You and Your Medical Data



Individual Right's Policy      Privacy Notice


Are you aware that your personal medical information that you share with your GP or other healthcare professional is about to be extracted and stored on a computer outside of the control of this practice where the practice will have no say on who has access to that information?

Purpose of this leaflet:

There are changes occurring in how we protect the confidential and personal information that we record in your medical records. The changes make it a legal obligation for us to share your information (see below). The proposed benefits of sharing identifiable data are to help to plan and monitor effective patient services, especially where patients receive care from several different organisations.

We feel it is vital that you as our patient are made aware of these changes. This leaflet has been produced to help you understand what currently happens to information you share with your health professional and how that information may be used outside of your direct care.

The majority of patients come to their GP practice when they have something wrong with them. Problems discussed are usually of a personal nature and patients expect that the information they are sharing will remain confidential. This confidentiality is central to the trust between healthcare professionals and you as our patient. Without doctor-patient confidentiality, you may be reluctant to disclose information of a personal nature that we may need to help provide you with the best possible healthcare.

What we record at Our practice

Healthcare professionals in our practice record information about the care we provide.

The type of information that is recorded includes the following;

  • Demographics, e.g. address, telephone number, e-mail, date of birth, gender, etc. 
  • What you tell us when you see us in consultations e.g. about your physical and psychological health and social circumstances 
  • Diagnoses, investigations, treatments, referrals, family background 
  • Social information e.g. housing status, alcohol, smoking data 
  • Third party sources e.g. hospital letters, A&E attendances, relatives, carers, insurance companies, solicitors.

What we already share about you:

We share different types of information about our patients. These include:

  • Personal information about you and your illness, when needed for your direct care, e.g. referral to hospital consultants, district nurses, health visitors, midwives, counsellors, the summary care record.
  • Patient identifiable information to public health, in order to arrange programs for childhood immunisations, communicable diseases, cervical smears and retinal screening.  
  • With explicit consent, personal information to other organisations outside the NHS, e.g. insurance companies, benefits agencies. 
  • Limited information about you, if relevant, to protect you and others, e.g. to social services child protection investigations.  
  • Under certain acts of parliament to protect you and others e.g. court order.  
  • Summary information which is anonymised (can not identify you) e.g. quality and outcome frameworks (QoF), medical research and clinical audit.

It is also important to understand that currently a limited amount of patient information or data is used mostly at local level to help design health services or undertake clinical audit.  Some information is used at a national level.  Information from lots of individual patients allows the NHS to build a picture of what is happening to the nation’s health. The majority of this information is anonymised before it leaves the healthcare professional, in other words no one can identify who the information relates to.

How we protect your personal information:

Currently, your GP is responsible for protecting your information and to do this they comply with the Data Protection Act 1998 (DPA). As part of the DPA, all healthcare professionals have an obligation to only share information on a need to know basis. For further information on the DPA please follow this link: (

The physical storage of information is on secure servers which are protected by firewalls. Access to the information is by strong authenticated password. The number of people who have access to your information is limited to members of the practice team and in a few instances some pre agreed data is shared with other health care professional e.g. District nurses but on a need to know basis.

So what is changing?

Under the Health and Social Care Act 2012 the Health & Social Care Information Centre (HSCIC) on behalf of NHS England (the body responsible for commissioning health services across England) will be able to extract personal and identifiable information about all patients in England.  The programme, called, is administered by the HSCIC using software and services provided by a private sector company. Once your identifiable information has been taken from different health organisations (GP practices , hospitals, mental health trusts) it will then be linked together to produce a complete record about you.  This information will be stored on national secure servers and will be managed by HSCIC.  Although access to information will be strictly controlled, the HSCIC is planning to share this information with other organisations both NHS and private.  The HSCIC will decide what information they will share and who they then share this information with. 

Your GP will not be able to object to this information being released to HSCIC and will no longer be able to protect your information under the DPA as stated above. Effectively, where the HSCIC is concerned the health and social care act over rules the DPA with regard to disclosure of personal information.

What you need to do:

  • If you are happy for NHS England to direct the HSCIC to extract, store and manage/use your personal information then you need do nothing as the information will be automatically taken from your GP’s computer systems. 
  • If you don’t wish your information to be extracted from the practice records then you MUST inform your GP practice who will then block the uploading of your identifiable and personal information to the HSCIC. 
  • If you are happy for your information to be extracted and used by the HSCIC for anonymised reports and research, but NOT happy for it to be shared by the HSCIC with other agencies or companies, you can ask your GP practice to add a code to your record which will alert the HSCIC not to use your information in this way. This choice, if you should make it, will also prevent the HSCIC from sharing further any other data they have gathered about you from hospitals and other sources.
  • It should be emphasised that your access to health care and the care that you receive will not be affected by either decision.

Further information:

If you wish to enquire further, more information about the HSCIC and is to be found on the internet: go to or Google for ‘ HSCIC’. The HSCIC has a public telephone number: 0845-300-6016. If you encounter difficulty with this, please contact reception at the surgery.

Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website