GP record system are now going to be brought into one new system, the GPDPR ‘GP Data for Planning & Research’ and it will operate slightly differently.
As Data Controllers, we are responsible for protecting your data and have to abide by all the stringent legal and procedural requirements and monitor the processes to ensure compliance. We also have a duty to inform all of our patients how their data will be used and their right to opt out.
Our Privacy Notice explains what personal data we hold and with whom and why we might share these data. It also explains your right to withhold consent from sharing these data for Research and Planning purposes (you cannot withdraw your consent for sharing for Direct Care purposes as we would not be able to safely care for you).
Under the GPDPR, once the data has been extracted from our system, NHS Digital will become the Data Controller and will be responsible for granting access and for disseminating these data. They assure us the data will never be used for marketing or insurance purposes and will not be sold. An independent body scrutinising proper use of the data, IGARD (Independent Group Advising on the Release of Data), will include representatives from the GP community, BMA etc. This video outlines briefly how NHS Digital handles your data. GPDPR is explained more fully in this NHSD link.
The first extract for data from GP systems will take place on July 1st.
Your name and address will NOT be collected. The data will be in pseudonymised form, meaning that some of the identifiers such as DoB, NHS number and postcodes will be replaced by unique codes which will require special decoding software keys to read them. If there are valid and necessary reasons, the codes may be broken to allow authorised bodies access to trace the data back to individuals.
The data extracted will be coded information about any medical conditions, symptoms, medication, tests, allergies etc and details of any staff treating you. It will also include your gender, ethnicity and sexual orientation.
Many items will NOT be extracted from your record. These include free-text comments and notes (a large part of our medical records), correspondence, documents, photos, unnecessary data over 10 years old, certain legally embargoed information such as gender reassignment and IVF treatment.
Withdrawing your consent to sharing
To withdraw your consent for your personal data to be shared for Research and Planning you need to opt out. There are two types of Opt-out.
- • Type 1 Opt-out prevents NHS Digital from extracting and sharing any of your personal information.
- • National Data Opt-out allows NHS Digital to extract your data but prevents them sharing anything that could be linked with you personally.
For more information on the use of your data and these Opt-outs read the NHS Digital Transparency Notice
To apply a Type 1 Opt-out you need to complete this form and send it to us. We enter a code into your computer record to activate this. You can do this any time but best before the first extraction on July 1st.
To apply a National Data Opt-out you need to complete this web-form or downloading and completing this form which is sent back to the NHS Digital (not to the practice). Your decision is recorded on the national system. You can do this any time.
There are some legal over-rides to your choices, for instance by court order, where there is an over-riding public interest (eg during the Covid-19 pandemic), when any information that could link you to your information is removed and where there are some specific exclusions
Full details on data sharing is in the NHS Digital Transparency Notice