GDPR & Privacy
National Data Opt-Out
Patients should have registered their preferences by 23 August 2021
You can choose whether your confidential patient information is used for research and planning. To find out more visit nhs.uk/your-nhs-data-matters.
You do not need to do anything if you are happy about how your confidential patient information is used. You can change your choice at any time.
Type 1 opt-out: medical records held at your GP practice
You can also tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a type 1 opt-out. This opt-out request can only be recorded by your GP practice.
Type 2 opt-out: information held by NHS Digital
Previously you could tell your GP practice if you did not want us, NHS Digital, to share confidential patient information that we collect from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
The type 2 opt-out was replaced by the national data opt-out. Type 2 opt-outs recorded on or before 11 October 2018 have been automatically converted to national data opt-outs.
Patients who can choose to set a national data opt-out
Anyone who has an NHS number and has registered for care or treatment with the NHS in England can set an opt-out if they wish to, even if they don’t currently live in England.
Patients who can set an opt-out choice for themselves
If a patient is aged 13 or over, they can set their own opt-out choice using the online service, the telephone service, the NHS App, or 'print-and-post', completing a form by hand and sending it in.
Patients who can set an opt-out choice on behalf of someone else
Someone can set an opt-out choice on behalf of a patient, by proxy, if:
- they are the parent or legal guardian of the patient, who is a child aged 12 or under
- they have a formal legal relationship with the patient, for example they have legal power of attorney or are a court-appointed deputy
They can only do this using the 'print and post' service.
Changing an opt-out choice
An opt-out choice can be changed at any time by the patient or their proxy.
Using the online service
Patients can set their own opt-out choice by visiting www.nhs.uk/your-nhs-data-matters using any internet enabled device. So that the service can confirm their identity, they will need to provide:
- their NHS number, or their postcode (as registered with their GP practice)
- their mobile phone number or email address provided previously at a GP practice or other NHS service
The online service is available 24 hours a day, 7 days a week.
Using the NHS App
Patients who have registered for the NHS App using NHS login can set a national data opt-out using the app.
Using the telephone service
Patients can set their own opt-out choice by calling 0300 303 5678.
Calling this number should cost no more than calls to a normal landline number.
The telephone service is available 9am to 5pm, Monday to Friday, apart from on English bank or public holidays.
If a patient is unable to use the online or telephone service, or would prefer not to, they can complete a paper form and post it.
The form can be downloaded from www.nhs.uk/your-nhs-data-matters or requested by calling the telephone service on 0300 303 5678.
Patients in prison or secure settings
There are special arrangements for patients in prison or other similar secure settings, known as detained and secure estates. A health and care professional can help register a patient’s opt-out choice. See Guidance for detained and secure estates.
During the process of setting their opt-out choice, the patient can choose their preferred communication method:
- SMS text
Once the process has been completed, the patient will receive a confirmation that their national data opt-out choice has been set.
See 3. Setting an opt-out in the national data opt-out operational policy guidance for full details.
ADDENDUM To Practice Privacy Notice for Purposes of COVID-19 updated 14th January 2021
COVID-19 and your information
Supplementary privacy note on COVID-19 for patients
This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our main privacy notice which is available below.
The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk and some FAQs on this law are also available on the NHSX website.
During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access Requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff and other health and care providers, for example neighbouring GP practices, hospitals, Paramedics and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency, we may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information is available about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you are experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
Practice Privacy Notice
This fair processing notice explains why the practice collects information about you and how that information may be used
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. Hospital, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following information:
- Details about you, such as your address, legal representative, emergency contact details
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you
Your records will be retained in accordance with the NHS Code of Practice for Records Management
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery may advise you of such research opportunities but will never release any of your personal information for this purpose without obtaining your consent.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality and Information Security
- Information: To Share or Not to Share Review
Every member of staff who works for the Practice or another NHS organisation has a legal obligation to keep information about you confidential. All staff employed by this Practice are requested to sign a confidentiality agreement upon appointment. Any breaches of this agreement will be dealt with by means of disciplinary action.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any 3rd party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on for example Child/Adult Protection and Serious Criminal Activity.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations or receive information from the following organisations:
- NHS Trusts / Foundation Trusts
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- NHS Digital
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- GM Care Record - for further information, please visit: https://healthinnovationmanchester.com/the-gm-care-record-privacy/
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and, in some cases, asked for explicit consent for this to happen when this is required.
We do not use external companies to process personal information or for archiving purposes.
Access to personal information
You have a right under the Data Protection Act 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
- Your request must be made in writing to the GP - for information from the hospital you should write direct to them
- There is no charge to have a printed copy of the information held about you but we are within our rights to request that you register for online access to enable you to access this information.
- Under the Data Protection Act 2018 we may impose a charge for printed copies of the same information if these can be deemed as excessive requests.
- We are required to respond to you within 30 days
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located
Objections / Complaints
Should you have any concerns about how your information is managed by your GP Practice, please contact the Practice Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner’s Office (ICO) via their website (www.ico.org.uk).
Change of Details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioner’s Office website www.ico.org.uk
The practice is registered with the Information Commissioner’s Office (ICO).
Who is the data Processor?
This is the person/people or organisation that is responsible for using and recording your information. All staff at Howard Medical Practice are individual Data Processors
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is Howard Medical Practice
Data Protection Officer (DPO)
The Data Protection Officer has overall responsibility for GDPR within this area. Our designated DPO is: Ms Jane Hill
She can be contacted by email: firstname.lastname@example.org Tel: 07951 530 417
GM Care Record
Keeping your personal data safe is central to the GM Care Record
Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provided. The GM Care record pulls together the information from these different health and social care records and displays it in one combined record.
How is your personal information kept safe and secure in the GM Care Record?
We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information.
Appropriate technical and security measures in place to protect the GM Care Record include:
- complying with Data Protection Legislation;
- encrypting Personal Data transmitted between partners;
- implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
- a requirement for organisations to complete the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements;
- use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the GM Care Record are auditable against an individual accessing the GM Care Record;
- ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.
The NHS Digital Code of Practice on Confidential Information applies to all NHS and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.
Privacy Notice - Call Recording
Which calls does this refer to?
This could include any incoming or outgoing telephone calls that are handled by the Howard Medical Practice.
Why are calls recorded?
It has become common practice to record calls due to the growth of business conducted by telephone. Recording conversations allows organisations to assess customer satisfaction, train and develop staff, review call quality, and have access to a verbal record of what is said in the event of a subsequent complaint. It also hopefully means employees feel more protected knowing that any threatening behaviour can be evidenced and acted upon where necessary.
How will call recordings be used?
- Quality monitoring. Written records only provide partial information. A call recording provides a more rounded view and allows us to better understand patient experience and assess the processes applied. This can help us identify any improvement areas.
- Training and Development. Listening to a sample number of calls allows managers to identify training needs. Sample scenarios are based on the recordings but any transcripts are anonymised.
- Gaining a better understanding of our customers – Many calls are verbally resolved without the need to complete any records. Listening to sample calls will help us better understand our customer needs, and gain a more informed view of organisations we signpost to.
- Complaints and disputes. Some calls are verbally resolved. Where information is entered onto an electronic system this becomes the established record. In the event of a complaint or dispute, a call recording (if available) may provide additional information to help us investigate any allegations.
Data Protection Officer
Our Practice Data Protection Officer is: Ms Jane Hill
She can be contacted by email: email@example.com
How have we informed our customers that we record calls?
Patients who ring the Practice will hear the following message:
All calls are recorded for training and monitoring purposes
Can I request a copy of my call recording?
Call recordings are destroyed after a maximum of 2 months. If the recording is still available, you can request a copy of your conversation by contacting the Practice: firstname.lastname@example.org
The copy will be provided to you in accordance with the terms of the Data Protection Act 2018 (GDPR) and will be treated as a Subject Access Request.