NHS Digital

The data collected by NHS Digital

We will share structured and coded data from GP medical records that is needed for specific health and social care purposes as explained above.

Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one will be able to directly identify you in the data.

NHS Digital will collect:

  • Data on your sex, ethnicity, and sexual orientation
  • Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls and appointments including information about your physical, mental, and sexual health
  • Data about the staff who have treated you

More detailed information about the patient data collected is contained within the Data Provision Notice issued to GP practices.

NHS Digital will not collect:

  • Your name and address (except for your postcode in unique coded form)
  • Written notes (free text) such as the details of conversations with doctors and nurses
  • Images, letters and documents
  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment

NHS Digital legal basis for collecting, analysing and sharing patient data

When NHS Digital collects, analyses, publishes and shares patient data, there are strict laws in place that it must follow. Under the UK General Data Protection Regulation (UK GDPR), this includes explaining to patients what legal provisions apply under UK GDPR that allow it to process patient data. The UK GDPR protects everyone's data.

NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes. NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.

NHS Digital has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.

Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State has issued legal notices under COPI (COPI Notices) requiring NHS Digital, NHS England and Improvement, arm's-length bodies (such as Public Health England), local authorities, NHS trusts, clinical commissioning groups and GP practices to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use confidential patient information.

How NHS Digital uses patient data

NHS Digital will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes. NHS Digital will be able to use the de-identification software to convert the unique codes back to data that could directly identify patients in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before NHS Digital can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).

These national data sets are analysed and used by NHS Digital to produce national statistics and management information including public dashboards about health and social care which are published. NHS Digital never publish any patient data that could identify any individual. All data they publish is anonymous statistical data.

For more information about data NHS Digital publish see Data and Information and Data Dashboards.

Who does NHS Digital share patient data with?

All data that is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.

There are several organisations that are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

  • The Department of Health and Social Care and its executive agencies including Public Health England and other government departments
  • NHS England and NHS Improvement
  • Primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
  • Local authorities
  • Research organisations including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

If the request is approved, the data will either be made available within a secure data access environment within the NHS Digital infrastructure or, where the needs of the recipient cannot be met this way, as a direct dissemination of data. NHS Digital plan to reduce the amount of data being processed outside central, secure data environments and increase the data it makes available to be accessed via its secure data access environment.

Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form (personally identifiable data in the diagram above), for example, when express patient consent has been given to a researcher to link patient data from the General Practice Data for Planning and Research collection to data the researcher has already obtained from the patient. It is therefore possible for NHS Digital to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality. This would include:

  • Where the data is needed by a health professional for the patient’s own care and treatment
  • Where the patient has expressly consented to this, for example to participate in a clinical trial
  • Where there is a legal obligation, for example where there are COPI Notices
  • Where approval has been provided by the Health Research Authority or the Secretary of State with support from the Confidentiality Advisory Group (CAG) under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) - this is sometimes known as a ‘section 251 approval’

This would mean that the data was personally identifiable in the diagram above. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service and subject to independent assurance by IGARD and consultation with the Professional Advisory Group which is made up of representatives from the BMA and the RCGP. If patients have registered a national data opt-out this would be applied in accordance with the national data opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about the patient was shared.

Details of who NHS Digital have shared data with, in what form and for what purposes are published on their data release register.

Where does NHS Digital store patient data?

NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow patients to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK.

Some of the NHS Digital processors may process patient data outside of the UK. If they do, they will always ensure that the transfer outside of the UK complies with data protection laws.

What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

  1. Contact the organisation via email at docman.p88018@nhs.net. GP practices are data controllers for the data they hold about their patients
  2. Write to the data protection officer at nhsgm.gmgpdpo@nhs.net
  3. Ask to speak to the practice manager Michelle Davenport

The data protection officer (DPO) for Park View Group Practice is Ruth Quinn

Objections or complaints

In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the practice manager at Park View Group Practice, 2 Longford Road West, Reddish, Stockport, SK5 6ET in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113.

The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. 

Page last reviewed: 06 November 2025
Page created: 06 November 2025