The United Kingdom General Data Protection Regulation (UK GDPR) is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK.
Under data protection law we must tell you how we use your personal information. This includes the personal information that we share with other organisations and why we do so. This additional privacy notice provides details about the personal information that we are sharing with NHS Digital for its General Practice Data for Planning and Research data collection.
Data Protection – Your Personal Data is Safe
We are aware that recent events highlighted in the media concerning sharing your personal data may have left you confused and worried.
This has led to a rise in the number of queries asking us who we actually share your personal data with, whether we have the right to do so, and whether these external organisations can be trusted to look after your personal data.
We would like to assure you that as a practice we take your personal data very seriously and we have certain processes in place to make sure your personal data is in safe hands at all times.
As a practice we must adhere to UK data protection law: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Both pieces of legislation exist to make sure we look after your data. Where we do not follow any part of the data protection laws we are at risk of being investigated by the Information Commissioner’s Office (ICO) on your behalf, and possibly being issued with a fine or warning. The ICO is an independent advisory body that reports directly to Parliament and makes sure your rights around your personal data are protected.
To help us keep on track and make sure we abide by these laws we complete something called the Data Security and Protection Toolkit (DSPT), which incorporates the laws. It helps us measure how we are doing and keeps us in line with the law, and we are required to complete it annually.
There will be times when we have to share your personal data with external organisations or companies in order to provide you with the care you need. However, we only do this where we need to, where we have a legal reason to do so and when we are satisfied they will continue to safeguard your personal data. An example would be the clinical IT system we use that holds your medical records; this is supplied by an IT company which hosts your personal data to enable us to use the system.
Whenever we share your personal data we will conduct the necessary data protection checks with the external organisation. Like us, they are required by data protection law to provide us with relevant assurances that any personal data we share with them will remain secure. Under the UK GDPR they are required to provide us with documents to assure us, and these will include contracts which must contain UK GDPR clauses. If an organisation does not process your personal data in line with the law they too will be investigated by the ICO.
We cannot share your personal data without a legal basis, which means we cannot give your personal data to anyone ‘just because’ they want it. The UK GDPR sets out 6 legal bases we can use; the most common one you will have heard of is ‘consent.’ Consent is not often used in healthcare, and where we are using your personal data for direct care it just would not work. The UK GDPR recognises this, so we apply a legal basis called ‘public task.’ Public task covers the use of personal data where it is in the interest of the patient’s care or in the public interest. This means that we do not need to ask for your consent, although we are obliged to be open and transparent about how we use your personal data, which we do via our Privacy Notice (insert link).
We certainly will not sell your personal data to anyone.
When we share your personal data we need to abide by the UK GDPR principles, one of which is called ‘data minimisation’. This means we can legally only share what is relevant and necessary for the task.
Finally, along with completing the DSPT (as mentioned above), where we have any data protection concerns or need advice we have a dedicated Information Governance team who are on hand to guide us through the do’s and don’ts.
I hope this information has provided you with assurance that we take the necessary steps to make sure your personal data is safe when in our care and that where we share your personal data we do so only if the law allows us to.
The NHS needs data about the patients it treats in order to plan and deliver its services and to ensure that the care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, patient data can help the NHS to:
GP practices already share patient data for these purposes, but this new data collection will be more efficient and effective.
We have agreed to share the patient data we look after in our practice with NHS Digital who will securely store, analyse, publish and share this patient data to improve health and care services for everyone. This includes:
This means that we can get on with looking after our patients and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it to improve health and care for everyone.
Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.
NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.
For further information, please click here to navigate to the NHS Digital webpage, which provides up-to-date information on the data collection.
Opting out of NHS Digital collecting your data (Type 1 Opt-out)
If you do not want your identifiable patient data to be shared outside of your GP practice for purposes except for your own care, you can register an opt-out with your GP practice. This is known as a Type 1 Opt-out.
Type 1 Opt-outs were introduced in 2013 for data sharing from GP practices, but may be discontinued in the future, as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens, people who have registered a Type 1 Opt-out will be informed. More about National Data Opt-outs is in the section ‘Who we share patient data with’.
NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out, in line with current policy. If this changes, patients who have registered a Type 1 Opt-out will be informed.
If you do not want your patient data shared with NHS Digital, you can register a Type 1 Opt-out with your GP practice. You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.
A start date for the data sharing with NHS Digital will be announced.
If you have already registered a Type 1 Opt-out with your GP practice your data will not be shared with NHS Digital.
If you wish to register a Type 1 Opt-out with your GP practice before data sharing with NHS Digital starts, this should be done by returning this form to your GP practice as soon as possible to allow time for it to be processed. If you have previously registered a Type 1 Opt-out and would like to withdraw it, you can also use the form to do this. You can send the form by post or email to your GP practice, or call 0300 3035678 for a form to be sent out to you.
If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.
If you do not want NHS Digital to share your identifiable patient data (personally identifiable data in the diagram above) with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out. There is more about National Data Opt-outs and when they apply in the National Data Opt-out section below.
National Data Opt-out (opting out of NHS Digital sharing your data)
This applies to identifiable patient data about your health (personally identifiable data in the diagram above), which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital for purposes except your own care (GP data), you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, for example helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.