Patient confidentiality and privacy

General Practice Data for Planning and Research (GPDPR) – NHS Digital

  • The data held in the GP medical records of patients is used every day to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone. NHS Digital has developed a new way to collect this data, called the General Practice Data for Planning and Research data collection.

The new data collection reduces burden on GP practices, allowing doctors and other staff to focus on patient care.

  • NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.

NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.

NHS Digital has engaged with doctors, patients, data and governance experts to design a new approach to collect data from general practice that:

  • reduces burden on GP practices
  • explains clearly how data is used
  • supports processes that manage and enable lawful access to patient data to improve health and social care

  • Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps us to understand whether the health and care system as a whole is working for patients.
  • In addition to replacing what GPES already does, the General Practice Data for Planning and Research service will also help to support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including coronavirus (COVID-19) and enable many different areas of research, for example:

1. Research the long-term impact of coronavirus on the population

There is a lot about coronavirus that we do not know, including the long-term health impacts. Patient data from GP medical records will be very important in the coming months and years, as scientists analyse and understand the impact of the virus on human health.

2. Analyse healthcare inequalities

For example, to understand how people of different ethnicities access healthcare and how the outcomes of particular groups compare to the rest of the population. This will help the NHS to assess healthcare inequalities and make any necessary changes to its services.

3. Research and develop cures for serious illnesses

For example, patient data is being used by the University of Oxford RECOVERY trial, which has found ways to improve the treatment for people with coronavirus.

Researchers have previously used patient data from GP medical records to show that there was no association between the measles, mumps and rubella vaccine and the development of autism; to confirm the safety of the meningococcal group B vaccine; and to investigate whether certain medications increase the risk of cancer.

What data is shared

This data will be shared from 1 July 2021. Data may be shared from the GP medical records about:

  • any living patient registered at a GP practice in England when the collection started – this includes children and adults
  • any patient who died after 1 July 2021, and was previously registered at a GP practice in England when the data collection started

NHS Digital will not collect patients’ names or addresses. Any other data that could directly identify patients (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that patients will not be identified directly in the data. NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.

We will collect structured and coded data from patient medical records.

NHS Digital will collect:

  • data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
  • data on sex, ethnicity and sexual orientation
  • data about staff who have treated patients

NHS Digital does not collect:

  • name and address (except for postcode, protected in a unique coded form)
  • written notes (free text), such as the details of conversations with doctors and nurses
  • images, letters and documents
  • coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment, and certain information about gender re-assignment

Opting out

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

We will not collect data from GP practices about patients who have registered a Type 1 Opt-out with their practice. More information about Type 1 Opt-outs is in our GP Data for Planning and Research Transparency Notice, including a form that you can complete and send to your GP practice.

This collection will start on 1 July 2021 so if you do not want your data to be shared with NHS Digital please register your Type 1 Opt-out with your GP practice by 23 June 2021.

If you register a Type 1 Opt-out after this collection has started, no more of your data will be shared with us. We will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.

National Data Opt-out (opting out of NHS Digital sharing your data)

We will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you – this includes GP data, or other data we hold, such as hospital data – with other organisations, unless there is an exemption to this.

To find out more information and how to register a National Data Opt-Out, please read our GP Data for Planning and Research Transparency Notice.

  • NHS Digital collects, analyses, publishes and shares health and care data safely, securely and appropriately as part of our statutory functions.
  • Data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality. Organisations using this data must have a clear legal basis to do so for health and care purposes and only the minimum amount of data needed to meet the specific purpose will be made available.
  • Data will only be made available in response to appropriate requests from organisations which are approved following independent scrutiny by our Independent Group Advising on the Release of Data.
  • More information about how and why NHS Digital will share data from GP practices is available in our General Practice Data for Planning and Research Transparency Notice. We also publish information about the data that we share in our data release register.

More information for patients and the public about how NHS Digital is processing GP data to support health and care, including our legal basis and your choices can be found in NHS Digital’s GP Data for Planning and Research Transparency Notice.

Additional information for GP practices

Register your participation

GP practices should comply with the Data Provision Notice by registering your participation on your GP medical record system. This only has to be done once – your GP system supplier can provide further guidance.

Update your patient privacy information

GP practices have a legal duty to be transparent and to provide patients with information under the UK General Data Protection Regulation (GDPR) about the data they are sharing with others.

To help GP practices provide information about the General Practice Data for Planning and Research data collection, NHS Digital has produced a GP Practice Privacy Notice which GPs can add as a link to their current privacy notice by publishing the following statement and link on your website:

“This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.”

GP practices may also wish to include information about this collection in regular communications to inform patients about the new data collections including newsletters, Facebook groups and waiting room screens. We have created a helpful animation for patients that explains what data is being collected and why which you can also link to. You can also access a downloadable poster.

Data collection

Data will only be provided to NHS Digital by your GP system suppliers after you have confirmed to your system supplier that you have complied with the Data Provision Notice.  The earliest this data will be provided to us by your system supplier is 1 July 2021.

Registering Type 1 Opt-outs

You will need to register Type 1 Opt-outs (or a withdrawal of the Type 1 Opt-out) in your system before the 30 June 2021. The codes you need to use to register or withdraw the Type 1 Opt-out are:

Code type Code
Opt-out – Dissent code 9Nu0 (827241000000103 |Dissent from secondary use of general practitioner patient identifiable data (finding)|) 
Opt-in – Dissent withdrawal code 9Nu1 (827261000000102 |Dissent withdrawn for secondary use of general practitioner patient identifiable data (finding)|)]

Other GP data flows

NHS Digital will work with other organisations to enable transition from existing data flows to the new NHS Digital General Practice for Planning and Research Service in order to reduce the number of GP data flows currently in existence.

In the meantime, GP practices should continue to support existing data flows and can accept new requests to participate in existing data collections where they consider it safe, legal and beneficial to the health and care of patients. Requests for new data collections for planning and research should be directed to NHS Digital from 1 September 2021.

Locally across Cheshire and Merseyside, data is being shared securely with a data processor called System C for the purposes of protecting public health, providing healthcare services to the public, planning health care services and monitoring and managing Covid 19 outbreaks. No data that identifies a person will be used for purposes other than direct care. If you have previously opted out of data sharing your data will not be used. The overarching purpose for data sharing is to support a set of Population Health analytics for population level planning and improvement of outcomes and also the targeting of direct care to vulnerable populations in need

Further information

internalCollecting GP data – advice for the public


NHS Digital’s improved collection of GP data will support vital health and care planning and research. Here we explain how and why your data is being used, and what to do if you don’t want your data shared.

internalHow NHS Digital makes decisions about data access


We have a strict and well-established process for providing access to data for external organisations such as charities, academic institutions, and medical research companies.

internalGeneral Practice Data for Planning and Research: GP Practice Privacy Notice


For patients at participating GP practices, helping you to understand how your medical records are used to improve everyone’s health and care.

internalGeneral Practice Data for Planning and Research: NHS Digital Transparency Notice


How and why NHS Digital collects, analyses, publishes and shares data collected from GP practices for planning and research.


SNOMED CT(external link, opens in a new tab)


For information on SNOMED CT, which is a structured clinical vocabulary for use in an electronic health record.


The NHS Digital SNOMED CT Browser(external link, opens in a new tab)


For information on the NHS Digital SNOMED CT Browser, which provides ways to browse and search the SNOMED CT UK edition.


Legally restricted code lists for fertility, embryology and gender recognition(external link, opens in a new tab)


For information about all coded record elements identified as being legally restricted under fertility, embryology and gender recognition legislation.


NHS Digital Sensitive Code List (sexually transmitted infections)(external link, opens in a new tab)


For information about the NHS Digital Sensitive Code List of SNOMED CT codes collected and related reference sets.


Covid-19 and your information – Updated on 22nd April 2020

Supplementary privacy note on Covid-19 for Patients

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available on the practice website.

 The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of

protecting public health, providing healthcare services to the public and monitoring and

managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Patient Privacy Notice – Updated Sept 2020

This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it.

Folly Lane Medical Centre also publishes a number of specific notices which are available at the bottom of this page.

To find out more about our Privacy Notice, please select the relevant hyperlink below:

 Who we are?

Why we collect personal information about you?

What is our legal basis for processing your personal information?

What personal information do we need to collect about you and how do we obtain it?

What do we do with your personal information and what we may do with your personal information?

Who do we share your personal information with and why?

What are your rights?

How we maintain your records?

How long do we keep your information?

How to contact the Information Commissioners Office

Who is the Data Protection Officer?


Who We Are

Folly Lane Medical Centre employs more than 26 members of staff and runs at Folly Lane, Warrington, Cheshire WA5 0LU

Our Practice is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z6471975

Why we collect personal information about you?

The healthcare professionals employed by the Practice require personal information in order to provide healthcare services; this includes but is not limited to details related to your living situation and anything that may have an impact on your health. Details that allow for the proper maintenance of contact details are also required.

These details will typically be used for direct care but may be utilised to improve healthcare services. This information needs to be collected, held and maintained as accurately as possible in order to provide you with the best care possible.

This personal information may be held in a variety of formats, including paper records, electronically, on computer systems or within video and audio files.

In some cases the information may be collected for other reasons, you will be informed if this is the case.

Personal information about you is collected in a number of ways. This can be referral details from our staff, other 3rd parties or hospitals, directly from you or your authorised representative.

We will likely hold the following basic personal information about you: your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts, etc. We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.

What Our Legal Basis Is For Processing Personal Information

We adhere to the legal bases for processing as laid out by the General Data Protection Regulations 2016. There are different legal bases that are employed depending on the circumstances and the data processed however we most commonly rely on the following:

For personal data:Article 6.1(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For personal data including special category (health) data:Article 9.2(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.The relevant legislation can be found at: – GDPR – Data Protection Act 2018

What Personal Information We Collect About You and How We Obtain It

In addition to the above, we may hold sensitive personal information about you which could include:

  • Notes and reports about your health, treatment and care, including:
  • your medical conditions
  • results of investigations, such as x-rays and laboratory tests
  • future care you may need
  • personal information from people who care for and know you, such as relatives and health or social care professionals
  • other personal information such as smoking status and any learning disabilities
  • Your religion and ethnic origin
  • Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs. Details not related to this allow us to contact you about your care when appropriate.

Our Use Of Third-Party Processors

To enable the effective use and management of the Practice’s patient information we utilise approved & secure clinical system/s to process our patient information. The system that are contracted to maintain and store personal and confidential information on our behalf is: TPP.

What We Do With Your Personal Information and What We May Do With Your Personal Information

Your records are used to directly, manage and deliver healthcare to you to ensure that:

  • Staff members involved in your care have accurate and up to date information. This is in order for them to assess and advise on the most appropriate care for you.
  • Staff members have the information they need to be able to assess and improve the quality and type of care you receive.
  • Appropriate information is available if you see another healthcare professional or are referred to a specialist, social care, another part of the NHS or healthcare provider.

The personal information we collect about you may also be used to:

    • Remind you about your appointments and send you relevant correspondence.
    • Review the care we provide to ensure it is of the highest standard and quality, e.g. Through audit or service improvement.
    • Support the funding of your care, e.g. With commissioning organisations.
    • Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies.
    • Help to train and educate healthcare professionals.
    • Report and investigate complaints, claims and untoward incidents.
    • Report events to the appropriate authorities when we are required to do so by law.
    • Review your suitability for research study or clinical trials.
    • Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients.

    Unless a legal basis allows otherwise we will, where possible, always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality. We will only use/share the minimum information necessary.

How We Maintain Your Records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016. In addition, those working for the NHS must comply with the Common Law Duty of Confidentiality this also includes various national and professional standards and requirements.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you.
  • Keep records about you confidential and secure.
  • Provide information in a format that is accessible to you.

Use of Email – Some services in the Practice provide the option to communicate with patients via email.

Please be aware that the Practice cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

How Long We Keep Your Information For

All records held by the Practice will be kept for the duration specified by national guidance from the Department of Health. Records Management Code of Practice for Health and Social Care 2016 We will keep a copy of your information in our Practice for as long as you are registered with our Practice and If you leave the practice we will ensure that a copy of anything we hold is passed on to your new GP.  Your record status will be marked as ‘inactive’ in our clinical system but it will not be deleted. Confidential information is securely destroyed in accordance with this code of practice.

What Your Rights Are

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our Access to Health Record Policy and Disclosure of Personal Data Procedure
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is also explained in our “Access to Health Record Policy and Disclosure of Personal Data Procedure”.
  • Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information. Where the Practice processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing. You must have an objection on grounds relating to your particular situation. If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
  • Refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.
  • Request your personal information to be transferred to other providers on certain occasions.

National Data Opt-Out Programme

Folly Lane Medical Centre is one of many organisation working in the health and care system to improve care for patients and the public. The information collected about you whenever you use a health or care service can be provided to other approved organisations, where there is a legal basis, to help with planning services, improving quality and standards of care provided, monitoring safety, research into developing new treatments and preventing illness. All these uses help to provide better health care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care. You can find out more about the wider use of confidential personal information and to register your choice to opt out by visiting

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Practice under Data Protection and Freedom of Information legislation. If you wish to appeal a decision or make a complaint regarding our handling on data please contact them via:

Information Commissioner’s Office –
Wycliffe House
Water Lane
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate number)Fax: 01625 524 510Email:

Practice Information Governance Lead

Please contact the Practice Information Governance Lead – Folly Lane Medical Centre, Folly Lane, Warrington, Cheshire WA 0LU

Data Protection Officer

Deputy Director of Information and Acting Data Protection Officer: Malcolm Gandy
Information Governance Team –
St Helens & Knowsley Teaching Hospitals NHS Trust
Alexandra Business Park
Court Building
Prescot Road
St Helens
WA10 3TP

Young people – What is a Privacy Notice?

A Privacy notice helps your doctor’s surgery tell you how it uses information it has about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your Healthcare record whenever you come to see us. It also tells you how we make sure your information is kept safe

How we protect your information?

The General Data Protection Regulation (GDPR) came into force from 25th May 2018. This new regulation has been introduced to strengthen data protection for individuals within the EU. This will sit alongside the Data Protection Act 2018

What information do we collect about you?

We collect information about you such as: your name, why you are coming to see us, your birthday and year you were born, your address, the name of the person who will generally bring you to your appointments, your family doctor (General Practitioner or GP),  the reason that you are coming to see us, any information that your family doctor or you or your family gives us, test results, X-rays and any other information to enable us to care for you.

Why we collect it?

Our main purpose at Folly Lane Medical Centre is to deliver quality healthcare to adults and children. We collect the information we need to care for you in the best way. We ask for your address so that we know where we can contact you, we ask for your date of birth as your age may be important to your care and each time you come to see us we will write down things that you tell us, things that we tell you and any medicines or treatment we give you so that way we can look back at what we have done for you to make sure we are treating you in the best way.

What do we do with it?

We keep the information we collect electronically and on paper. All of this information together is called your Health Record and anyone involved in caring for you at the practice can see what has been collected. This way we can all make the right decisions about your care with all of the information you have given us.

Who we share it with?

We may share the information we record about you with other hospitals involved in your care. We routinely share information with school nurses, but not directly with school unless it is important for them to know. If you have a social worker, we will share it with them too. That way they are kept up to date on what we are doing for you. Your parents/guardians should get a copy of any letters we send to your doctor about your care.

If you tell us something that makes us worried about your safety or the safety of someone else you know, we might have to share this with other people outside of the practice – even if you don’t want us to. This is part of our job to keep you and others safe

How do we keep your information safe?

Everyone working in our practice understands that they need to keep your information safe; this is called keeping your information confidential or protecting your privacy. They have training every year to remind them of this, we tell them that they are only allowed to look at your information if they are involved in your care or to help us run our practice and they understand that they must keep any information safe especially the information that identifies you. This might be your name or address and anything you come to see us about. We are not allowed to give any of this type of information to anyone who shouldn’t see it. This includes talking to them about it.

Checking we are doing our best

All GP Practices are checked by organisations to make sure they are treating and caring for patients and families in the best way they can. The people who inspect us may ask to see a small number of Health Records. They check that notes are written clearly and are kept safe to ensure that we are recording and storing your information safely.

How long do we keep your information for?

We will keep a copy of your information in our Practice for as long as you are registered with our Practice and if you leave the Practice, we will ensure that a copy of any information we hold about you is passed on to your new GP. Your record status will be marked as “inactive” in our clinical system but it will not be deleted.

Am I able to see the information you collect about me?

Yes! You or your family will need to ask your doctor or nurse first though as there may be things that we would need to explain to you such as abbreviations or medical words.

Can I have a copy of my records?

Yes! Your parent/ guardian will need to contact us to tell us what they want to see – it may just be part of your record, your x ray or a report. We will check they are who they say they are to make sure we are not sharing your information with anyone who shouldn’t see it. You may be able to request your health records yourself.

 If I think some of my information is wrong can I do anything about it?

Yes! You or our parent or guardian needs to contact us and Let the practice know what it is that you think is wrong.

If I’m unhappy with the way you’ve used some of my information can I do anything?

Yes! Let us know by emailing us at If you’re still not happy, you can contact the Information Commissioners office

We hope this leaflet tells you what you need to know about the information we collect about you. If you want to know anything else, please email us at

General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19) 15/5/2020

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

  • To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

Accessibility tools

Return to header