Data Protection Act

Your personal information in someone else’s hands

Are you aware that your personal medical information that you share with your GP or other healthcare professional is about to be extracted and stored on a computer outside of this practice where the practice will have no say on who has access to that information?

Purpose of this leaflet:

There are changes occurring in how we protect the confidential and personal information that we record in your medical records.  The changes make it a legal obligation for us to share your information (see below).  We feel it is vital that you as our patient are made aware of these changes.

The majority of patients come to their GP Practice when they have something wrong with them. Problems discussed are usually of a personal nature and patients expect that the information they are sharing will remain confidential. This confidentiality is central to the trust between healthcare professionals and you as our patient. Without confidentiality, you may be reluctant to disclose information of a personal nature that we may need to help provide you with the best possible healthcare.

What we record at Our Practice

Healthcare professionals in our practice record information about the care we provide.

The type of information that is recorded includes the following;

  • Demographics, e.g. address, telephone number, e-mail, date of birth, gender, etc.
  • What you tell us when you see us in consultations e.g. about your physical and  psychological health and social circumstances
  • Diagnoses, investigations, treatments, referrals, family background
  • Social information e.g. housing status, alcohol, smoking data
  • Third party sources e.g. hospital letters, A&E attendances, relatives, carers, insurance companies, solicitors.

What we already share about you:

We share different types of information about our patients. These include;

  • Personal information about you and your illness, e.g. referral to hospital consultants, district nurses, health visitors, midwives, counsellors.
  • With explicit consent personal information to other third parties’ e.g. insurance companies, benefits agencies.
  • Social information about you if relevant, e.g. to social services, to insurance companies.
  • Patient identifiable information to public health (childhood immunisations, communicable diseases, cervical smears and retinal screening) and under certain acts of parliament to protect you and others e.g. court order.
  • Summary information which is anonymised (can not identify you) e.g. quality and outcome frameworks (QoF), medical research and clinical audit.

How we protect your personal information:

Currently, your GP is responsible for protecting your information and to do this they comply with the Data Protection Act 1998 (DPA). As part of the DPA all healthcare professionals have an obligation to only share information on a need to know basis. For further information on the DPA please follow this link; (

The physical storage of information is on secure servers which are protected by firewalls.  Access to the information is by strong authenticated password.  The number of people who have access to your information is limited to members of the practice team and in a few instances some pre agreed data is shared with other health care professional e.g. District Nurses but on a need to know basis.

So what is changing?

Under the Health and Social Care Act 2012 the Health & Social Care Information Centre (HSCIC) on behalf of NHS England (the body responsible for commissioning primary care health services across England) will be able to extract personal and identifiable information about all patients in England.  The extraction process will be carried out by a private, third party organisation.  This information will be stored on national secure servers and will be managed by NHS England.  NHS England will decide what information they will share and who they then share this information with.

Your GP will not be able to object to this information being released to HSCIC and will no longer be able to protect your information under the DPA as stated above.  Effectively, where the HSCIC is concerned this Act trumps the DPA.

What you need to do:

  • If you are happy for NHS England to extract, store and manage/use your personal information then you need do nothing as the information will be automatically taken from your GP’s computer systems.
  • If you don’t wish your information to be extracted then you MUST inform your GP practice who will then block the uploading of your identifiable and personal information to the HSCIC.
  • It should be emphasised that your access to health care and the care that you receive will not be affected by either decision.

Further information:

If you have any questions or concerns regarding what you read in this leaflet, please contact reception at the surgery.  There are also two documents available to read hear:

Fair Processing (Privacy) notice for GP website

Making your local health record work better for you