Patient data

Are you aware that your personal medical information that you share with your GP or other healthcare professional is about to be extracted and stored on a computer outside of the control of this practice where the practice will have no say on who has access to that information?

There are changes occurring in how we protect the confidential and personal information that we record in your medical records. The changes make it a legal obligation for us to share your information (see below).

The proposed benefits of sharing identifiable data are to help you plan and monitor effective patient services, especially where patients receive care from several different organisations.

What we record at our practice

Healthcare professionals in our practice record information about the care we provide.

The type of information that is recorded includes the following;

  • Demographics, e.g. address, telephone number, e-mail, date of birth, gender, etc.
  • What you tell us when you see us in consultations e.g. about your physical and psychological health and social circumstances.
  • Diagnoses, investigations, treatments, referrals, family background.
  • Social information e.g. housing status, alcohol, smoking data.
  • Third party sources e.g. hospital letters, A&E attendances, relatives, carers, insurance companies, solicitors.

What we already share about you

We share different types of information about our patients. These include:

  • Personal information about you and your illness, when needed for your direct care, e.g. referral to hospital consultants, district nurses, health visitors, midwives, counsellors, the summary care record.
  • Patient identifiable information to public health, in order to arrange programs for childhood immunisations, communicable diseases, cervical smears and retinal screening.
  • With explicit consent, personal information to other organisations outside the NHS e.g. insurance companies, benefits agencies.
  • Limited information about you, if relevant, to protect you and others, e.g. to social services child protection investigations.
  • Under certain acts of parliament to protect you and others e.g. court order.
  • Summary information which is anonymised (can not identify you) e.g. quality and outcome frameworks (QoF), medical research and clinical audit.

It is also important to understand that currently a limited amount of patient information or data is used mostly at local level to help design health services or undertake clinical audit.

Some information is used at a national level. Information from lots of individual patients allows the NHS to build a picture of what is happening to the nation’s health. The majority of this information is anonymised before it leaves the healthcare professional, in other words no one can identify who the information relates to.

How we protect your personal information

Currently, your GP is responsible for protecting your information and to do this they comply with the Data Protection Act 1998 (DPA). As part of the DPA, all healthcare professionals have an obligation to only share information on a need to know basis.

For further information on the DPA, please view the Data Protection Act 2018 page on the website.

So what is changing?

Under the Health and Social Care Act 2012 the Health & Social Care Information Centre (HSCIC) on behalf of NHS England (the body responsible for commisioning health services across England) will be able to extract personal and identifiable information about all patients in England.

The programme, called, is administered by the HSCIC using software and services provided by a private sector company. Once your identifiable information has been taken from different health organisations (GP practice, hospitals, mental health trusts) it will then be linked together to produce a complete record about you. This information will be stored on national secure servers and will be managed by HSCIC.

Although access to information will be strictly controlled, the HSCIC is planning to share this information with other organisations both NHS and private. The HSCIC will decide what information they will share and who they then share this information with.

Your GP will not be able to object to this information being released to HSCIC and will no longer be able to protect your information under the DPA as stated above.

Effectively, where the HSCIC is concerned the health and social care act over rules the DPA with regard to disclosure of personal information.

What you need to do

  • If you are happy for NHS England to direct the HSCIC to extract, store and manage/use your personal information then you need to do nothing as the information will be automatically taken from your GP’s computer systems.
  • If you don’t wish your information to be extracted then you MUST complete the document below, which will block the uploading of your identifiable and personal information to the HSCIC.
  • If you are happy for your information to be extracted and used by the HSCIC for anonymised reports but not shared by the HSCIC with other agencies or companies in identifiable format, you can ask your GP practice to add a code to your record which will alert the HSCIC not to use your information in this way.
  • It should be emphasised that your access to health care and the care that you receive will not be affected by either decision.