As part of the NHS, we need and want to share data in various ways but we also want to protect your confidential and personal information. Data about health can be used for various reasons, both internally within the practice, and externally with various services.
The General Data Protection Regulation (GDPR) came in to effect in May 2018. The aim of GDPR is to protect all EU citizens from breaches of data or privacy. Please see our privacy notices if you'd like to find out more specifically about what information we hold on you, how we manage it, who we share it with and what we do to protect your information.
Internally we analyse our records so that we know who has diabetes, heart disease, etc. so we can arrange regular recalls etc., and who is on which drug so we can alert you if there is a health warning etc. This is normal good medical care.
Externally we share data with other NHS services, either anonymously, in aggregate form, or in a way that identifies individuals.
- Anonymous data relates to data is about an individual but all identifying data is obscured so as to make it impossible to identify them.
- Aggregate data might be information about total numbers of patients with particular conditions, receiving vaccinations, etc. No personal data is included. This data helps the NHS plan and provide appropriate services nationally and locally.
- Identifiable data is included in the letters we send to hospitals and other agencies about you.
Here we attempt to describe some of the ways data is shared with external agencies.
Sharing within the NHS
Data has been used for many years to assess health needs. Information of vaccination rates, disease prevalence (such as numbers of diabetics, heart disease patients, etc) are collected as well as data about age, sex, appointments. Currently there are various ways we share data to enable us to care for you better.
Hospital letters (Identifiable data)
Whenever we refer you to hospital or another provider, we routinely send a referral letter, which contains details of the reason for referral, together with standard information regarding your current medication, significant medical problems, allergies and other relevant information such as height, weight and contact details, (name DoB, address etc). This is essential so that the hospital is informed of your medical background and helps reduce mistakes.
QOF and Enhanced Services (Aggregate data)
As part of the mechanism for being paid the practice must provide data in order to demonstrate good care. This includes the number of patients with various diseases, (Diabetes, hypertension, asthma etc) as well as care indicators like the number of cervical smears taken or the number of patients with Blood Pressure readings under a certain level. No patient identifiable data is uploaded, just numbers. However we may, in theory, be inspected to verify these bits of information, which means an inspection team (of doctors and nurses) visits the practice to check the records of specific patients. This is not looking at you but to check we have done what we said we have done.
QResearch (Anonymous data)
The University of Nottingham, in conjunction with our clinical software supplier, have established a research database of GP records to which we contribute. This extracts the basics of your records in a completely anonymous format to a secure database in Nottingham and has been used for many ground breaking bits of research including heart and diabetes risk scores which we now use in practice.
SCR (Identifiable data)
This is a national database (Summary Care Record) that is intended to provide basic health information to all providers who need it. Your demographics (name DoB address etc) as well as basic medical information (initially drugs and allergies) are stored and made accessible to anyone needing it within the NHS - if, for example, you needed to see a doctor, or attend hospital in another part of the country. You can ask to “opt out” of the SCR if you wish by asking us to amend your records.
Sharing Agreements (Identifiable data)
Many NHS organisations across Merseyside, including hospitals and community services have access to a subset of your data. However, they cannot access this without your consent at the time.
Identifiable Information about you (such as your postcode, gender, date of birth and NHS number, but not your name) and the care you receive is shared, in a secure system, by healthcare staff.
The NHS uses this information to plan and improve services for all patients and aims to link information from all the different places where you receive care, such as your GP, hospital and community service, to help them provide a full picture. This allows the NHS to compare the care received in different areas, so they can see what has worked best.
An anonymous extract of this information, which does not reveal your identity, can then be used by others, such as researchers and those planning health services, to make sure the NHS provides the best care possible for everyone.
How your information is used and shared is controlled by law and strict rules are in place to protect your privacy.
Sharing with Other Agencies
Insurance Companies etc. (Identifiable data)
Insurance companies may ask us for reports in two formats:
A general request asking for a standard and nationally agreed set of data, (medication, allergies, medical problem list, blood results etc).
Tailored reports ask about a specific condition that you may be claiming for or that will affect their decision.
We always insist on written consent to release this information and you may see the report first if you wish. Insurance companies may also request a “medical examination” where we act on behalf of the company, to assess their risks.
Solicitors and medical claims. (Identifiable data)
We are asked by solicitors for medical information on your behalf. Increasingly this is a request for your whole notes and you need to be aware that all records will be sent. Alternatively they ask for details following a particular incident (such as a car crash) when we write specifically in response to their request and limit the information to the specific question. Both requests require your consent.
We do ask patients to be careful what information about themselves they authorise Solicitors etc. to apply for on their behalf and suggest they restrict it to being relevant to the matters in hand otherwise full details of their health records without anything omitted from birth onwards will have to be provided.
Local Authorities, Police, etc.
We may be asked to share specific data with the Local Authority (e.g. for Child Protection purposes, where the safety of the child is paramount) or with the Police. Each such request is considered on a case-by-case basis; we follow the Data Protection Act in deciding whether to share data at all and, if so, what data to share.
It is possible to “opt out” of identifiable (SCR and care.data) data sharing if you wish. You can download a form here.
What records can you have access to?
You have a right to see any records that we hold about you and which to not involve anything from third parties unless they consent (it does not apply to third parties who have provided us with information about your health as part of a consultation in Hospital etc. and their correspondence to us can be passed on to you). Please see the section on this website about how to access your own data under "Access your Records"
Covid 19 data sharing
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. For more information about this see:
There have also been national changes to the way summary care records are shared during the pandemic period. For more information about this see: