GDPR, Patient information leaflet
NHS England has commissioned a service from the Health & Social Care Information Centre (HSCIC) for the sharing of patient information from all the different places patients receive care; i.e. GP, hospitals, community services etc. This information is important as it will be used to plan and improve services for all patients.
Information about you and the care you receive is shared, in a secure system, by healthcare staff to support your treatment and care.
It is important that we, the NHS, can use this information to plan and improve services for all patients. We would like to link information from all the different places where you receive care, such as your GP, hospital and community service, to help us provide a full picture. This will allow us to compare the care you received in one area against the care you received in another, so we can see what has worked best.
Information such as your postcode and NHS number, but not your name, will be used to link your records in a secure system, so your identity is protected. Information which does not reveal your identity can then be used by others, such as researchers and those planning health services, to make sure we provide the best care possible for everyone.
How your information is used and shared is controlled by law and strict rules are in place to protect your privacy.
We need to make sure that you know this is happening and the choices you have.
Benefits of sharing information
Sharing information can help improve understanding, locally and nationally, of the most important health needs and the quality of the treatment and care provided by local health services. It may also help researchers by supporting studies that identify patterns in diseases, responses to different treatments and potential solutions.
Information will also help to:
• find more effective ways of preventing, treating and managing illnesses;
• guide local decisions about changes that are needed to respond to the needs of local patients;
• support public health by anticipating risks of particular diseases and conditions, and help us to take action to prevent problems;
• improve the public’s understanding of the outcomes of care, giving them confidence in health and care services; and
• guide decisions about how to manage NHS resources fairly so that they can best support the treatment and
What will we do with the information?
We will only use the minimum amount of information we need to help us improve patient care and the services we provide.
We have developed a thorough process that must be followed before any information can be shared. We sometimes release information to approved researchers, if this is allowed under the strict rules in place to protect your privacy. We are very careful with the information and we follow strict rules about how it is stored and used.
We will make sure that the way we use information is in line with the law, national guidance and best practice. Reports that we publish will never identify a particular person.
Do I have a choice?
Yes. You have the right to prevent confidential information about you from being shared or used for any purpose other than providing your care, except in special circumstances. If you do not want information that identifies you to be shared outside your GP practice, ask your practice to make a note of this in your medical record. This will prevent your confidential information being used other than where necessary by law, (for example, if there is a public health emergency).
You will also be able to restrict the use of information held by other places you receive care, such as hospitals and community services. You should let your GP know if you want to restrict the use of this information.
Your choice will not affect the care you receive.
Do I need to do anything?
If you are happy for your information to be shared you do not need to do anything. There is no form to fill in and nothing to sign and you can change your mind at any time.
If you have concerns or are not happy for your information to be shared, speak to your GP practice.
Where can I get more information?
Leaflets in other languages and formats are available from our website.
For more information, including a list of frequently asked questions (FAQs), please go to the website at www.nhs.uk/caredata.
You can also get further information from the website at www.hscic.gov.uk.
Or you can speak to staff at your GP practice.
How information about you helps us provide better care
Frequently asked questions for patients
1. Why do I need to read the leaflet ‘how information about you helps us provide better care’?
It is important that you read the leaflet so that you understand how information in medical records is used. Your records are already used by healthcare staff to provide your care. You also need to know how your information can be used to improve the way the NHS delivers care to all patients.
If you are happy for your information to be used to improve health services then you do not need to do anything. However, it is important that you know this is happening and what to do if you have any questions or concerns (See FAQ 14).
2. Why is information collected?
It is important that the people who plan and manage the NHS have access to a full picture of the care being provided to patients so that they can make sure that the NHS is providing the best possible services to all of its patients. They can only do this by using information, for example to compare the care received in one area to the care received in another area to see what worked better.
Information in health records is also valuable for carrying out research into the treatments offered for different diseases and illnesses.
3. What is changing?
Patient information is already used extensively by the NHS but we need to improve how we use the information. This improvement and modernisation is happening in a number of ways.
A modern information system has been developed by the NHS in England, which will make increased use of information from medical records with the intention of improving health services. You may have heard this system referred to as care.data.
One of the main aims of the new system is to allow the NHS to make better use of the routine information collected when you visit your doctor. The system complies with strict confidentiality rules and the law.
This service will provide joined-up information about the care received from all of the different parts of the health service, including hospitals and GP practices. The Health and Social Care Information Centre (HSCIC) (see FAQ 6) is working with NHS England to deliver the care.data service.
Separate to care.data, information that does not identify you may be made available to approved researchers in a secure system called the "Clinical Practice Research Datalink" or CPRD. This system is not new but it is important you understand that this happens.
4. Why are these changes needed?
It is important that the NHS has a complete picture of what is happening across the health and social care service. This information will allow those who plan services to see what is working best. To give you an example: a group of patients could have the same operation but receive different aftercare. Those planning and designing health services can look at which type of aftercare worked best so that all patients can then benefit from those experiences. They do not need to have information that identifies you but will need the HSCIC to link the data as described in FAQ 7. The care.data system will allow for the collecting, analysing and sharing of data while protecting patients’ privacy and confidentiality. The NHS will also provide information that will enable the public to hold the NHS to account and ensure that any unacceptable standards of care are identified as quickly as possible.
5. When will these changes occur?
Information from GP practices will begin to be extracted and sent to the HSCIC in the autumn. The first use of the system will be to help the NHS plan local health services. GP data will be linked with the hospital data already held by the HSCIC.
6. What is the "secure environment" mentioned in the leaflet?
The secure environment is called the Health and Social Care Information Centre (HSCIC); a public body based in Leeds. The HSCIC is the central source of health and social care information in England. The role of the HSCIC is to ensure that high quality data are used appropriately to improve patient care. The HSCIC has legal powers to collect and analyse data from all providers of NHS care. The HSCIC is committed, and legally bound, to the very highest standards of privacy and confidentiality to ensure that your confidential information is protected at all times. Access to information is strictly controlled. Further information about the HSCIC is available at www.hscic.gov.uk
7. Will my whole GP record be used?
No. The care.data service does not need to extract your whole GP record. Only the minimum amount of information required will be used. Your date of birth, postcode, NHS number, and gender (but not your name) will be used to link your records in a secure environment before being deleted. Once this information has been linked, a new record will be created (see FAQ 8). This new record will not contain any information that identifies you.
When your GP enters information into a health record he/she uses a combination of free text and codes.
• Free text might be something you tell your doctor such as your symptoms, your occupation, how you are feeling. Free text information will not be sent to the HSCIC secure environment.
• Codes are a combination of letters and numbers that indicate a piece of clinical information such as a diagnosis, a test result or a prescription. You can see a list of the types of codes that will be used for care.data here. The list includes codes about NHS prescriptions, referrals and other clinical information. Using a computer, your GP can search through these codes to find all the patients in the practice with the same code and invite those patients to a specialist clinic for that condition.
To summarise, the information extracted into the HSCIC will be coded information plus your NHS number, postcode, date of birth and gender. Note that your name and your address will not be extracted. This is to help protect your identity.
8. Will the people in the secure environment see information that identifies me?
When information leaves your GP practice, it will be sent to the HSCIC (see FAQ 6). The computer systems at the HSCIC will link information from your GP record with information from your record in other places where you have received NHS care, such as your hospital record, if you have one. The linked information will be used to create a new record. Once this has been done, all of the information that directly identifies you (such as your NHS number, postcode, and date of birth) will be replaced with a code that does not reveal who you are.
The process to create this linked record is automated. Occasionally, in a small number of cases, it is necessary for an HSCIC member of staff to check the data. However, this is only done following strict rules and processes that protect the confidentiality of the individual. Only the linked data record, which does not identify an individual, will be used by those planning health services.
Separately, there are limited circumstances when the law allows the HSCIC to pass on information that may identify you where there is special approval (see FAQ 9). You can object to this sharing of your information too (see FAQ 15).
Finally, the HSCIC also has special legal approval to link information for CPRD (see FAQ 3).
9. What research will be carried out on data that identifies me?
In most cases, researchers can carry out their studies using information that does not identify you. Occasionally, however, medical researchers need to use information that does identify you. Only researchers who have obtained your permission or who have been granted special approval are allowed to access your identifiable data. This special approval is granted following advice from an independent panel called the Confidentiality Advisory Group (CAG). This group grants approval to a small number of research projects each year, which it considers to be in the public interest and for the benefit of the health service. The CAG approves requests where it is not possible to use information that does not identify you and it is not possible to ask you. There are a variety of reasons why it might not be possible to ask people; for example, where there are extremely large numbers of patients. Access to the information is restricted to the specific information necessary for the research.
Examples of projects approved by the CAG include a national study into people who have had a heart attack, and a study of the time people had to wait for treatment for cancer and the effect of these waiting times on survival. More examples can be found here.
10.Will information that identifies me be used by marketing or drug companies?
Marketing and drug companies will not have access to information that identifies you unless you give your specific permission, such as if you have been contacted by your GP practice and you agreed that researchers could contact you about a clinical trial.
While there are some limited circumstances when the NHS needs to carry out medical research using information that identifies you, this type of research requires
special approval (see FAQ 9). You will not be contacted by a third party unless you have specifically agreed to this.
11.Will my information be shared with insurance companies or solicitors?
The HSCIC will not share information about you with insurance companies or solicitors. If an insurance company or solicitor wanted information about you they would approach your GP practice directly and you would need to give your explicit consent before any of your information could be shared with them. If you do not agree to their specific request for your information then it will not be shared with them.
12.Will you sell data?
No. The HSCIC does not charge for data. Sometimes, the HSCIC may charge an administrative fee (for example, to link the data) but there is no commercial sale of NHS data.
13.Why do you need to extract data that identifies me?
We need to be able to link information from the different places where you receive NHS care, such as your GP practice and hospital. The people who plan and monitor the quality of NHS services need this type of joined-up information to get a full picture of the care being provided by the NHS. Your NHS number, postcode, gender and date of birth are needed to join up this information from the different places where you received care. Your name and address are not used in this process.
14.What should I do if I have concerns?
If you have concerns, you can talk to staff at your GP practice or ask the practice for a copy of the leaflet "How information about you helps us to provide better care".
If you do not want information that identifies you to be shared outside your GP practice, you can ask your practice to make a note of this in your medical record. This is called an objection. An objection will prevent your confidential information being used other than where there are exceptional circumstances or where the law allows your information to be shared.
Remember, if you are happy for your information to be used for planning health services and for research then you do not need to do anything.
15.What kinds of information sharing can I object to?
There are two types of information sharing you can object to:
• You can object to information containing data that identifies you from leaving your GP practice. This type of objection will prevent the identifiable information held in your GP record from being sent to the HSCIC secure environment. It will also prevent those who have gained special legal approval form using your health information for research.
• You can also object to any information containing data that identifies you from leaving the HSCIC secure environment. This includes information from all places you receive NHS care, such as hospitals. If you do not object, information that identifies you will only leave the HSCIC in limited circumstances where there is special legal approval, for example for medical research (see FAQ 9). If you object, confidential information will not leave the HSCIC and be used in this way, except in very rare circumstances for example in the event of a civil emergency.
16. If I object will this stop all data about me leaving the practice?
No. The law requires doctors to provide some very limited information about certain things. The law says, for example, that doctors must provide information to local authorities about some infectious diseases, such as if you had food poisoning. Very rarely, doctors may be required to disclose information in order to detect a serious crime. Likewise, a court order can require doctors to disclose certain information during a court case.
17. If I object to both data leaving the GP practice and the HSCIC, how will the HSCIC identify me to implement my objection about data flowing from the HSCIC?
If both objection codes are applied to your record then it is necessary for your GP practice to send your NHS number to the HSCIC so that your objection can be implemented. The HSCIC needs your NHS number so that they can apply your objection to information they hold. No other information that identifies you will be sent to the HSCIC by your practice.
18. I have opted out of the Summary Care Record (SCR) so do I need to talk to my GP practice if I have any concerns?
Yes, you should still talk to your GP practice. There are important differences between allowing the NHS to use your information for planning and research and the Summary Care Record (SCR). The SCR may be used by any health professional in the country to provide you with care. It would be wrong for us to assume that because you have chosen not to have a SCR that this automatically means you also wish to stop the use of your information being used to improve health services.
19. Can I stop data that identifies me leaving other places where I receive care (for example, a hospital)?
No. Currently, some information which may identify you, for example by including your NHS number, will flow from hospitals and other places where you receive care and treatment to the HSCIC, where this is allowed by law. At the moment, you can only object to data containing information that identifies you from leaving your GP practice.
However, you can object to any information containing data that identifies you from leaving the HSCIC secure environment. This includes information from all places you receive care (for example, hospitals). In the future, it should be possible for you to stop information that identifies you from going to the HSCIC from wherever you receive NHS care or treatment. But at the moment, the systems we use in the NHS do not currently allow this. The note of your objection in your GP record cannot be seen by other places where you receive care, such as hospitals.
20.When my data leaves the practice to go to the HSCIC, who is the data controller?
The HSCIC will be the data controller for the data for the purposes for which they are processing and will be obliged to comply with the law.
21. Can I stop data that does not identify me being used?
No. Information that does not identify you is not confidential. Since this information is neither personal nor private, the law says that it can be used much more freely. As this information can be so helpful to the NHS and does not identify you, there are good reasons for making the best possible use of it.
22. Can I change my mind?
Yes, you can change your mind at any time and as many times as you wish. For example, if you object and then change your mind (i.e. you decide you are happy for your information to be used) then you will need to speak to your GP practice to ensure this happens. Likewise, if you do not object now but then later decide you wish to object, then this is also possible. Just speak to your GP practice and ask them to record your wishes.
23. Can I change my mind and decide I no longer want information that identifies me to be used even if it has already gone to the HSCIC?
Yes. You should notify your GP of your objection. The HSCIC will then ensure that any information they have from your GP practice that identifies you is removed.
24. Can I have a greater number of choices and allow data to be used for some but not other research projects?
No. Currently you have the right to say yes or no to your information leaving the GP practice or being shared by the HSCIC, for example for research. The system does not let you say yes or no to your information being used for all the different types of research projects that come to the HSCIC. However, if a researcher is working directly with your GP practice for their study then, unless there is special approval (see FAQ 9), your GP will check with you first if you are happy to share your information and be part of the study. This will be done for each individual research project that works directly with your GP Practice where you would be a potential participant.
25. Do I need to do anything if I am happy for my information to be used?
No. If you are happy for your information to be shared to help improve health services, then you do not need to do anything. Your information will continue to be used for that purpose and to benefit all patients.
26. I am a carer for someone who lacks capacity to decide whether to allow their information to be shared – can I decide on their behalf?
If you have a Lasting Power of Attorney for health and welfare then you can object on behalf of the patient who lacks capacity. If you are a carer or relative who does not hold a Lasting Power of Attorney then you can raise your specific concerns with the patient’s GP. The GP will make a decision based on an assessment of the patient’s best interests, taking your views into account.
27. I am a parent/guardian of a child can I make the decision on their behalf?
If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then this must be their decision.
28.What happens if my confidentiality is breached?
The HSCIC is committed, and legally bound, to the very highest standards of privacy and confidentiality to ensure that confidential information is protected at all times. Information in health records can only be shared beyond those caring for you where: (i) the law allows it (ii) there is a court order (iii) there is a sufficiently strong public interest justification or (iv) you have given your permission (See FAQ 16).
The Information Commissioner’s Office has powers to impose heavy fines in the event of any breach of the Data Protection Act 1998 (which is the law that governs how your information is used by organisations, businesses and the government). If the HSCIC is found to be in breach of the DPA, it would be subject to a fine. The ICO
Here at Station Surgery we utilise an electronic system for transferring patient records to and from other GP surgeries called GP2GP.
GP2GP enables patients' electronic health records to be transferred directly and securely between GP practices. It improves patient care as GPs will usually have full and detailed medical records available to them for a new patient's first consultation.
Why it’s needed
GP2GP is the project that enables patients' electronic health records (EHRs) to be transferred directly from one practice to another.
GP2GP starts when a practice accepts a patient onto their list of patients for primary health care and ends when the EHR is transferred from the previous practice into the new GP clinical system.
GP2GP electronic transfers will be more accurate and secure - and much faster than the current paper-based approach, which can take weeks to complete.
Background to GP2GP
There are some 9,000 GP practices in England. They each currently deal with an average 500 patient record transfers each year. Inner city and university practices deal with far more.
The process involves:
- Printing out the details of the patient health record held on the GP clinical system and then putting that print-out into the patient's 'Lloyd George' envelope, together with any historical paper records, laboratory forms, hospital referral letters and the letters that result from that referral.
- These documents are then transferred to the new practice via the local medical records transfer process.
- Upon receipt of the Lloyd George, the new practice reviews the information received, summarises the record and enters any appropriate information into their GP clinical system.
The time it takes to receive a patient record from the time it is requested can be anything from a few weeks to a few months. As a result, the new practice often does not have the benefit of the old record when the patient attends for the first consultation. Once received, it can be very time-consuming for the new practice to key in the summary of the record into its own clinical system.
GP2GP, on the other hand, enables an almost instantaneous transfer of a patient's EHR. As a result, GPs and their teams will be able to provide patients with a safer and more efficient service. Read more about the benefits of GP2GP.
WHAT IS GP2GP? GP2GP enables patients' electronic health records to be transferred directly and securely between GP practices. It improves patient care as GPs will usually have full detailed medical records available to them for a new patient's first consultation.
What are the benefits of using GP2GP?
GP2GP delivers a range of benefits, including:
Improved quality and continuity of care
- Full patient Electronic Health Record (EHR) available for the patient's first appointment, which results in a more focused and informed consultation.
- Past medical history available and information about medication, allergies, adverse reaction.
- Immunisations and vaccinations.
- Fewer transcribing errors and omissions, the need to key in information from paper records will be greatly reduced.
- Allergies and adverse drug reactions are flagged for review for new patients, resulting in safer prescribing.
Clinical time savings
- The EHR contains information such as lab results and letters from specialists, which helps in the clinical decision making process. This also means there are fewer request for unnecessary duplicate lab tests.
Administrative time savings
- The need to key information from paper records is greatly reduced. This results in quicker summarisation of new patient records.
- Attachments are received electronically, which results in time saved not having to re-scan items into patient's EHR.