GDPR – Practice Privacy Notice
How we use your Information
Memorial Medical Centre – Patient Privacy Notice
How we use your personal information
Memorial Medical Centre collects personal information about you in order to provide your
health care. When doing this the Memorial Medical Centre must respect your confidentiality
and comply with all applicable Data Protection legislation.
Our Lawful bases for processing your personal information
We must, among other things, ensure personal information held about you is only used for
specific purposes allowed by law. The Memorial Medical Centre collects and processes your
personal information as it is necessary for the purposes of preventative or occupational
medicine, medical diagnosis, and the provision of health or social care or treatment. This
leaflet answers questions you might ask about what personal information we hold, why, and
to whom it may be passed.
What personal information do we collect?
The personal information we collect, store and use about you can include:
Personal details e.g. name, date of birth, nationality, gender and NHS number.
Contact details e.g. phone number, email address and address.
Equality and diversity information about you. This may include special category
personal data like details of your ethnicity, sexual orientation, religious beliefs or
opinion, biometric data, criminal convictions and offences.
Information about next of kin or carers (including their contact details and their
relevant medical history if required).
Notes and reports relevant to your health, including any information you have told us
about your health.
Details of your treatment and care, including the professional opinion of the staff
caring for you.
Results of investigations, such as laboratory tests, scans and x-rays.
Relevant information from health and social care professionals, relatives or those
who care for you.
Communications, for example letters and emails between an NHS Trust providing
your treatment and you.
A full list of all of the people we share with can be found via the Memorial Medical Centre's
privacy notice which is on our website at www.memorialmedicalcentre.co.uk and displayed
in our waiting room.
What can we use your personal information for?
We can use your personal information to:
Provide you with health or social care.
Help other organisations provide you with health or social care.
If you agree, to help other organisations provide you with other public services.
Communicate with you and, if appropriate, your next of kin about your care.
Carry out internal audits and monitor the care we provide to ensure it is of the highest
Monitor equality and diversity.
We may use anonymised data to help train and educate our staff. Should we use
identifiable personal data we would always obtain your consent.
Respond to complaints.
Respond to queries from regulators like NHS Digital, the Care Quality Commission,
the General Medical Council, the Audit Commission, the Nursing & Midwifery Council
and the Health Service Ombudsman.
Conduct legal claims or seek legal advice.
Provide information to national registries that systematically collect data about
particular conditions to help research which is only undertaken when consent is
How do you store my records?
Personal information may be stored electronically on a computer system and/or manually in
a paper record form. When you arrive for an appointment, staff may check your details with
you to ensure that our records are accurate. To assist with this, we ask that you notify us
promptly of any changes to your personal details e.g. contact address, contact phone
number, email address, next of kin etc.
Sharing your personal data
Your personal data will only be disclosed to those who have a genuine need to know and
who agree to keep your information confidential. For your direct care we often share
GP federations and out of hours providers.
NHS hospitals e.g. NHS Trusts and NHS Foundation Trusts.
Organisations that deliver NHS services outside of hospital e.g. NHS Community
Health Trusts, Social Care Partnership Trust, and the Mental Health providers for
Private sector organisations that deliver NHS care in your area such as Virgin e.g.
private hospitals, dentists, opticians, pharmacists.
Voluntary sector organisations that deliver NHS care e.g. charities such as Wisdom
Hospice and Demelza.
Local authorities such as Kent County Council e.g. if social workers are part of the
Care Team, education services, children’s services, housing or benefit offices.
Organisations that provide diagnostic tests.
Solicitors for claims etc. but we will always obtain your written consent first.
The police for legal purposes.
Organisations that provide support health services such as running vaccination and
awareness clinics at our practices.
Organisations that provide ambulance services e.g. NHS Ambulance Trusts and
Do you share my personal information with third parties or non NHS agencies?
We may need to share your personal information with organisations that provide back office
support to the Practice in its delivery of services. These organisations are known as data
processors. These organisations are only able to use your personal information in
accordance with the Practice’s instructions and applicable laws:
Telephone services suppliers.
Suppliers of web hosting services.
Suppliers that we use to develop and improve the technology we use, including our
website and electronic patient records.
Can my personal information be shared without my consent?
Your personal information may not be shared without your consent except in a number of
limited circumstances when we are legally bound to do so to provide health and social care,
Where there is a danger of harm to a child or vulnerable adult.
As a result of a court order.
When it is absolutely necessary for the prevention or detection of crime or the
apprehension or prosecution of offenders.
Reporting notifiable infectious diseases.
Where there are serious risks to the public or staff.
The above may only take place when there is a clear legal basis to use your personal
information. All these uses help to provide better health and social care for you, your family
and future generations. Confidential patient information about your health and care is only
used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be
identified in which case your confidential patient information isn’t needed.
The Memorial Medical Centre is also working with NHS Digital to ensure compliance with the
National Opt-out programme on the use of NHS data from 2020. You have a choice about
whether you want your confidential patient information to be used in this way. If you are
happy with this use of information you do not need to do anything.
If you do choose to opt out your confidential patient information will still be used to support
your individual care. To find out more or to register your choice to opt out, please visit
www.nhs.uk/your-nhs-data-matters or call 0300 303 5678; there you will:
See what is meant by confidential patient information.
Find examples of when confidential patient information is used for individual care and
examples of when it is used for purposes beyond individual care.
Find out more about the benefits of sharing data.
Understand more about who uses the data.
Find out how your data is protected.
Be able to access the system to view, set or change your opt-out setting.
Find the contact telephone number if you want to know any more or to set/change your
opt-out by phone.
See the situations where the opt-out will not apply.
You can change your mind about your choice at any time.
Personal information being used or shared for purposes beyond individual care does not
include your personal information being shared with insurance companies or used for
marketing purposes as any of these would only be used in this way with your explicit
What if I change my mind after giving my consent for sharing or use of my
You have the right to restrict the use of your personal information in instances where your
consent is needed for us to share your personal information; unless it is in relation to
providing you with direct health and social care services or where the exceptional conditions
You can refuse or change your mind at any time about your consent; however this may
affect the healthcare that is available to you. You can change your mind, but please inform
us, so we can update our records.
Risk stratification is a mechanism used to identify and subsequently manage those patients
deemed as being at high risk of requiring urgent or emergency care. Usually this includes
patients with long-term conditions, e.g. cancer. Your information is collected by a number of
sources, including the Memorial Medical Centre; this information is processed electronically
and given a risk score which is relayed to your GP who can then decide on any necessary
actions to ensure that you receive the most appropriate care.
Your information may be shared if you have received treatment to determine which Clinical
Commissioning Group (CCG) is responsible for paying for your treatment. This information
may include your name, address and treatment date. All of this information is held securely
and confidentially; it will not be used for any other purpose or shared with any third parties.
In accordance with the NHS Codes of Practice for Records Management, your healthcare
records will be retained for 10 years after death, or if a patient emigrates, for 10 years after
the date of emigration.
How do you keep my records confidential?
Everyone working within the Memorial Medical Centre has a legal duty to keep information
about you confidential. There are strict codes of conduct in place to ensure your personal
information is safe, whether it is on paper or computer. Staff must abide by:
All applicable data protection legislation such as the EU General Data Protection
Regulation 2016 and Data Protection Act 2018.
Common Law Duty of Confidence.
NHS Code of Confidentiality
Can I get a copy of my records?
You have a right under the Data Protection legislation to access your medical records or
authorise a representative to do so. Personal information may be withheld if we believe it
could harm your physical or mental health. We would prefer your request in writing if
possible but will accept verbal requests if necessary: please contact us via our email at
firstname.lastname@example.org or by writing into the surgery at the below address:
Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
What other rights do I have?
You have the right to request that personal information about you that is factually incorrect
be rectified by being amended or supplemented with additional information. For any information
you do not agree with (but which is not factually incorrect), we will make a note on your records of
the point which you have drawn to our attention.
How can I complain about the way the Memorial Medical Centre handles my personal
If you are unhappy with the way we have dealt with your personal information please contact
the Practice in the first instance and then the Kent and Medway Clinical Commissioning
Group Data Protection Officers’ team at email@example.com or via
the Practice name at the address at the end of this leaflet. You also have the right to
complain directly to the Information Commissioner in relation to data protection. The contact
details are also at the end of this leaflet.
It is important to note that the General Practitioner (GP) record, usually held at the General
Practice, is the primary record of care and that the majority of other services must inform the
GP through a discharge note or a clinical correspondence that a patient has received care.
This record is to be retained for the life of the patient plus at least ten years after death. The
GP record transfers with the individual as they change GP throughout their lifetime.
Where can I find further information?
If you would like to know more about how we use your personal information or if you do not
wish to have your information to be used in any of the ways described above, please contact
the Memorial Medical Centre at the address at the end of this leaflet. You can also read
more about how we use your personal information on our website at
General information can be obtained from the Information Commissioner’s Office.
Information Commissioner’s Office: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
t: 0303 123 1113 www.ico.gov.uk
Who to contact
Practice details: Administration Team, Memorial Medical Centre, Bell Road, Sittingbourne,
Kent ME10 4XX
Name of Data Protection Officer for the Practice: Mrs Rebecca Unwin
Tel: 01795 477764
Helen Foreman – CCG Data Protection Officer
NHS Medway Clinical Commissioning Group,
Unit A, Compass Centre North, Pembroke Road,
Chatham Maritime, Kent, ME4 4YG
Tel: 03000 425100
our newsletter and on posters to reflect the changes.
Version | Review date | Edited by | Approved by | Comments
1 | 23.05.2018 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year
2 | 29.08.2019 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year
3 | 11.03.2020 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year
Practice Privacy Notice
1.1 Policy statement
NHS Digital collects information with the purpose of improving health and care for everyone. The information collected is used to:
• Run the health service
• Manage epidemics
• Plan for the future
• Research health conditions, diseases and treatments
NHS Digital is a data controller and has a legal duty, in line with the General Data Protection Regulation (GDPR), to explain why it is using patient data and what data is being used. Similarly, the Memorial Medical Centre has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.
The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.
1.4 Training and support
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2.1 Who it applies to
This document applies to all employees, partners and directors of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums and contractors, are encouraged to use it.
2.2 Why and how it applies to them
Everyone should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the practice will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the General Data Protection Regulation.
3 Definition of terms
3.1 Privacy notice
A statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
3.2 Data Protection Act 2018 (DPA18)
The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
3.3 Information Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
3.4 General Data Protection Regulation (GDPR)
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GDPR comes into effect on 25 May 2018.
3.5 Data controller
The entity that determines the purposes, conditions and means of the processing of personal data.
3.6 Data subject
A natural person whose personal data is processed by a controller or processor.
4 Compliance with regulations
In accordance with the GDPR, this practice will ensure that information provided to subjects about how their data is processed will be:
• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and
• Free of charge
4.2 Article 5 compliance
In accordance with Article 5 of the GDPR, this practice will ensure that any personal data is:
• Processed lawfully, fairly and in a transparent manner in relation to the data subject
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
4.3 Communicating privacy information
At the Memorial Medical Centre, the practice privacy notice is displayed on our website, through signage in the waiting room, and in writing during patient registration. We will:
• Inform patients how their data will be used and for what purpose
• Allow patients to opt out of sharing their data, should they so wish
4.4 What data will be collected?
At the Memorial Medical Centre, the following data will be collected:
• Patient details (name, date of birth, NHS number)
• Address and NOK information
• Medical notes (paper and electronic)
• Details of treatment and care, including medications
• Results of tests (pathology, X-ray, etc.)
• Any other pertinent information
4.5 National data opt-out programme
The national data opt-out programme will afford patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used just for their individual care and treatment or also used for research and planning purposes. This programme will be live with effect from 25 May 2018.
Patients who wish to opt out of data collection will be able to set their national data opt-out choice online. An alternative provision will be made for those patients who are unable to do so or who do not want to use the online system.
Individuals who have opted out using the existing Type 2 opt-out will be automatically transferred to the new national data opt-out system and will be notified on an individual basis of the change.
The following resources are available for staff at the Memorial Medical Centre:
• Pack A The NDG Review and Government Response Published March 2018
• Pack B Taking the National Data Opt-out Forward Published March 2018
• Pack C National Data Opt-out Approach Published March 2018
• Pack D National Data Opt-out Operational Policy Published November 2017
• Pack E1 Preparing for Implementation Published March 2018
• Pack F – Not yet published
• Pack G Fit with Data Protection Bill (GDPR) Published December 2017
Should any queries arise regarding the national data opt-out programme, the Memorial Medical Centre will email the query to the national data opt-out enquiries mailbox: firstname.lastname@example.org
To ensure that the Memorial Medical Centre is ready for the introduction of the national data opt-out programme, they will use the Readiness checklist.
4.6 Privacy notice checklists
The ICO has provided a privacy notice checklist which can be used to support the writing of the practice privacy notice. The checklist can be found by following this link.
4.7 Privacy notice template
A privacy notice template can be found at Annex A.
It is the responsibility of all staff at the Memorial Medical Centre to ensure that patients understand what information is held about them and how this information may be used. Furthermore, the practice must adhere to the DPA18 and the GDPR, to ensure compliance with extant legal rules and legislative acts.
4.9 Practice Privacy Notice For Patients
The Memorial Medical Centre has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Third Party Processors
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
• Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including the Memorial Medical Centre; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
You have a right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information; this is done by registering to opt out online (national data opt-out programme) or if you are unable to do so or do not wish to do so online, by speaking to a member of staff.
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.
What to do if you have any questions
1. Contact the practice’s data controller via email at email@example.com. GP practices are data controllers for the data they hold about their patients.
2. Write to the data controller at Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
3. Ask to speak to the Data Protection Officer (DPO) for Memorial Medical Centre who is Rebecca Unwin or the Operations Manager Ms Leigh O’Halloran.
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.
National COVID-19 and Flu Vaccination Programmes
The National Immunisation Management Service
Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002
This process has been produced in response to the Covid 19 pandemic and will ensure that all patients across Kent and Medway will receive the Seasonal Flu Vaccine and Covid 19 Vaccine.
Purposes for processing
With the availability of a vaccine for COVID-19, there is a need to coordinate vaccination for the population of England.
The seasonal flu programme is a long-established and successful vaccination programme. The service is offered to patients who are particularly susceptible to the flu for example because of their health condition, age or because they are pregnant.
NHS England has established a centralised service for the management of both the COVID-19 and seasonal flu vaccination programmes. This service is supported by a central system, the Immunisation Management System.
The key functions of this system are to enable identification of priority groups, to send invitations to book appointments for vaccination, to manage and monitor the progress of the programme.
There may be instances due to allocation of resources and supply of the vaccination where there will be a need for patients to be seen in a GP practice/Vaccination centre outside of their PCN or local area to receive their vaccination. The patient will be informed by their own practice by way of letter or email or by telephone. The practices will strive to ensure patients are seen by a practice as close to their home as reasonably practicable.
In summary, the system works as follows:
Loading personal information about people in England
The demographic details of everyone resident in England or registered with a GP in England are imported into the system from the Primary Care Registration Management Service operated by NHS Digital on behalf of NHS England. After an initial load from NHS Digital, the data is kept up to date overnight.
Information about patients who are particularly susceptible to the flu because of their health condition or because they are pregnant is also uploaded into the system from data held by NHS Digital.
Further data such as lists of shielded patients, NHS staff and social care workers and ethnic category information are also uploaded. This data can then be used for prioritising invitation for flu or COVID-19 vaccination, and for reporting purposes.
Selecting people to invite for immunisation
The system has an interactive dashboard which allows us to select groups of people to invite for immunisation. Factors such as age, ethnic origin, gender and underlying health conditions can be applied. We can also select NHS staff and social care workers.
The system shows how many people will be invited if the selected criteria are used. The analysis will include a full geographical breakdown so users can ensure there are sufficient vaccinations and delivery capacity to meet demand. People already vaccinated will be excluded automatically so they are not invited again.
The system sends invitation letters to the people selected.
Sending invitations for vaccination
The list of people to be invited to book an appointment is sent to the mailing service and the National Booking System. The mailing service prints the invitation letters, which explain how to book an appointment for vaccination.
The system keeps a record of everyone who has been invited and sends reminders via text or letter to anyone who has not been vaccinated, or who has not booked an appointment through the National Booking System.
The system sends daily updates to GP systems to allow them to update their local record and monitor progress for their patients.
The system includes a business intelligence tool which provides comprehensive analysis of how the vaccination programmes are progressing, nationally and locally.
Data collection and reporting
To provide centralised data collection and reporting services for the National Immunisation Service, NHS England has implemented a centralised data capture tool for clinical teams delivering COVID-19 and seasonal flu vaccinations. The system collects data about vaccinations administered to NHS staff for COVID-19 and flu, in schools and by maternity teams for the flu vaccine only.
Categories of personal data and sources
The IMS obtains names, addresses, telephone numbers, other personal details, and GP registration information from the Primary Care Registration Management service that NHS Digital manages as a processor for NHS England.
It receives information about health conditions and other factors that can make people vulnerable to the flu from NHS Digital who collect it from GP Practices, acting under directions from the Secretary of State for Health and Social Care. We also obtain information about ethnic category from NHS Digital.
It receives information about vaccinations given from GP Practices, pharmacies and other vaccination centres. This is so that we can send out reminder letters, inform GPs for them to update their records, and monitor the progress of the vaccination programme.
The data collection and reporting system receives information about vaccination decisions – given or not given. It also includes demographic data about NHS staff from the NHS Electronic Staff Record, and obtains NHS Numbers traced from the Primary Care Registration Management service.
Categories of recipients
The system sends lists of people to be invited for vaccination to the mailing service and the National Booking Service managed by NHS Digital.
The system sends information to GP Practices so that they can update their records about vaccinations that their patients have received at pharmacies or other vaccination centres.
The system sends personal data to the NHS England COVID-19 datastore, and to Public Health England.
Legal basis for processing
For GDPR purposes NHS England’s lawful basis for processing is Article 6(1)(e) – ‘…exercise of official authority…’; and
For the processing of special categories (health) data the conditions are 9(2)(h) – ‘…health or social care…’, and 9(2)(i) – ‘…public health purposes…’.
For processing special categories (ethnicity) data the conditions are 9(2)(h) – ‘…health or social care…’, and 9(2)(b) – ‘…social protection law…’ (for monitoring equality of access).
Covid-19 and your information – Version 1 updated on 8th April 2020
Supplementary privacy note on Covid-19 for patients using GP Surgeries based in
Kent and Medway
This notice describes how we may use your information to protect you and others during the
Covid-19 outbreak. It supplements our main Privacy Notice which is available
The health and social care system is facing significant pressures due to the Covid-19
outbreak. Health and care information is essential to deliver care to individuals, to support
health and social care services and to protect public health. Information will also be vital in
researching, monitoring, tracking and managing the outbreak. In the current emergency it
has become even more important to share health and care information across relevant
Existing law which allows confidential patient information to be used and shared
appropriately and lawfully in a public health emergency is being used during this outbreak.
Using this law the Secretary of State has required NHS Digital; NHS England and
Improvement; Arms Length Bodies (such as Public Health England); local authorities; health
organisations and GPs to share confidential patient information to respond to the Covid-19
outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the
period of the outbreak unless there is another legal basis to use the data. Further
information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support
the Covid-19 outbreak, due to the public interest in sharing information. This includes
National Data Opt-outs. However in relation to the Summary Care Record, existing choices
will be respected. Where data is used and shared under these laws your right to have
personal data erased will also not apply. It may also take us longer to respond to Subject
Access requests, Freedom of Information requests and new opt-out requests whilst we focus
our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient
information including health and care records with clinical and non-clinical staff in other
health and care providers, for example neighbouring GP practices, hospitals and NHS 111.
We may also use the details we have to send public health messages to you, either by
phone, text or email.
During this period of emergency we may offer you a consultation via telephone or videoconferencing. Within Kent and Medway CCG we are using AccuRx. By accepting the
invitation and entering the consultation you are consenting to this. Your personal/confidential
patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and
care organisations and other bodies engaged in disease surveillance for the purposes of
protecting public health, providing healthcare services to the public and monitoring and
managing the outbreak. Further information about how health and care data is being used
and shared by other NHS and social care organisations in a variety of ways to support the
Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather
data from across the health and care system to inform the Covid-19 response. This includes
data already collected by NHS England, NHS Improvement, Public Health England and NHS
Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity
data as well as data provided by patients themselves. All the data held in the platform is
subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may
need to collect specific health data about you. Where we need to do so, we will not collect
more information than we require and we will ensure that any information collected is treated
with the appropriate safeguards.
General Practice Transparency Notice for GPES Data for
Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing
your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus
(COVID-19) outbreak. Health and care information is essential to deliver care to individuals,
to support health, social care and other public services and to protect public health.
Information will also be vital in researching, monitoring, tracking and managing the
coronavirus outbreak. In the current emergency it has become even more important to share
health and care information across relevant organisations. This practice is supporting vital
coronavirus planning and research by sharing your data with NHS Digital, the national safe
haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP
practices in England to support the coronavirus response for the duration of the outbreak.
NHS Digital will become the controller under the General Data Protection Regulation 2016
(GDPR) of the personal data collected and analysed jointly with the Secretary of State for
Health and Social Care, who has directed NHS Digital to collect and analyse this data under
the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this
purpose under the Health and Social Care Act 2012 (2012 Act). More information about this
requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c)
– legal obligation. Our legal basis for sharing personal data relating to health is Article
9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory
functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are
currently registered with a GP practice or who have a date of death on or after 1 November
2019 whose record contains coded information relevant to coronavirus planning and
research. The data contains NHS Number, postcode, address, surname, forename, sex,
ethnicity, date of birth and date of death for those patients. It will also include coded
health data which is held in your GP record such as details of:
diagnoses and findings
medications and other prescribed items
investigations, tests and results
treatments and outcomes
vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other
appropriate organisations, including health and care organisations, bodies engaged in
disease surveillance and research organisations for coronavirus response purposes only.
These purposes include protecting public health, planning and providing health, social care
and public services, identifying coronavirus trends and risks to public health, monitoring and
managing the outbreak and carrying out vital coronavirus research and clinical trials. The
British Medical Association, the Royal College of General Practitioners and the National
Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus
response. It is also required to share data in certain circumstances set out in the COVID-19
Direction and to share confidential patient information to support the response under a legal
notice issued to it by the Secretary of State under the Health Service (Control of Patient
Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social
care organisations requiring those organisations to process and share confidential patient
information to respond to the coronavirus outbreak. Any information used or shared during
the outbreak under these legal notices or the COPI Regulations will be limited to the period
of the outbreak unless there is another legal basis for organisations to continue to use the
Data which is shared by NHS Digital will be subject to robust rules relating to privacy,
security and confidentiality and only the minimum amount of data necessary to achieve the
coronavirus purpose will be shared. Organisations using your data will also need to have a
clear legal basis to do so and will enter into a data sharing agreement with NHS
Digital. Information about the data that NHS Digital shares, including who with and for what
purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital
Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be
considered on a case by case basis and may or may not apply depending on the specific
purposes for which the data is to be used. This is because during this period of emergency,
the National Data Opt-Out will not generally apply where data is used to support the
coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for
collecting this information and what choices and rights you have in relation to the processing
by NHS Digital of your personal data, see:
the NHS Digital GPES Data for Pandemic Planning and Research (COVID-19)
the NHS Digital Coronavirus (COVID-19) Response Transparency Notice
the NHS Digital General Transparency Notice
how NHS Digital looks after your health and care information
We may amend this privacy notice at any time so please review it frequently. The date at the
top of this page will be amended each time this notice is updated.
A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites.
Cookies allow a website to recognise a user’s device.
Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies are to help us measure the number of visitors to a website. The two types we use are ‘Session’ and ‘Persistent’ cookies. Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time.
We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.
What can I do to manage cookies on my devices?
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
If you are concerned about cookies and would like to ask further questions please do not hesitate to write to our website developers – firstname.lastname@example.org