Use of personal health information
Health data and information are safeguarded not only by the duty of confidentiality of the medical profession, but also by data protection laws. These laws are changing and evolving so that your personal data can still be secure in the ever-advancing digital age in which we live. Most recently, General Data Protection Regulation (GDPR) came into force in the UK in May 2018, as did the 2018 update to the Data Protection Act.
Data protection laws keeping data secure
The NHS holds data on everyone who uses the service. It is obliged to maintain confidentiality and keep the data safe. It is also obliged to share that information in certain circumstances – for example, with other health professionals looking after you. It is important that this information is stored and shared securely and according to law. A number of laws and regulations help to keep data secure, including:
- General Data Protection Regulation (GDPR). This is a new EU regulation which came into force in May 2018, to help keep data safe in the digital age. The basic principles of the way the NHS handles your data are unchanged by this new regulation. Information must be handled and processed in a way which is secure, accurate and lawful. GDPR adds that data breaches must be reported promptly and that they can lead to large penalties (fines).
- The Data Protection Act. This is the law for data protection in the UK, which sets out how GDPR is applied to the UK specifically. The 1998 Act was updated in 2018 in order to be in line with the EU regulation.
Organisations and individuals who help to keep data secure
- Data controllers. This applies to the health organisation as a whole and the GP practices, community services and hospitals, etc, who work within it. All have to handle and process data under strict guidelines.
- NHS Digital. The organisation now known as NHS Digital calls itself the national information and technology partner to the health and care system. NHS Digital collects, publishes and processes data and information from across the health and social care system in England. It has systems in place for ensuring this to-and-fro of information is secure and appropriate. Similar organisations operate in Scotland (Information and Statistics Division of the NHS in Scotland), Northern Ireland (The Health & Social Care Board, N. Ireland) and Wales (NHS Wales Informatics Service).
- The Caldicott Guardian. This is the name for the ‘National Data Guardian’ who works with the government and the NHS to provide advice to professionals on keeping healthcare information secure. In 2014, Dame Fiona Caldicott became the first such guardian. She provides guidance and challenge to the government on data issues such as patient confidentiality, information sharing and avoiding abuse of public trust in how health and care data are used. The latest guidance on how to achieve data standards is called The Data Security and Protection (DSP) Toolkit.
Accessing your own data and health information
You have the right to see the information the NHS holds on you personally. You can do this via GP online systems or by asking to see or have copies of part or all of your records. You will not be charged for this, within limits.
If your child is thought to be able to understand about sharing information then they will need to give consent before you can access any information about them. This varies but is usually thought to apply to children from the age of 12 years or so.
You have no right to access health information on your ‘next of kin’ unless they request this and consent to it.
Sharing your health data and information
Some of the information the NHS holds about you is administrative – your name, gender, date of birth, address, etc. Other information is highly sensitive personal health information about you. This includes medical conditions and medications. It can be shared in a way which is identifiable, anonymous, or somewhere in between, depending on the purpose. At times, the NHS may need to share your data or health information, sometimes for your personal benefit, other times in the public interest. Other than when there is a danger to others or yourself involved, you have the option to ‘opt out’ and not to allow sharing of this information.
Some of the situations where data or information is shared are briefly explained below.
- Summary Care Record (SCR). The idea of the SCR is that basic health information about you personally is available electronically across health settings. So if you found yourself unconscious in an A&E department, for example, the doctors there would be able to see any medication, allergies or medical conditions which might be crucial to them looking after you. Only authorised staff who are directly involved in caring for you can see it. Your SCR is created automatically by your GP practice, unless you have chosen to opt out. If you choose to opt out, tell your GP or fill in an opt-out form and give it to your GP practice (the forms are usually available on the practice website).
- Other sharing between other health professionals. Your GP will need to share basic health information about you when referring you to another NHS service – for example, a specialist hospital clinic, A&E, a district nurse, podiatrist, physiotherapist, etc. They are obliged to only share the relevant information within your records. Likewise, if you are seen in a hospital clinic, the doctor there will write back to your GP telling them the outcome.
- NHS Digital. Health and administrative information (patient data) about you is used directly for your care but is also put to another ‘secondary’ use. This includes planning the way health service resources are allocated and organised, research into new and existing treatments, and improving the way in which conditions are diagnosed. Usually the way in which this information is used is non-identifiable or anonymous, but sometimes it is used in a way which can be traced to specific people. NHS Digital, which manages this flow of information, has undertaken not to pass any information on to firms trying to sell you products or services, or to insurance companies. It is also committed to keeping that information as securely as possible. You have the choice to allow this flow of information, to help with research and NHS planning, or to ‘opt out’ if you are concerned about the security or secondary use of information about you. In May 2018, along with GDPR, the ‘National Data Opt-out’ was introduced. Adults and teenagers from the age of 13 years have the right to opt out. To read more about what patient data are used for, and how to opt out, visit NHS Digital or the NHS page about your data.
- Insurance company requests. When you apply for insurance (e.g. for a mortgage or critical illness cover), the company will often want medical information from your GP. Your GP will only give this information if you have agreed (consented). However, unfortunately, if you do not agree you may not be able to get the insurance. The insurance company can only ask for relevant information, and you or your GP can object if they request your full records when this is not relevant.
The practice manages the confidentiality of your medical records in accordance with the Data Protection Act 1998. Our ICB may require some of this data for auditing and research purposes. You may request that your data is excluded from these audits and research at any time. Please speak with reception for more information.
Please click HERE and HERE for important information on how North East London ICB uses your medical records & General Data Protection Regulation (GDPR):
Your Data Matters to the NHS
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How your data is used
Information about your individual care such as treatment and diagnosis is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital.
It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.
Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.
You have a choice
You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.
Will choosing this opt-out affect your care and treatment?
No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.
What do you need to do?
If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.
To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www.nhs.uk/your-nhs-data-matters.
GPDPR – 1st September 2021
The data held in GP medical records is used to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone.
You may have seen concerns expressed in the media in June 2021 about the new ways the NHS plans to collect and extract patient data for planning purposes. The existing GP Data Extraction System (GPES) is due to be replaced on 1st September 2021 with a new system called the General Practice Data for Planning and Research (GPDPR), under legislation (General Practice Data for Planning and Research (GPDPR) – NHS Digital).
The British Medical Association’s statement is a good summary of what is going on and that it is a legal obligation for general practices like WLMC to comply:
“NHS Digital issued a DPN (data provision notice) on 12 May 2021 as part of the development of GPDPR (GP data for planning and research). This is a planned replacement for the GPES (GP extraction service) to collect data for planning and research from general practices in England.
It is a legal obligation to comply with the DPN as a result of a new direction from the secretary of state for health and social care as part of the Health and Care Act 2012. Once fully established, this new collection will replace multiple other data collections from general practices. Read our full statement >
However, GPC England chair Richard Vautrey and RCGP chair Martin Marshall wrote to NHS Digital at the end of last week to express their concerns about the lack of communication with the public regarding the GPDPR programme. Read their information to the public and practices >
GPC England and the RCGP informed NHS Digital that while they are aware of the crucial role that GP data plays in research and planning to improve public health, it is important that any sharing of data is transparent and maintains public trust in how general practice and the NHS uses their information.
We have strongly lobbied NHS Digital to reconsider their timetable for implementation and called on them to run a comprehensive and significant public awareness campaign to increase communication with patients and practices.”
What Data is shared?
The extraction will take almost all the coded data from our patients’ records and pseudonymise (not anonymise) it for the purpose of research and planning.
The data that may be shared will be data from the medical records of:
- Any living patient registered at a GP practice in England when the collection started. This includes adults and children.
- Any patient who dies after 1st July 2021, and was previously registered at a GP practice in England when the data collection started.
The NHS does not collect patients’ names or addresses. Records will be “pseudonymised”, which means that identifiers such as date of birth, NHS number and exact postcode will be replaced by a code. This process is called pseudonymisation, and means the patient will not be identified directly in the data.
What are Some Concerned About?
Some GPs and privacy campaigners are concerned about issues of data security. There is a long list of organisations outside the NHS, detailed on the NHS Digital website, including other government departments, research bodies, charities and pharmaceutical companies, with whom they might share the data.
Pseudonymisation can be reversed, according to NHS Digital, if there is “a valid legal reason” to do so. The concern is that it is not clear what such a reason might be, and the fact that it is possible to re-identify the records at all may itself be a cause for concern.
Some are not confident that the tight rules and contracts proposed to prevent recipients of the data doing their own work to re-identify patients – for example, by combining bits of data with information gleaned from social media – will be 100% effective.
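The following is an added illustration, not code from this practice's page or from NHS Digital's actual extraction pipeline, of the pseudonymisation described above: the record, the field names and the use of a keyed hash plus a separate lookup table are all assumptions. It shows why the data controller holding the key can reverse the process when there is a valid legal reason, while a recipient holding only the released record cannot.

```python
import hashlib
import hmac
import secrets

# Constructed sample GP record; every value here is made up for this example.
SAMPLE_RECORD = {
    "name": "Example Patient",        # not collected at all by the extraction
    "address": "1 Example Street",    # not collected at all by the extraction
    "nhs_number": "9434765919",
    "date_of_birth": "1970-01-01",
    "postcode": "AB1 2CD",
    "coded_data": ["Type 2 diabetes mellitus (coded)", "metformin (coded)"],
}

NOT_COLLECTED = ("name", "address")
IDENTIFIERS = ("nhs_number", "date_of_birth", "postcode")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier. The same input always gives the same
    token, so a patient's records stay linkable, but without `key` the token
    cannot be computed or turned back into the identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` fit for release. Names and addresses are
    dropped; identifiers are replaced by tokens. The token -> identifier
    mapping is written to `lookup`, which stays with the key-holder only."""
    released = {k: v for k, v in record.items() if k not in NOT_COLLECTED}
    for field in IDENTIFIERS:
        token = pseudonym(released[field], key)
        lookup[token] = released[field]
        released[field] = token
    return released


def reidentify(released: dict, lookup: dict) -> dict:
    """Reverse the process. Only whoever holds `lookup` (or the key) can do
    this; the released record alone does not contain the identifiers."""
    return {k: (lookup.get(v, v) if k in IDENTIFIERS else v)
            for k, v in released.items()}


def demo():
    key = secrets.token_bytes(32)   # held by the data controller, never released
    lookup = {}
    released = pseudonymise(SAMPLE_RECORD, key, lookup)
    restored = reidentify(released, lookup)
    return released, restored
```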
Most doctors and most patients are only just learning about this project, at a time when General Practice is exceptionally busy and when time is short to give this matter consideration. (Ref: Apple News – Helen Salisbury – June 1, 2021 10:40 am (updated June 1, 2021 2:14 pm).)
How Can You Opt Out?
There are two types of opting out:
1. Opt out by submitting this form to your GP.
2. For any data that has left the GP practice, you would also need to register your objection here: Overview – Choose if data from your health records is shared for research and planning – NHS (www.nhs.uk).