Privacy

As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Version: V2
Review date: 06/11/2025
Edited by: Heather Whitehouse
Approved by: Joanne Howard
Comments: Annual review

1 Introduction

1.1 Policy statement

This policy outlines how Malling Health will provide information to patients regarding how patient data is processed for the provision of direct care, research, audit and screening programmes.

This policy is to be read in conjunction with the organisation’s UK General Data Protection Regulation (UK GDPR) Policy.

UK General Data Protection Regulation (UK GDPR) and GDPR – The Perfect Practice eLearning courses are available in the HUB.

1.2 Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors.

2 Compliance with regulations

2.1 UK GDPR

This organisation will ensure that any personal data is processed in accordance with Article 5 of the UK GDPR and information about how this is done will be provided to patients in a format that is compliant with Article 12 of the UK GDPR.

2.2 Communicating privacy information

The BMA advises that this organisation must provide information to patients about how their data is processed in the form of a practice privacy notice. This organisation will display a privacy notice in the waiting room and on its website. A privacy notice template is available at Annex A. Note the template was sourced from the BMA.

2.3 What data will be collected?

The following data will be collected:

  • Patient details (name, date of birth, NHS number)
  • Address and next of kin information
  • Medical notes (paper and electronic)
  • Details of treatment and care, including medications
  • Results of tests (pathology, X-ray, etc.)
  • Any other pertinent information

2.4 National data opt-out programme

NHS Digital explains that the national data opt-out allows patients to choose if they do not want their confidential patient information to be used for purposes beyond their individual care and treatment.

NHS Digital provides detailed guidance for opt-outs, including those patients in secure settings. Additional information for patients is available from NHS England, Make a choice about sharing data from your health records.

This organisation will ensure compliance with the national data opt-out policy by following this guidance.

3 General practice data for planning and research data collection

3.1 Overview

NHS Digital advises that the General Practice Data for Planning and Research (GPDPR) programme has been designed to help the NHS:

  • Monitor the long-term safety and effectiveness of care
  • Plan how to deliver better health and care services
  • Prevent the spread of infectious diseases
  • Identify new treatments and medicines through health research

NHS Digital’s About the GPDPR programme and Looking after your data pages provide additional information on data sharing.

Further information is available within the National data opt-out guidance.

4 Further information

4.1 Available resources

The following resources are available for staff at this organisation:

4.2 Notifications for patients

Annex B – Social media/website information update
Annex C – Text messaging and telephone message information
Annex D – Staff opt-out guidance

Annex A – Practice privacy notice

Malling Health has a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in both electronic and paper format.

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer Heather Whitehouse at information.governance@malling.health or by telephone on 07436 153 411.

The main things the law says we must tell you about what we do with your personal data are:

  • We must let you know why we collect personal and healthcare information about you
  • We must let you know how we use any personal and/or healthcare information we hold about you
  • We need to inform you in respect of what we do with it
  • We need to tell you about who we share it with or pass it on to and why
  • We need to let you know how long we can keep it for.

Using your information

We will use your information so that we can check and review the quality of care we provide. This helps us improve our services to you.

  • We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital or your GP will send details about your prescription to your chosen pharmacy.
  • More information on how we share your information with organisations who are directly involved in your care can be found here: https://digital.nhs.uk/your-data
  • Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information see NHS Digital’s Summary Care Record or alternatively speak to this organisation.

You have the right to object to information being shared for your own care. Please speak to this organisation if you wish to object. You also have the right to have any mistakes or errors corrected.

Registering for NHS care

  • All patients who receive NHS care are registered on a national database (NHS Spine). The Spine is held and maintained by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
  • More information can be found at NHS Digital – Spine

Identifying patients who might be at risk of certain diseases

  • Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.
  • This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this organisation.

Safeguarding

  • Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare and we do not need your consent or agreement to do this.
  • Please ask to see our local policies for more information.

Medical research

  • This organisation shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. We will also use your medical records to carry out research within the organisation.
  • The use of information from GP medical records is very useful in developing new treatments and medicines; medical researchers use information from these records to help to answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
  • You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the organisation if you wish to object.

Checking the quality of care – national clinical audits

  • This organisation contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers to measure and check the quality of care that is provided to you.
  • The results of the checks or audits can show where organisations are doing well and where they need to improve. These results are also used to recommend improvements to patient care.
  • Data is sent to NHS Digital, a national body with legal responsibilities to collect data.
  • The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure.
  • We will only share your information for national clinical audits or checking purposes when the law allows.
  • For more information about national clinical audits see the Healthcare Quality Improvement Partnership website or telephone 020 7997 7370.
  • You have the right to object to your identifiable information being shared for national clinical audits. Please contact the organisation if you wish to object.

We are required by law to provide you with the following information about how we handle your information: 

Data Controller: Malling Health, 1st Floor, Rutherford House, Warrington Road, Birchwood, Warrington WA3 6ZH.
Data Protection Officer: Heather Whitehouse at information.governance@malling.health or by telephone on 07436 153 411.
Purpose of the processing
  • To give direct health or social care to individual patients.
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
  • To check and review the quality of care. (This is called audit and clinical governance).
  • Medical research and to check the quality of care that is given to patients (this is called national clinical audit).
Lawful basis for processing

These purposes are supported under the following sections of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits):

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

Article 9(2)(a) – ‘the data subject has given explicit consent…’

OR

Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data


The data will be shared with:

  • Healthcare professionals and staff at this surgery
  • Local hospitals
  • Out of hours services
  • Diagnostic and treatment centres
  • Other organisations involved in the provision of direct care to individual patients.

For national clinical audits that check the quality of care, the data will be shared with NHS Digital.

Right to object and the national data opt-out


You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice.

You are not able to object to your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care.

You are not able to object when information is legitimately shared for safeguarding reasons. In appropriate circumstances, it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The information will be shared with the local safeguarding service.

The national data opt-out model provides an easy way for you to opt-out of information that identifies you being used or shared for medical research purposes and quality checking or audit purposes.

Please contact the practice if you wish to opt-out. Further information is available from NHS England.

Right to access and correct

You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff to request a copy of our Access to Medical Records Policy.

We are not aware of any circumstances in which you will have the right to have correct information deleted from your medical record, although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information, and to contact us if you hold a different view.

Retention period


Records will be kept in line with the law and national guidance. Information about how long records are kept can be found in the Records Management Code of Practice.

Right to complain


You have the right to complain to the Information Commissioner’s Office. If you wish to complain, follow this link or call the helpline 0303 123 1113.

Data we get from other organisations

We receive information about your health from other organisations that are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happened. This means your GP medical record is kept up to date when you receive care from other parts of the health service.

Annex B – Social media/website information

Using your health data for planning and research

You can decide whether you wish to have your information extracted and there are two main options available to you.

Option 1:

Type 1 opt-out applies at organisational level and means that your medical record is not extracted from the organisation for any purpose other than for direct patient care. You can opt-out at any time. Opting out will mean that no further extractions will be taken from your medical record.

For a Type 1 Opt-out, you need to contact the organisation by phone, email or post to let us know that you wish to opt-out. Further information is available here.

Option 2:

The National Data Opt-out (NDO-O) allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes. You can opt-out at any time.

NDO-O – you need to inform NHS England. Unfortunately, this cannot be done by this organisation for you. You can opt in or out at any time and complete this by any of the following methods:

  • Online service – you will need to know your NHS number or your postcode as registered at this organisation; see Make your choice about sharing data from your health records.
  • Telephone service – 0300 303 5678, open Monday to Friday between 0900 and 1700.
  • NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play.
  • “Print and post” – Manage your choice.
    • Photocopies of proof of the applicant’s name (e.g., passport, UK driving licence) and address (e.g., utility bill, payslip) need to be sent with the application.

It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds LS1 9TZ.

Further information on NDO-O is available here.

Annex C – Patient text messaging and telephone message templates

Text message content template

You can opt-out of your health information being shared with NHS England for planning and research before the commencement date.

Visit Make your choice about sharing data from your health records for more information.

Patient information for website template

The way NHS England gathers patient data is changing. There is currently a lot of information online and in the news about your choices and opting out of these collections. You can opt-out of your GP record being shared with NHS England for planning and research, and this should be done before the commencement date.

For more information, please visit the privacy notice on our website or ask for a copy at reception.

Email response template

Thank you for your email regarding the sharing of patient data and being able to opt-out of these collections. The NHS England GP Data extraction is a legally required activity for this practice; however, you do have a right to opt-out of the sharing of your data for research and planning purposes.

NHS England provides a detailed guide for patients on how the information it extracts is used and how you can opt-out. This can be found at General Practice Data for Planning and Research (GPDPR).

Please be aware that there are two types of opt-out:

Type 1 Opt-out – applies at organisational level and means that the patient’s medical record is not extracted from the organisation for any purpose other than for direct patient care.

If you wish to opt-out, please let us know.

National Data Opt-out (NDO-O) – allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes.

If you wish to apply NDO-O, you must do this directly with NHS England. You can do this in any of the following ways:

  • Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice; see Make your choice about sharing data from your health records.
  • Telephone service – 0300 303 5678, open Monday to Friday between 0900 and 1700.
  • NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play.
  • “Print and post” – Manage your choice.

Photocopies of proof of the applicant’s name (e.g., passport, UK driving licence) and address (e.g., utility bill, payslip) need to be sent with the application to:

National Data Opt-out
Contact Centre
NHS England
7 and 8 Wellington Place
LEEDS
LS1 4AP

Note, it can take up to 14 days to process the form.

Telephone message template

We have received numerous enquiries about patient data being extracted by NHS England to be used for research and planning. You, as a patient, have the right to opt-out of your information being used in this way.

Extensive information about this process can be found by visiting our website or, if you do not have internet access, please speak with a member of our reception team who will be very happy to explain this to you.

Annex D – Organisational staff opt-out guidance

This guidance is provided to all staff who may be required to respond to queries about the current data opt-outs available.

Who is NHS England?

  • NHS England is the national information and technology partner for the health and care system
  • It provides information and data to the health service so that it can plan effectively and monitor progress; creates and maintains the technological infrastructure that keeps the health service running and links systems together to provide seamless care; and develops information standards that improve the way different parts of the system communicate
  • NHS England is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice

What does it do with the data it collects?

  • Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services.

While the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps NHS England to understand whether the health and care system as a whole is working for patients. For example, the data is used to:

  • Research the long-term impact of coronavirus on the population
  • Analyse healthcare inequalities
  • Research and develop cures for serious illnesses

What type of data does NHS England extract from the organisation?

  • Diagnoses and symptoms
  • Observations
  • Test results
  • Medications
  • Allergies and immunisations
  • Referrals, recalls and appointments
  • The patient’s sex, ethnicity and sexual orientation
  • Data about staff who have treated the patient

If a patient wishes to opt-out of data sharing, there are two types of opt-out:

  • Type 1 Opt-out applies at organisational level and means that the patient’s medical record is not extracted from the organisation for any purpose other than for direct patient care.
  • National Data Opt-out (NDO-O) allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes.

How does a patient opt-out?

  • Type 1 Opt-out – the patient must inform the practice of their decision, and the practice codes this locally on their clinical record.
  • National Data Opt-out (NDO-O) – the patient must do this themselves with NHS England. Unfortunately, this cannot be done by the organisation. The patient can do this by:
    • Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice; see Make your choice about sharing data from your health records.
    • Telephone service – 0300 303 5678, open Monday to Friday between 0900 and 1700.
    • NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play.
    • “Print and post” – Manage your choice.

Photocopies of proof of the applicant’s name (e.g., passport, UK driving licence) and address (e.g., utility bill, payslip) need to be sent with the application to:

National Data Opt-out
Contact Centre
NHS England
7 and 8 Wellington Place
LEEDS
LS1 4AP

Note, it can take up to 14 days to process the form.

  • A healthcare professional may assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available from NHS England and a proxy form is available to assist in registration.

Coding the patient record

If the patient wishes to opt-out – use code 827241000000103 Dissent from secondary use of general practitioner patient identifiable data (finding).

If the patient wishes to opt in – use code 827261000000102 Dissent withdrawn for secondary use of general practitioner.

Date published: 20th September, 2023
Date last updated: 15th November, 2024