General Data Protection Regulation

Practice Privacy Notice

Access to Records

In accordance with the Data Protection Act 1998, Access to Health Records Act and current GDPR legislation, patients may request to see their medical records. This is known as a Subject Access Request. Such requests should be made through the practice manager by email: admin.millroadsurgery@nhs.net by letter or telephone or in person.  No information will be released without the patient consent unless we are legally obliged to do so.  We are legally obliged to provide this information within one calendar month unless there are mitigating circumstances. There may be charges for access requests from third parties, such as insurance companies or solicitors.  A form has been provided below but this is not obligatory.

Mill Road SAR Policy

Subject Access Request Form

Subject Access Request on behalf of an individual

The Practice is compliant with Data Protection and is registered with the ICO.

ICO (Information Commissioner's Office) Reference No: Z9940707

General Practice Data and Planning for Research (GDPR)

NHS Digital's daily collection of GP data will support vital health and care planning and research.

Why NHS Digital collects general practice data

NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.

NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.

NHS Digital has engaged with doctors, patients, data and governance experts to design a new approach to collect data from general practice that:

  • reduces burden on GP practices
  • explains clearly how data is used 
  • supports processes that manage and enable lawful access to patient data to improve health and social care

What the data will be used for

Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps us to understand whether the health and care system as a whole is working for patients.

In addition to replacing what GPES already does, the General Practice Data for Planning and Research service will also help to support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including coronavirus (COVID-19) and enable many different areas of research, for example:

1. Research the long-term impact of coronavirus on the population

There is a lot about coronavirus that we do not know, including the long-term health impacts. Patient data from GP medical records will be very important in the coming months and years, as scientists analyse and understand the impact of the virus on human health.

2. Analyse healthcare inequalities

For example, to understand how people of different ethnicities access healthcare and how the outcomes of particular groups compare to the rest of the population. This will help the NHS to assess healthcare inequalities and make any necessary changes to its services.

3. Research and develop cures for serious illnesses

For example, patient data is being used by the University of Oxford RECOVERY trial, which has found ways to improve the treatment for people with coronavirus.

Researchers have previously used patient data from GP medical records to show that there was no association between the measles, mumps and rubella vaccine and the development of autism; to confirm the safety of the meningococcal group B vaccine; and to investigate whether certain medications increase the risk of cancer.


What data is shared

This data will be shared from 1 September 2021. Data may be shared from the GP medical records about:

  • any living patient registered at a GP practice in England when the collection started - this includes children and adults
  • any patient who died after 1 September 2021, and was previously registered at a GP practice in England when the data collection started

NHS Digital will not collect patients’ names or addresses. Any other data that could directly identify patients (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that patients will not be identified directly in the data. NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.

We will collect structured and coded data from patient medical records.

NHS Digital will collect:
  • data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
  • data on sex, ethnicity and sexual orientation
  • data about staff who have treated patients
NHS Digital does not collect:
  • name and address (except for postcode, protected in a unique coded form)
  • written notes (free text), such as the details of conversations with doctors and nurses
  • images, letters and documents  
  • coded data that is not needed due to its age - for example medication, referral and appointment data that is over 10 years old
  • coded data that GPs are not permitted to share by law - for example certain codes about IVF treatment, and certain information about gender re-assignment

What is structured and coded data?

Structured patient data is information that is recorded and stored within medical record systems by organising it into different kinds of data, for example appointments or dates. This often restricts the data to a particular format or value from a list. Examples include:

  • appointment date - which must be a date
  • the type of healthcare professional that you saw - picked from a list of possible healthcare professionals such as ‘Practice Nurse’ or ‘Counsellor’

Coded patient data is information that is recorded and stored within medical record systems by using codes from a special list, that contains clinical vocabulary used by GPs. Examples include codes for weight, blood pressure, a prescribed medication or a specific diagnosis.


Opting out

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

We will not collect data from GP practices about patients who have registered a Type 1 Opt-out with their practice. More information about Type 1 Opt-outs is in our GP Data for Planning and Research Transparency Notice, including a form that you can complete and send to your GP practice.

This collection will start on 1 September 2021 so if you do not want your data to be shared with NHS Digital please register your Type 1 Opt-out with your GP practice.

If you register a Type 1 Opt-out after this collection has started, no more of your data will be shared with us. We will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.

National Data Opt-out (opting out of NHS Digital sharing your data)

We will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you - this includes GP data, or other data we hold, such as hospital data - with other organisations, unless there is an exemption to this.

To find out more information and how to register a National Data Opt-Out, please read our GP Data for Planning and Research Transparency Notice.


How we make data available

NHS Digital collects, analyses, publishes and shares health and care data safely, securely and appropriately as part of our statutory functions.

Data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality. Organisations using this data must have a clear legal basis to do so for health and care purposes and only the minimum amount of data needed to meet the specific purpose will be made available.

Data will only be made available in response to appropriate requests from organisations which are approved following independent scrutiny by our Independent Group Advising on the Release of Data.

More information about how and why NHS Digital will share data from GP practices is available in our General Practice Data for Planning and Research Transparency Notice. We also publish information about the data that we share in our data release register.


Additional information for patients and the public

More information for patients and the public about how NHS Digital is processing GP data to support health and care, including our legal basis and your choices can be found in NHS Digital's GP Data for Planning and Research Transparency Notice




 
Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website