Care Data Programme
The ‘Care.Data’ Programme
The NHS in England is commissioning a new, modern data service from the Health and Social Care Information Centre (HSCIC) on behalf of the entire health and social care system. Known as ‘care.data’, the programme will eventually cover all care settings in England, including hospitals and GP practices.
Under the Health and Social Care Act 2012, NHS England has directed the HSCIC to collect information from all providers of NHS care including Townhead Surgery. This will start to happen in the autumn and initially will cover the period from April 2013 onwards.
Any data that is uploaded will not include your name, but it will include your date of birth, gender, NHS number and postcode. The data is pooled and we are assured by the HSCIC that individual patients cannot be identified from it. Note that, by the definitions used later in this notice, data that still carries an NHS number is pseudonymised rather than anonymised, and date of birth, gender and postcode in combination can single out an individual, so this protection rests on how the HSCIC handles and releases the extract rather than on the upload itself being anonymous.
Sharing information can help improve understanding, locally and nationally, of the most important health needs and the quality of the treatment and care provided by local health services. It may also help researchers by supporting studies that identify patterns in diseases, responses to different treatments and potential solutions.
You have the right to prevent confidential information about you from being shared or used for any purpose other than providing your care, (except in special circumstances). If you do not want information about you to be shared as part of the care.data Programme, ask your GP or another member of the Practice Team to make a note of this in your records. Your choice will not affect the care you receive.
A leaflet about the Programme can be collected from the Surgery waiting rooms and further information about the care.data Programme including a copy of the leaflet and a frequently asked questions document is available via the links below:
Not all patients need to see a GP; following Care Navigation by our reception team, many can be offered a more appropriate appointment or service to meet their needs. We now offer a wider range of services here in the practice, including daily Physiotherapist assessment appointments, a Practice Pharmacist and a Social Prescriber, as well as care and support from the Nursing team.
In order for our team to be able to direct you to the most appropriate health professional, we have asked our Receptionist to ask you for more information when booking appointments/telephone calls. This is called Care Navigation. This is really useful in assisting us to direct you to the correct person/team and will allow GPs to triage and prioritise telephone calls throughout the day. This will also allow the GP to refer you to an alternative service if deemed more appropriate and that service will always have access to GPs if needed for ongoing care.
Our Receptionist will not offer clinical advice, but by asking a few questions they can triage appointments and if they can offer a more appropriate service, this will then free up the GPs’ time and appointments so they can deal with patients who can only be treated by a GP.
You can read more about Care Navigation under Patient Information and Helpful Links tab on the home page.
For further information please follow this link:
NHS Digital is the Controller for most of its own processing of the personal data it collects under the directions described on this page and is registered as required by Data Protection legislation. The Practice remains the Controller for the GP record it holds about you.
Our Data Protection Officer is Daljeet Sharry-Khan, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, and can be contacted via firstname.lastname@example.org.
All data is retained and erased in accordance with our Records Management Policy. Specific retention periods are identified within each processing purpose listed below. If a specific purpose requires a different retention period outside of our policy this will be explained.
Data Sharing Privacy Notice Townhead Surgeries
Data Provision Notice: Opt out of NHS Digital’s Mass Extraction
Patients will be given until 25 August to opt out of NHS Digital’s mass extraction of GP data, by contacting their GP practice.
Patients can opt out of NHS Digital’s GP data extraction by filling in a type-1 opt-out form and sending it to their GP practice via post or email by the deadline.
Patients can also register a less stringent opt-out, called a ‘national data opt-out’. This means NHS Digital can extract the information but not share it with any other organisations, except for the purpose of the patient’s own care.
Data Provision Notice to require the submission of general practice data in connection with the national Cardiovascular Disease Prevention Audit (CVDPREVENT Audit).
NHS England has directed NHS Digital to collect and analyse data in connection with Cardiovascular Disease Prevention Audit (referred hereafter to as “CVDPREVENT Audit”).
The NHS Long Term Plan identifies cardiovascular disease (CVD) as a clinical priority and the single biggest condition where lives can be saved by the NHS over the next 10 years. CVD causes a quarter of all deaths in the UK and is the largest cause of premature mortality in deprived areas.
The CVDPREVENT Audit is a new national primary care audit being commissioned by NHS England to support the implementation of the NHS Long Term Plan, the annually negotiated General Medical Services contract and the national CVD Prevention programme.
For further information: https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/data-provision-notices-dpns/cardiovascular-disease-prevention-audit
(COVID-19) Pandemic and Your Information
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the COVID-19 pandemic.
The ICO also recognise that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’
The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
Please note that this notice has now been revised and extended by a further notice, from 10 September 2021 until 31 March 2022.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of treating you or a member of your family, and it enables us and other healthcare organisations to monitor the disease, assess risk and manage its spread. Additionally, the use of your information is now required to support NHS Test and Trace.
Please be assured that we will only share the information and health data that is necessary to meet your and public healthcare needs. The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 31 March 2022 unless a further extension is required. Any further extension will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.
Primary Care Network
We are a member of the Bradford Primary Care Network (PCN). This means we will be working closely with a number of other Practices and health care organisations to provide healthcare services to you.
During the course of our work we may share your information with these Practices and health organisations/professionals. We will only share information where it relates to your direct healthcare needs.
When we do this we will always ensure that appropriate agreements are in place to protect your information and keep it safe and secure. This is also what the Law requires us to do.
If you would like to see the information the PCN holds about you please contact the Data Protection Officer:
Data Protection Officer
Scorex House West
1 Bolton Road
01/06/2020 Approved by CCG’s eDSM group
- The information we hold about you
- Why do we [and other organisations] need access to your personal data?
- What do we mean by ‘Direct Care’?
- How we share your personal data [our practice default]
- Your choice
- Available audits
- Legal basis for holding and processing personal data
- Contact details for our data protection officer
- Data retention periods
- Data subject rights
- Further Information
This document explains the types of personal data we hold about you and how we may use this information for the benefit of your health and wellbeing. It sets out how we allow [or do not allow] your electronic health record to be made available to other organisations across a variety of healthcare settings; your permission for this is recorded on the clinical computer system, SystmOne. It also informs you of your options should you wish to take further control of your SystmOne record. The information should be carefully considered, and any concerns you have about the data we hold, and how we use it, should be raised with us.
2. The Information We Hold About You
As your registered GP practice we hold your electronic health record. This contains sensitive information about you, your health and your wellbeing. The following list provides an example of the type of information (both past and present) that can be held within your record:
- Demographic and contact details (name, date of birth, address, telephone number, email address, gender, sex, religion, marital status etc.)
- Appointments and consultations
- Diagnoses (including physical disabilities and mental health conditions)
- Medication, vaccinations, pathology results (e.g. blood tests) and allergies
- Hospital correspondence and correspondence from other health and social care settings (including x-rays, discharge letters and referrals)
- Relationships/next of kin
3. Why do We [and Other Organisations] Need Access to Your Personal Data?
This information means we can provide you with high quality direct care in a safe and effective manner. Being able to see your detailed record allows for an overall picture of your health and wellbeing to be assessed. This then helps us to diagnose and prescribe appropriate courses of treatment to you. This means that the most safe and efficient care is provided to you.
We do not want you to have to repeat your medical history and remember every detail, which may or may not be relevant, to every health professional involved in your care. Lack of access to your information may lead to misdiagnosis, inappropriate prescribing of medication or tests and/or ineffective treatment.
We recognise that you will benefit from other health providers that care for you (either currently or in the future) having access to your electronic health record. This is because they can then make fully informed decisions about the care you require. The reasons for access to the detailed record, mentioned above, apply across the health profession. A shared record ensures that care providers always have the most accurate, up to date information.
In a case where patient data is required for research purposes, we do not provide patient identifiable information. Any data we provide is anonymised or pseudonymised, unless you have given explicit consent.
Anonymised data is data about you from which you cannot be personally identified: personal data that has been processed so that all identifiers (such as name or NHS number) are removed and the remaining fields (for example date of birth or postcode) are generalised enough that they no longer single out an individual. Nothing is retained that could link the data back to you.
Pseudonymised data is personal data that has been processed so that identifiers such as name, address, date of birth and NHS number are removed and replaced with a code. The code means nothing to those who should not see your identifiable data, but the key that links it back to you is held separately by those responsible for providing your care. Because that link exists, pseudonymised data is still personal data and is protected as such.
Personal identifiable data is data which relates to a living individual who:
- can be identified either from that data; or
- from that data in conjunction with other information within the possession of the data controller
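The difference between the three categories above is easiest to see in code. The Python below is an added illustration written for this notice; it is not code from the practice, the HSCIC or TPP. It pseudonymises a constructed GP record by replacing the NHS number with a keyed token (HMAC-SHA256), coarsens the quasi-identifiers named in this notice (date of birth, postcode), shows that only the key holder can map a token back, and shows why a plain hash is not pseudonymisation: anyone can enumerate the small space of valid NHS numbers and reverse it. The sample record, the key and the field names are assumptions; the NHS number is a made-up value that passes the modulus 11 check digit test.

```python
"""Anonymisation versus pseudonymisation of a GP record (added illustration)."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "nhs_number", "address", "email", "telephone")

# Constructed sample record (assumption: not a real patient). The NHS number
# is a made-up value that passes the modulus 11 check digit test.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "A. Patient",
    "nhs_number": "9434765919",
    "date_of_birth": "1978-03-14",
    "gender": "F",
    "postcode": "BD1 4AA",
    "diagnosis": "Type 2 diabetes",
}


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus 11 check digit: weights 10..2 over the first nine digits."""
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # numbers that would need a check digit of 10 are never issued
        return False
    return check == int(digits[9])


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Drop direct identifiers and coarsen the quasi-identifiers (date of birth,
    postcode) so that DOB + gender + postcode no longer single out a person.
    Nothing is kept that could link the output back to the patient."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["date_of_birth"] = record["date_of_birth"][:4]  # year only
    out["postcode"] = record["postcode"].split()[0]      # outward code only
    return out


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Same as anonymise(), plus a keyed token in place of the NHS number.
    The token is stable under one key (so extracts can be linked) but cannot be
    recomputed from a guessed NHS number without the key."""
    if not nhs_number_is_valid(record["nhs_number"]):
        raise ValueError("invalid NHS number")
    out = anonymise(record)
    digest = hmac.new(key, record["nhs_number"].encode(), hashlib.sha256)
    out["pseudo_id"] = digest.hexdigest()[:16]
    return out


def reidentify(pseudo_id: str, key: bytes, held_nhs_numbers: Iterable[str]) -> Optional[str]:
    """Only the key holder (here, the practice) can map a token back, by
    recomputing tokens over the NHS numbers it legitimately holds."""
    for nhs_number in held_nhs_numbers:
        candidate = hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(candidate, pseudo_id):
            return nhs_number
    return None


def unkeyed_token(nhs_number: str) -> str:
    """What NOT to do: a plain, unkeyed hash of the NHS number."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()[:16]


def reverse_unkeyed_token(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Anyone can enumerate the valid 10-digit NHS numbers (roughly 10^9 of them)
    and match a plain hash, so an unkeyed hash is not pseudonymisation."""
    for nhs_number in candidates:
        if unkeyed_token(nhs_number) == token:
            return nhs_number
    return None


if __name__ == "__main__":
    key = b"practice-held-secret"  # assumption: kept by the practice, never in the extract
    print(anonymise(SAMPLE_RECORD))
    print(pseudonymise(SAMPLE_RECORD, key))
```

The point of the keyed token is that it is a one-way function for everyone except the key holder; a recipient of the pseudonymised extract who also held the NHS number list could not confirm a match without the key, whereas with a plain hash they could.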
4. National Data Opt Out
The information collected about you when you use a health or care service can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find example of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt out setting
- Find the contact number if you want to know any more or to set/change your opt out by phone
- See the situations where the opt out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients which covers health and care research, and https://understandingpatientdata.org.uk/what-you-need-know which covers how and why patient information is used, the safeguards and how decisions are made.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
5. Type 1 Opt Out
A type 1 opt-out is recorded in your GP record and stops identifiable data about you leaving this practice for purposes beyond your direct care, including NHS Digital's collection of GP data for planning and research. Unless you have registered a type 1 opt-out with us, this practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.
6. What do We Mean by ‘Direct Care’?
The term ‘Direct Care’ means a clinical health activity concerned with the prevention and investigation and treatment of illness. It includes supporting your ability to function and improve your participation in life and society. It also includes the assurance of safe and high quality care and treatment undertaken by one or more registered and regulated health professionals and their team with whom you have a legitimate relationship for your care purposes.
It does not include access to information for purposes such as insurance, advertising or marketing.
7. How we Share Your Personal Data [Our Practice Default]
As your GP practice we have set the following practice settings for all our registered patients whose detailed electronic health record is in our possession and within the clinical computer system, SystmOne. However, we recognise that each of our patients have differing health care needs and you may wish to control yourself how your personal data is shared. This can be done via ‘Your Choice’ stated below.
A. Implied consent to make your record available to all organisations (without verification/security process) for direct care purposes
We assume that you are happy to share your detailed electronic health record to those that care for you. We therefore, make your record available to all NHS commissioned services using the clinical record computer system, SystmOne.
This allows for anyone at these organisations who have the appropriate controls to retrieve your electronic record once you are registered for care. However, these individuals should only legitimately access your record to provide you with care services. They must also record your permission to view your record.
B. Explicit consent to make your record available to all organisations (without verification/security code process) for direct care purposes
We will obtain your explicit consent (permission) to share your detailed electronic health record to those that care for you. By providing your permission, we make your record available to all NHS commissioned services using the clinical record computer system, SystmOne. This allows for anyone at these organisations who have the appropriate controls to retrieve your electronic record, once you are registered for care. However, these individuals should only legitimately access your record to provide you with care services. They must also record your permission to view your record.
Your individual sharing preference will overwrite our organisation’s default sharing setting.
Example of Services Who Might Need to View Your Record
The types of organisation who could be involved in your direct care and therefore need access to your electronic record are:
- All GP practices
- Referral triage and Out of Hours call centres (services determining which organisations should care for you)
- Child Health
- Urgent Care (for example A&E, Minor Injury Units and Out of Hours services)
- Palliative Care
- Prisons and custody suites or offender health
- Substance misuse service
- All NHS hospitals – acute and community
- Bradford Teaching Hospitals Foundation Trust
- Bradford District Care Trust services
- NHS Mental Health Services
- Community pharmacies
The full list of organisations can be seen and updated in your patient online record.
To find out more about these types of organisations please go to the following webpage:
http://www.tpp-uk.com/products/systmone/modules or talk to a member of your GP practice.
If at any point in the future you are not happy to share your electronic record in this way, please let us know as soon as possible.
8. Your Choice
You may not agree with the health and social care organisations we have chosen to have access to your detailed electronic health record (the practice default). You can therefore control this yourself, and your choice will override our settings. You have the following options:
- No organisations require you to provide a security code (Allowed List) – You can give your permission to allow all NHS commissioned services and local authorities providing health services, using the clinical record computer system, SystmOne, to access your record.
- This allows for any individual at these organisations (who have the appropriate access controls) to retrieve your electronic record, only after you are registered with them for care. These individuals should only legitimately access your record to provide you with care services and they should always request and gain your consent before doing so.
- All organisations require you to provide a security code (Verification List) – You can require that every health organisation asks you for a PIN on your first visit to that service. This allows you to verify/confirm that each individual organisation should have access to your record because it is legitimately involved in your care. You will need access to either a mobile phone or an email account, as the PIN will be sent to you. Alternatively, you will need access to SystmOnline to accept or reject a share request sent to your account by the organisation wishing to view your record. Please contact your GP if you are not enabled for SystmOnline.
- Custom lists – You can put together your own custom lists for access, adding organisations to each of 3 lists i.e. does not require a security code (allowed list), requires a security code (verification list) and cannot access (prohibited list). The functionality for each list will act as described above, but it is you who can determine the level of access, which applies to them. This should be done in conjunction with your GP to ensure you understand the full implications of your decisions.
- Dissent/Refusal of your permission – You can refuse your permission for your record to become available to all NHS commissioned services and local authorities providing health services, using the clinical record computer system, SystmOne, which prevents us sharing your clinical record to any other organisation involved in your care. Please carefully consider the benefits of sharing your record before choosing this option.
- Marking items as private – If you have had a consultation about a particularly sensitive matter, you can ask for this section of your record to be marked as private. That way, even if you consent for another service to see your record, that consultation will not be shown outside the organisation that recorded it.
You can make changes to the above* at any time by contacting us or by logging onto your SystmOnline account. (*you cannot add an organisation to the prohibited list yourself, you must speak with your GP first if you wish to do this.)
9. Available Audits
Audits are useful for your understanding about the types of organisation and individual(s) who are viewing your record. They allow you to raise any concerns about potential illegitimate or unnecessary access of your personal data with the relevant person or organisation. The ability to audit record access is a significant benefit of electronic records over paper records as it allows for a visible trail to be available to you in the following ways:
Alerts – You can opt to receive an alert via SMS or email every time an individual at any health and social care organisation attempts to record your consent to view your record. This means that you can be confident that the appropriate people are viewing your record and you can raise concerns with any organisation where you feel this is not the case.
SystmOnline Record Audit – You can view which organisations have accessed your electronic health record within SystmOnline. Ability to access this audit in SystmOnline is controlled by your GP. Any concerns about access can be raised with the relevant organisation.
Record Sharing List – You can ask your GP practice to show you a list of all health and social care organisations currently caring for you and whether they have recorded your consent or dissent to view your record. If you disagree with the consent options recorded then you, or your GP, should contact those organisations and ask them to amend the setting.
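The sharing options in section 8 and the audit trail in section 9 together describe an access-control policy: your own lists override the practice default, a verification-list organisation must present the PIN sent to you, a prohibited organisation or a recorded dissent always wins, items marked private stay with the organisation that recorded them, and every attempt to record consent is logged. The Python below models that policy as an added illustration written for this notice; it is not TPP's SystmOne code. The organisation names, the record entries, the "implied"/"explicit" labels for practice defaults A and B, and the six-digit PIN format are assumptions.

```python
"""Model of the record-sharing choices and audit trail described above (added illustration)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed record entries (assumption): one consultation is marked private.
SAMPLE_ENTRIES = [
    {"id": 1, "recorded_by": "Townhead Surgery", "text": "Annual review", "private": False},
    {"id": 2, "recorded_by": "Townhead Surgery", "text": "Sensitive consultation", "private": True},
    {"id": 3, "recorded_by": "Bradford Teaching Hospitals", "text": "Discharge letter", "private": False},
]


@dataclass
class SharingSettings:
    practice_default: str = "implied"        # "implied" (option A) or "explicit" (option B)
    explicit_consent_given: bool = False     # only consulted when the default is "explicit"
    dissent: bool = False                    # patient refused sharing altogether
    allowed: Set[str] = field(default_factory=set)       # no security code needed
    verification: Set[str] = field(default_factory=set)  # PIN required on first contact
    prohibited: Set[str] = field(default_factory=set)    # never shared (set via the GP)


@dataclass
class AccessRequest:
    organisation: str
    registered_for_care: bool   # the patient is registered with that organisation for care
    consent_recorded: bool      # the viewer recorded the patient's permission to view
    pin: Optional[str] = None   # PIN the organisation presents, if it has one


class SharingGate:
    def __init__(self, settings: SharingSettings, entries: List[dict]):
        self.settings = settings
        self.entries = entries
        self.issued_pins: Dict[str, str] = {}
        # Every attempt is appended here; this is what drives the SMS/email
        # alerts and the SystmOnline record audit.
        self.audit: List[Dict[str, str]] = []

    def issue_pin(self, organisation: str) -> str:
        """PIN sent to the patient's phone/email when a verification-list organisation first asks."""
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self.issued_pins[organisation] = pin
        return pin

    def decide(self, req: AccessRequest) -> str:
        """Return 'allow', 'deny' or 'pin-required'; patient lists beat the practice default."""
        s = self.settings
        org = req.organisation
        if s.dissent or org in s.prohibited:
            outcome = "deny"
        elif not req.registered_for_care or not req.consent_recorded:
            outcome = "deny"
        elif org in s.verification:
            expected = self.issued_pins.get(org)
            ok = expected is not None and req.pin is not None and secrets.compare_digest(expected, req.pin)
            outcome = "allow" if ok else "pin-required"
        elif org in s.allowed:
            outcome = "allow"
        elif s.practice_default == "explicit" and not s.explicit_consent_given:
            outcome = "deny"
        else:
            outcome = "allow"   # practice default: any NHS-commissioned SystmOne user
        self.audit.append({"organisation": org, "outcome": outcome})
        return outcome

    def view(self, req: AccessRequest) -> List[dict]:
        """Entries the requesting organisation may see; private items stay with their recorder."""
        if self.decide(req) != "allow":
            return []
        return [e for e in self.entries if not e["private"] or e["recorded_by"] == req.organisation]

    def sharing_list(self) -> Dict[str, str]:
        """The 'Record Sharing List': the last recorded outcome per organisation."""
        return {a["organisation"]: a["outcome"] for a in self.audit}


if __name__ == "__main__":
    gate = SharingGate(SharingSettings(verification={"Community Pharmacy"}), SAMPLE_ENTRIES)
    print(gate.view(AccessRequest("Bradford Teaching Hospitals", True, True)))
    print(gate.decide(AccessRequest("Community Pharmacy", True, True)))
    print(gate.audit)
```

Two design points carry over to any real implementation of this policy: the deny conditions (dissent, prohibited list, no registration, no recorded consent) are evaluated before any allow condition, so a later rule can never re-open access; and the PIN comparison uses a constant-time compare, so a caller cannot learn the PIN one digit at a time from response timing.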
10. Legal basis for holding and processing personal data
- Processing is necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional (Article 9(2)(h) of the GDPR).
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9(2)(i) of the GDPR).
These are the Article 9 conditions for processing special category (health) data. They apply alongside an Article 6 lawful basis; for the direct care and statutory functions described in this notice that basis is the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)).
11. Data retention periods
Data protection law (the storage limitation principle in Article 5(1)(e) of the GDPR, as applied in the UK by the Data Protection Act 2018, which replaced the Data Protection Act 1998) requires that we retain personal data no longer than is necessary for the purpose we obtained it for. Ensuring personal data is disposed of when no longer needed reduces the risk that it will become inaccurate, out of date or irrelevant. The law does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
It means that we will need to:
- review the length of time we keep personal data
- consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it
- securely delete information that is no longer needed for this purpose or these purposes
- update archive or securely delete information if it goes out of date
Personal data will need to be retained for longer in some cases than in others. How long we retain different categories of personal data should be based on individual business needs. A judgement must be made about:
- the current and future value of the information
- the costs, risks and liabilities associated with retaining the information
- the ease or difficulty of making sure it remains accurate and up to date
The appropriate retention period also depends on the surrounding circumstances, any legal or regulatory requirements and agreed industry practice (for health records, the NHS Records Management Code of Practice). At the end of the retention period, or the life of a particular record, it should be reviewed and deleted unless there is some special reason for keeping it.
12. Data Subject Rights
You (the patient) are the data subject in this context.
- The Right to Data Portability
- This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Some organisations in the UK already offer data portability through the ‘midata’ and similar initiatives, which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
- Right of Erasure
- The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. It does not apply where processing is necessary for the provision of health care or for reasons of public interest in public health (Article 17(3)(c) of the GDPR), so GP practices and other healthcare providers are not required to erase clinical records on request.
- Right of Rectification
- Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If we have disclosed the personal data in question to third parties, we must inform them of the rectification where possible, and we must also tell you which third parties the data has been disclosed to where appropriate.
- Right of Access
- Under the General Data Protection Regulation (GDPR), individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information. These are similar to existing subject access rights under the DPA. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
- Right to Restrict Processing
- Under the DPA, individuals had a right to ‘block’ or suppress processing of personal data; the restriction of processing under the GDPR is similar. When processing is restricted, we are permitted to store the personal data but not to process it further, and we may retain just enough information about you to ensure that the restriction is respected in future.
- Right to be Informed
- The right to be informed encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice such as this one. It emphasises the need for transparency over how we use personal data.
- Right to Object
- Individuals have the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
- Rights Related to Automated Decision Making and Profiling
- The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. We must identify whether any of our processing operations constitute automated decision making and update our procedures where the GDPR requires it.
13. Further Information is Available From:
Please see the Information Document tab for the TPP Data Sharing Document.
Additional Privacy Notice Information:
All GP practices are required to declare the mean earnings for GPs working to deliver NHS Services to patients at each practice.
The average pay for GPs working in Townhead Surgeries in the last financial year was £46,316 before tax and National Insurance. This figure covers the full-time GPs and the 10 part-time GPs who worked in the practice for more than six months.
Legal Basis for Processing (NHS Digital)
NHS Digital is an executive non-departmental body reporting to the Department of Health and Social Care, and most of its processing activity is directed by the Secretary of State for Health and Social Care. These directions create a legal obligation for that processing. Where a different legal basis supports a processing purpose this will be explained. The Practice's own legal basis for holding and processing your record is set out in section 10 above.
From 1st April 2015 under the terms and conditions of the General Medical Services Contract, the Practice is required to allocate a named accountable GP to all registered patients.
If you wish to know who your allocated GP is, please contact Reception. These new arrangements do not prevent you making an appointment or seeing any GP at the Practice as patients have always been able to do.
Privacy Information Leaflet for Children
What is a Privacy Notice ?
A privacy notice helps your doctor’s surgery tell you how it uses information it has about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your healthcare record.
Why do We Need One ?
Your doctor’s surgery needs a privacy notice to make sure it meets the legal requirements which are written in a new document called the General Data Protection Regulation (or GDPR for short).
What is the GDPR ?
The GDPR is a document that helps your doctor’s surgery keep the information about you secure. It was introduced on the 25th May 2018 and makes sure that your doctor, nurse and any other staff at the practice follow the rules and keep your information safe.
How do You know About Your Privacy Notice ?
At your surgery we have posters in our waiting room and leaflets to give to children and adults and we also have lots of information about privacy on our website telling you how we use the information we have about you.
What Information do We Collect About You?
Don’t worry; we only collect the information we need to help us keep you healthy such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
How do We Use Your Information?
Your information is taken to help us provide your care. But we might need to share this information with other medical teams such as hospitals, if you need to be seen by a special doctor or sent for an X-ray. Your doctor’s surgery may be asked to help with exciting medical research but don’t worry, we will always ask you or your parents or adults with parental responsibility if it’s okay to share your information.
How do We Keep Your Information Private?
Well, your doctor’s surgery knows that it is very important to protect the information we have about you. We make sure we follow the rules that are written in the GDPR and other important rule books.
What if I’ve Got a Long Term Medical Problem?
If you have a long-term medical problem then we know it is important to make sure your information is shared with other healthcare workers to help them help you, making sure you get the care you need when you need it!
Don’t Want to Share?
All of our patients, no matter what their age, can say that they don’t want to share their information. If you’re under 16 this may be something which your parents or adults with parental responsibility will have to decide. They can get more information from a member of staff at the surgery who can also explain what this means to you.
How do I Access my Records?
Remember we told you about the GDPR? Well, if you want to see what is written about you, you have a right to access the information we hold about you but you will need to complete a Subject Access Request (SAR). Your parents or adults with parental responsibility will do this on your behalf if you’re under 16. But if you are over 12 you may be classed as being competent and you may be able to do this yourself.
What do I do if I Have Questions?
If you have any questions ask a member of the surgery team or your parents or adults with parental responsibility. You can:
1. Write to the surgery at the address on the front of this leaflet (GP practices are data controllers for the data they hold about their patients).
2. Ask to speak to the Practice Manager, Catherine Redford, or the Assistant Practice Manager, Caroline Jolliffe.
What to do if You’re not Happy About How we Manage Your Information
We really want to make sure you’re happy but we understand that sometimes things can go wrong. If you or your parents or adults with parental responsibility are unhappy with any part of our data-processing methods you can complain. For more information visit https://ico.org.uk and select ‘Raising a concern’.
We always make sure the information we give you is up to date. Any updates will be published on our website.
Requesting a Copy of Your Information
Typically, we collect information from health and care organisations providing your care and would advise contacting them directly for a more complete record of your care or treatment. We do not hold your whole medical or care record.
Where we store and use personal data collected from care and treatment records, it is mostly held as codes rather than words. We will provide a list of codes used to help you understand the information we give you. If you would like to request a copy of your personal data that NHS Digital is processing then you will need to complete a Subject Access Request Form and email or post it to the contact details on the form.
Following your request, we may write back to you within the 30-day timeframe to request you to narrow or modify your requirements. This may also result in an extension of a further 60 days whilst we examine your request.
There are very strict rules about who can access the personal data we process, and what it can be used for. When information is shared with other organisations, these organisations have to go through our Data Access Request Service to make sure they will store it safely and legally, and that they have a good reason for using it that will benefit health and care. Information is never passed to marketing or insurance companies without consent. We publish all of our data releases on our data release register.
Subject Access Request
What is subject access?
Individuals have the right to request and receive a copy of the information that is held about them. This is known as a subject access request. This right of subject access means that patients can make a request under the Data Protection Act and GDPR to any organisation processing their personal data. The Act calls these organisations ‘data controllers’. Individuals can ask the organisation that is holding, using or sharing the personal information to supply them with copies of both paper and computer records and related information held about them. This is a ‘subject access request’ (SAR).
What happens when the Practice receives a request?
SARs can be made in writing, by letter or email, or verbally. Whether a request is written or verbal, the Practice will need to check that the requester is the person they say they are; appropriate security questions will be asked to confirm this.
The Practice will provide the individual with a response within 1 calendar month (or 28 days) from the date the request is received. The Practice can ask the individual for more specific information about what they would like; this is to narrow down what data is required to satisfy their request. The Practice will clearly document this within the patient record because, if the patient later asks for further information about the same subject, this could become chargeable.
All patient requests are to be authorised by a GP. If providing the information is likely to cause the patient serious harm, the request may be declined.
Giving the patient the information they have asked for
A SAR applies to all the information the Practice holds about the patient, electronic and paper; this includes Lloyd George envelopes. If the Practice receives a SAR verbally then we will ask the patient what information they require, whether any date ranges apply and how they would like to access the information. A task will be sent to the Doctor advising them of the request. If the Practice receives a letter or email request then this request will be scanned into the patient record and assigned to the SAR administrator.
Responding to SARs – the options
1. The Practice can agree. If the Practice agrees to a SAR the Practice must respond within 1 month and include all the data held on the data subject plus whichever of the information requested that applies. Providing all the data the Practice holds is regarded as the norm.
2. The Practice can decline. The Practice can decline to provide a SAR or, as the GDPR states, ‘not take action’. However, the Practice will have to justify why within the universal 1 month deadline and explain how the data subject can complain against the Practice decision. One obvious reason for declining is if the data has not changed since a previous request.
3. The Practice can request more time. The Practice can inform a patient that extra time is required where it has been decided that it will take longer than a month to collate and supply the data. In this case the Practice must tell them this within the usual 1 month deadline and the Practice will then have up to an additional two months to provide the information.
4. The Practice can negotiate. A SAR was defined under the Data Protection Act as the entire contents of the patient record, and under GDPR that is the same basic default assumption. However, it has now been recognised that, over 20 years on, the Practice holds masses of data on registered patients, so a new option has been introduced: the Practice can supply less than the entire record by mutual agreement.
This means the Practice can agree with the patient (within the 1 month period) to narrow down the data required to satisfy their request provided they agree voluntarily and freely. The Practice must not coerce people into asking for less than they want or need. In these circumstances clearly document what is agreed within a first SAR – e.g. only the records of a hip operation. Subsequent SARs could then be chargeable although the Practice should take a reasonable approach. If the patient asks for one additional letter it would be unreasonable to charge a fee but if they ask for hundreds more pages then a charge would be reasonable.
When could the Practice negotiate?
The Practice may feel a negotiated SAR is going to be more difficult and time consuming than just handing over the lot but, remember, GDPR applies to all data formats including the paper in Lloyd George envelopes. So a sensible negotiated SAR might be everything stored relating to the patient in electronic form.
In most circumstances the patient is unlikely to want copies of the irrelevant historical paper records. Another option is to take everything from a certain date. It is the Practice’s responsibility to protect any other data subjects mentioned in the requester’s records, so the Practice must redact any information on non-medical third parties.
What if the request is about a child?
Even if a child is too young to understand a SAR, their personal data does not belong to anyone else.
Before responding the Practice will consider whether the child is mature enough to understand their rights. If the Practice is confident that the child can understand then the Practice must respond to the child rather than a parent or guardian. The Practice should consider:
- The child’s level of maturity and ability to make decisions
- Nature of the personal data
- Any court orders
- Duty of confidence owed to the child
- The consequences of providing a parent or guardian with this information
- The detriment if a SAR is not provided
- The child’s views on disclosing information to a parent or guardian
Can a SAR be made on behalf of others?
If the Practice is satisfied that the third party making a request is entitled to act on behalf of the individual then yes. Evidence for proof of entitlement might be a written authority to make the request or it could be a more general power of attorney.
A third party, including legal representatives, can ask for a patient record on behalf of the patient and the Practice cannot charge for this; however, the Practice must ensure that appropriate consent is in place before releasing the information.
- Solicitors are not permitted to seek a SAR to support an application that should be made under the Access to Medical Reports Act (AMRA), i.e. reports for employment and insurance purposes. This covers accident claims and insured negligence as well as mortgages and life insurance – anything covered by an insurance contract that requires a medical report. If a solicitor’s letter does not make the precise purpose of the request and report clear then ask them if the report is being requested under GDPR or AMRA. If the report is to support an actual or potential insured claim then AMRA applies. The Practice can charge and no additional information is needed.
- The same applies to employers so, if the report is in connection with proposed or actual employment, it’s not classed as a SAR meaning the Practice can charge and no additional information is needed.
What if insurers get patients to make SARs?
In the DPA 2018 it is a criminal offence, in certain circumstances and in relation to certain information, to require an individual to make a subject access request. The ICO will provide further guidance on this offence in due course.
How much is the fee?
In the past the Practice was able to charge patients for SARs; the Practice asked for:
- £10.00 for print out of the electronic record and dealing with the request
- Up to £50.00 for combination of manual and electronic record
The Practice is no longer allowed to charge for a SAR under the GDPR. The Practice’s charges for non-NHS services document has been updated and is available on our webpages.
For a repeat request the Practice can only charge a fee to cover administrative costs. So, the fee might involve the cost of professional time to redact records for example. If the Practice invokes the unfounded or excessive clause the Practice will justify any reasons to the patient.
What information is an individual entitled to?
Subject access is most often used by individuals who want to see a copy of the information an organisation holds about them. However, subject access goes further than this and an individual is entitled to be:
- Told whether any personal data is being processed (including where there is no information held)
- Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people
- Given a copy of the personal data
- Given details of the source of the data (where available).
What happens if the requestor dies before a response is provided?
If the requestor dies after a SAR is received then the response must be provided to the individual’s personal representative. As a matter of good customer service the Practice must check with the personal representative(s) that they still want to receive the information before anything is sent to them.
What if the information has someone else’s information within it?
The Practice does not have to comply with a SAR if doing so would disclose information about another individual who is identifiable unless:
- The individual has consented to the disclosure
- It would be reasonable in all circumstances to comply with a request without consent.
Step 1 – Does the request require the disclosure of information that identifies a third party?
Step 2 – Has the third party individual consented?
Step 3 – Would it be reasonable in all the circumstances to disclose without consent?
What additional data must the Practice supply?
The additional information that must be supplied along with the original personal data concerning the patient (data subject) comprises an explanation of:
- The purpose(s) of the processing
- The categories of personal data being processed
- The recipients or categories of recipients
- How long the patient’s information will be held
- The rights of rectification, restriction, objection and, where applicable, erasure
- The right to complain to the Information Commissioner’s Office
- The patient’s right to be told more about the source of their data received from other organisations
- The existence of, logic behind and consequences of any automated processing.
This information, or an easily accessible link to it, has to be provided as well as the actual data relating to the patient.
Is any information exempt from subject access?
Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a SAR. Information may be exempt because of its nature or because of the effect its disclosure is likely to have.
Beyond the ‘excessive or unfounded’ clause, the Practice can also refuse to provide data where the patient already has the information. Other relevant exceptions include where:
- It would involve a disproportionate effort (e.g. letters from the 1960s that are no longer relevant)
- It would disclose comments about a third party to the patient (except for others involved in their care)
- It could result in harm to the patient or anyone else
- The information is subject to a court order or is privileged or subject to fertilisation or adoption legislation.
Exemptions and restrictions – general
The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) recognise that, in some circumstances, the Practice might have a legitimate reason for not complying with a subject access request (SAR), so they provide a number of exemptions from the duty to do so. Where an exemption applies to the facts of a particular request the Practice may refuse to provide all or some of the information requested, depending on the circumstances. It is a matter for the Practice to decide whether or not to use an exemption; the DPA/GDPR does not oblige the Practice to do so, so the Practice is free to comply with a SAR even if it could use an exemption.
If challenged, the Practice will be prepared to defend to the Information Commissioner’s Office or a court the Practice’s decision to apply an exemption. It is, therefore, good practice to ensure that such a decision is taken at a suitably senior level within the organisation and that the Practice documents the reasons for it.
From time to time the Practice may give or receive references about an individual, e.g. in connection with their employment or for educational purposes. Such references are often given ‘in confidence’ but that fact alone does not mean the personal data included in the reference is exempt from subject access.
The DPA/GDPR distinguishes between references the Practice provides and references the Practice receives.
References the Practice provides are exempt from subject access if the Practice provides them in confidence and for the purposes of an individual’s education, training or employment or the provision of a service by them.
There is no such exemption for references the Practice receives from a third party. If the Practice receives a SAR relating to such a reference the Practice must apply the usual principles about subject access to decide whether to provide some or all of the information contained in the reference.
Relevant considerations are likely to include:
- Any clearly stated assurance of confidentiality given to the referee
- Any reasons the referee gives for withholding consent
- The likely impact of the reference on the requester
- The requester’s interest in being able to satisfy himself or herself that the reference is truthful and accurate
- Any risk that disclosure may pose to the referee
Publicly available information
If an enactment requires an organisation to make information available to the public, any personal data included in it is exempt from the right of subject access.
The exemption only applies to the information that the organisation is required to publish. If it holds additional personal data about an individual, the additional data is not exempt. It would not be acceptable to use the exemption to justify denying subject access to whole categories of personal data if, for some individuals, the crime and taxation purposes are unlikely to be prejudiced.
Personal data that:
- Is processed for the purpose of discharging statutory functions
- Consists of information obtained for this purpose from someone who held it for any of the crime and taxation purposes described above
is also exempt from the right of subject access to the extent that providing subject access to the personal data would be likely to prejudice any of the crime and taxation purposes. This prevents the right applying to personal data that is passed to statutory review bodies by law-enforcement agencies and ensures that the exemption is not lost when the information is disclosed during a review.
A further exemption applies to personal data that is processed for management forecasting or management planning. Such data is exempt from the right of subject access to the extent that complying with a SAR would be likely to prejudice the business or other activity of the organisation.
Negotiations with the requester
Personal data that consists of a record of your intentions in negotiations with an individual is exempt from the right of subject access to the extent that complying with a SAR would be likely to prejudice the negotiations.
Social work records
Special rules apply where providing subject access to information about social services and related activities would be likely to prejudice the carrying out of social work by causing serious harm to the physical or mental health or condition of the requester or any other person. These rules are set out in the Data Protection (Subject Access Modification) (Social Work) Order 2000 (SI 2000/415). Their effect is to exempt personal data processed for these purposes from subject access to the extent that its disclosure would be likely to cause such harm.
A further exemption from subject access to social work records applies when a SAR is made by a third party who has a right to make the request on behalf of the individual such as the parent of a child or someone appointed to manage the affairs of an individual who lacks capacity. In these circumstances personal data is exempt from subject access if the individual has made clear they do not want it disclosed to that third party.
The DPA/GDPR contains additional exemptions that may be relevant when dealing with a SAR. For more information about exemptions see the ICO Guide to Data Protection.
An organisation that makes appropriate use of the exemptions in the DPA/GDPR might have the following indicators of good practice:
- Withholding or redacting information
If information is withheld in reliance on an exemption the response explains, to the extent it can do so, the fact that information has been withheld and the reasons why. The explanation is given in plain English and does more than simply specify that a particular exemption applies.
Information to be redacted is approved before source material is copied in a redacted form. It is then subject to at least one quality review by a manager to confirm that all data has been excluded appropriately. A copy of the disclosure bundle showing the redactions and the reasons behind them is retained for reference.
Once approved, redaction is either carried out manually using black marker which is then photocopied or electronically using bespoke redaction software.
- Ensuring consistency
Advice on applying the exemptions most likely to be relevant to the organisation’s activities is included in SAR guidance for staff. Quality assessments are carried out to ensure that exemptions are applied consistently.
Transparency Notice: How we Use Your Personal Data
This page sets out how we use personal data, in line with the General Data Protection Regulation (GDPR). It includes a register of processing activities, and your rights if information about you is included.
NHS Digital is the name we operate under. Our official name is the Health and Social Care Information Centre, which was created by the Health and Social Care Act 2012 as an executive non-departmental public body reporting to the Department of Health and Social Care.
Our legal duties include collecting, analysing and publishing health and care data, providing national technology infrastructure, producing information standards and providing advice and support on information and cyber security. Read more about NHS Digital.
This transparency notice provides information on our data processing activity.
You can also read more about other choices you have, including the national data opt out, which are provided over and above the rights that Data Protection Legislation gives you, giving you more control and confidence over how we use your data.
Data protection laws in the UK give people a number of rights concerning their personal data. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.
When you view an entry in our register of processing activities, we have highlighted which rights apply and which may not. To help understand why some may not apply the following should help.
Examples of where rights may not apply – where our lawful basis is:
- Public Interest (Task): the rights of erasure and portability do not apply.
- Legal Obligation: the rights of erasure, portability, objection, and automated decision making and profiling do not apply.
If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.
These rights are:
We want you to feel confident that we look after everyone’s personal data in line with the law. If you have any questions about your rights, you can get in touch with us at email@example.com.