General Practice Data for Planning and Research (GPDPR)
NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies.
Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, full postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one will be able to directly identify you in the data.
NHS Digital will be able to use the same software to convert the unique codes back to data that could directly identify you in certain circumstances, and where there is a valid legal reason. Only NHS Digital has the ability to do this. This would mean that the data became personally identifiable. An example would be where you consent to your identifiable data being shared with a research project or clinical trial in which you are participating, as they need to know the data is about you. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service, and subject to independent assurance by IGARD and consultation with the Professional Advisory Group, which is made up of representatives from the BMA and the RCGP.
NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes.
NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.
The data NHS Digital collects:
- Data on your sex, ethnicity and sexual orientation if coded in your GP record (normally asked and updated when you register as a patient at a new GP surgery)
- Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls, and appointments, including information about your physical, mental and sexual health
- Data about staff who have treated you
NHS Digital does not collect:
- Your name and address (except for your postcode in unique coded form)
- Written notes (free text), such as the details of conversations with doctors and nurses
- Images, letters and documents
- Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
- Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment, and certain information about gender re-assignment
NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK).
Fully anonymous data (that does not allow you to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK. Some of our processors may process patient data outside of the UK. If they do, we will always ensure that the transfer outside of the UK complies with data protection laws.
NHS Digital will keep your patient data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice for Health and Social Care 2016 and .
Other organisations with whom NHS Digital share your personal data must only keep it for as long as is necessary and as set out in the Data Sharing Agreement with that organisation. Information about this will be provided in their privacy notices on their websites.
Details of who NHS Digital have shared data with, in what form and for what purposes are published on their data release register.
Data can only be accessed by organisations which will legitimately use the data for healthcare planning and research purposes, and they will only get the specific data that is required. All requests are subject to independent oversight and scrutiny, and audits are conducted to ensure it is being used for the purpose it was requested for.
Previously there were two ways in which a patient could opt out of sharing their personal information:
- A type 1 opt out prevents information being shared outside a GP practice for purposes other than direct care.
- A type 2 opt out prevented information being shared outside NHS Digital for purposes beyond the individual’s direct care.
From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out.
Type 2 opt-outs that were recorded on or before 11 October 2018 have been automatically converted to national data opt-outs.
Opting out of NHS Digital sharing your data (National Data Opt-out)
If a patient registers an opt out with the National Data Opt-out, their data will be extracted. However, the National Data Opt-out will be applied on access or dissemination of the data. In this instance, this would mean the information is shared with NHS Digital, but that they will not share it with third parties such as universities and charities.
Opting out of NHS Digital collecting your data (Type 1 Opt-out)
If a patient does not want their identifiable data to be shared outside of the GP Practice, except for their own direct care, they are able to opt out. If a patient registers a Type 1 opt-out with the practice, their data will not be extracted. You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.
If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.